ClickCease TA547 Phishing Attack: German Companies Hit With Infostealer

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

TA547 Phishing Attack: German Companies Hit With Infostealer

Wajahat Raja

April 22, 2024 - TuxCare expert team

Researchers at Proofpoint have found out that the TA547 phishing attack campaigns have been targeting different German companies. Identified as TA547, the threat actor has been using an information stealer called Rhadamanthys to get its hand on important financial data of companies. This information is then used by several cybercriminal threat actors.

The TA547 phishing campaign used a PowerShell script that is suspected to have been generated by large language models (LLM) like Gemini, ChatGPT, and CoPilot. TA547 cyber threat actor is a financially motivated actor that is believed to have been active since November 2017. 


In this article, we will learn everything about the German organization’s phishing attack and see what it matters so much.


TA547 Phishing Attack History with AI

Cybersecurity threat TA547
is ill-famed for running phishing campaigns. The threat actor came to the limelight trafficking Trickbot but has used other cybercrime tools as well, such as Lumma stealer, StealC, NetSupport RAT, and Gozi. 

The major difference between previous TA547 phishing tactics and the latest one is that it has now started taking the help of AI for phishing campaigns. The LLM-generated code suggests that an AI chatbot was used to write it.


How Did TA547 Cyber Espionage Work?

Brief impersonation emails were the first step in the
TA547 phishing attack. One of the disguises used was Metro AG, the German retail company. There were password-protected ZIP files in the emails that had compressed LNK files. These LNK files triggered the Powershell script when they were executed, dropping the Rhadamanthys infostealer in the systems of German organizations.

A strange development was identified in the Powershell script; that is, it contained a hashtag, which was specific comments. This made the researchers conclude that the new TA547 phishing tactics included the use of AI as well.


Why Does the Cyber Attack on German Organizations Matter?

The TA547 cyber espionage campaign is an indication that
cybersecurity threat actors are evolving with time and using newer techniques for phishing and other campaigns to achieve their targets. 

Use of the compressed LNKs and LLM-generated code are a couple of such examples. LLMs like ChatGPT help cybersecurity threat actors such as TA547 to repurpose the techniques used by other threat actors for their own gains.


Is There Even a Worse AI Malware Which is to Come?

TA547 phishing attack shows the experimentation that has been going on with the use of artificial intelligence. Cybersecurity threat actors use AI to achieve their goals quickly and more effectively now. Although there are signs that some threat actors use AI on smaller levels for the purpose of enhancing their operations, a large-scale use is yet to be discovered apart from a couple of cases. 

This is because humans are still better at writing codes than AI softwares, and AI developers are also taking steps to prevent the misuse of their products by the cybersecurity threat actors like TA547.


Financially motivated campaigns have been on the rise in recent years. The
TA547 phishing attack underlines the importance of implementing proactive cybersecurity measures so that incidents like the German cybersecurity incident can be prevented.

The sources for this piece include articles in proofpoint and Dark Reading.


TA547 Phishing Attack: German Companies Hit With Infostealer
Article Name
TA547 Phishing Attack: German Companies Hit With Infostealer
German organizations have been targeted by a financial threat actor with an infostealer. Learn everything about the TA547 phishing attack here!
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter