Water Orthrus’s New Campaigns Deliver Rootkit and Phishing Modules


Water Orthrus has been active recently with two new campaigns. CopperStealth uses a rootkit to install malware on infected systems, while CopperPhish steals credit card information. This blog post describes the structure of the campaigns and how they work.

By: Jaromir Horejsi, Joseph C Chen, May 15, 2023

Since 2021, we have been tracking the activities of a threat actor we called Water Orthrus, which distributed CopperStealer malware via pay-per-install (PPI) networks. The threat actor has upgraded and modified the malware multiple times for different purposes, such as injecting network advertisements, acquiring personal information, and stealing cryptocurrency. We believe that they are associated with the threat campaign reported as “Scranos” in 2019.

Figure 1. CopperStealth infection chain

In March 2023, we observed two campaigns delivering new malware that we named CopperStealth and CopperPhish. Both pieces of malware have characteristics similar to those of CopperStealer and were likely developed by the same author, leading us to believe that these campaigns are likely Water Orthrus’ new activities.

Figure 2. CopperPhish infection chain

This blog post discusses our analysis of CopperStealth’s and CopperPhish’s infection chains, and how they are similar to Water Orthrus.

CopperStealth campaign
