MyDFIR

Feb 17, 18 tweets

Thought DJI Wanted to Work With Me… Turns Out, Someone Wanted to Hack Me Instead.

Woke up to an email that had me grinning...a DJI collaboration request. I'm in the middle of planning an Asia trip, so this was a chance to get my hands on some gear from DJI...or so I thought.

Something wasn’t right.

🧵Thread 👇

The email felt...off. Too generic. No personal details, just the usual "We love your content and want to collaborate!" kind of fluff. Then I looked at the sender's domain: djipartner[.]live. That didn’t feel official.

WARNING: The site is still live, I am not responsible for your actions! :)

I decided to perform a quick WHOIS lookup and found that this domain was registered 29 days ago...Boo! Definitely leaning towards a scam. I was looking forward to trying out some gear from @DJIGlobal ...unless👀👀 👉👈
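The domain-age check from the tweet above, as an added example that is not part of the original thread: parse the creation date out of a WHOIS record and flag the domain when it is younger than a threshold. The WHOIS text is a constructed sample (the registry ID is a placeholder and the dates are invented), and the reference date is pinned so the check runs offline; the 30-day threshold is an assumption, not a rule from the thread.

```python
"""
Added example (not from the original thread): flag a newly registered domain
from its WHOIS record, the triage step the thread performs by hand.
"""
import re
from datetime import date, datetime

# Constructed WHOIS output in the usual key: value layout. Not the real record.
SAMPLE_WHOIS = """\
Domain Name: DJIPARTNER.LIVE
Registry Domain ID: EXAMPLE-ID-PLACEHOLDER
Creation Date: 2025-01-19T10:42:17Z
Registry Expiry Date: 2026-01-19T10:42:17Z
Registrar: Example Registrar, Inc.
Name Server: NS1.EXAMPLE-DNS.NET
"""

# A second constructed record in a different registry style (older domain).
SAMPLE_WHOIS_OLD = """\
domain: example-long-lived.com
Registered on: 02-May-2019
registrar: Example Registrar, Inc.
"""

# Pinned "today" so the result is deterministic (the thread is dated Feb 17).
ASSESSMENT_DATE = date(2025, 2, 17)

# Registries label the creation field differently; accept the common variants.
_CREATED = re.compile(
    r"^\s*(?:Creation Date|created|Registered on|Registration Date)\s*:\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)

def parse_creation_date(whois_text: str) -> date:
    """Extract the registration date, trying the date formats registries use."""
    m = _CREATED.search(whois_text)
    if not m:
        raise ValueError("no creation date field in WHOIS record")
    raw = m.group(1)
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y"):
        try:
            return datetime.strptime(raw, fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised date format: {raw!r}")

def domain_age_days(whois_text: str, today: date = ASSESSMENT_DATE) -> int:
    """Days between registration and the assessment date."""
    return (today - parse_creation_date(whois_text)).days

def assess_domain(whois_text: str, today: date = ASSESSMENT_DATE,
                  young_threshold_days: int = 30) -> tuple:
    """Return (age_in_days, verdict). Threshold is an assumed heuristic."""
    age = domain_age_days(whois_text, today)
    verdict = "suspicious: newly registered" if age < young_threshold_days else "age ok"
    return age, verdict

if __name__ == "__main__":
    for record in (SAMPLE_WHOIS, SAMPLE_WHOIS_OLD):
        print(assess_domain(record))
```

A young domain on its own is only a signal; combined with the generic wording and a password-protected download it is what tipped the thread's author toward a scam.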

But hey, since I was already here, might as well have a little fun with it.

I checked out their website and one thing stood out—it specifically mentioned "For YouTube Partners". Okay, so this campaign is likely targeting YouTube Creators.

Once the page loaded, I went and clicked on “I am a Partner” and was immediately directed to a download page.

The site encourages its "partners" to download the materials, and upon clicking "Download Materials", I was immediately met with a list of instructions.

Great instructions don't you think?

The download was an archive (RAR) file, and when I tried to open it... password required.

At this point, I could’ve walked away, but nah, I wanted to see if I could get the password to access whatever content was in that archive. So I did what any rational person would do... and replied to the email. Heh.

Six hours later, my new "business partners" got back to me. Their reply was quite long, but buried in the email was the password!!

I got access to the contents and immediately my attention shifted towards a file with an extension of ".scr" commonly associated with screensavers, but one detail stood out: it was 88MB in size, far larger than a legitimate screensaver file.

I extracted the "Advertising" file and generated a SHA256 file hash, then searched for it on VirusTotal. Eight vendors flagged it as malicious, labelling this file as a loader. In other words, this file is responsible for delivering additional malware.

Looking at its history, the file wasn’t new, it was first seen back in 2019.

Analysis showed that it contacts the IP 185[.]147[.]125[.]81 on port 5000.

It also dropped two DLL files, both communicating with the same IP and port.

Reviewing the behavior logs, I noted another IP: 45[.]150[.]32[.]106.

Searching this IP on VirusTotal showed that nine vendors had flagged it as malicious, and a community comment labeled it as Rhadamanthys Stealer.

Taken from Malpedia: "According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines."

That was fun!

SHA256 Hashes:

Archive (RAR): 8313137D25C59CBF3BFFCAD734E2F3C48678C3139896BA3BAEB188EE407EA729

Advertising ("Screensaver"): 7109cbe03a69b2ac149ebefd5f2ea2da077a660f76828dc25bf2ef93af1cf336

DLL 1: 88a2a2b3824fd8e60bf05d6979027a5e25aaecf28ba564f8c299f83cce11b06e

DLL 2: bb139ee137c034662df291847eb0e27dda56a26409a0285d2ec7642ef065ff7d
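An added example, not part of the original thread, that turns the hashing step described earlier and the indicator list above into an offline triage script: hash every file extracted from an archive, match against the thread's SHA256 list, flag a `.scr` file that is an executable far larger than a screensaver should be, and scan connection logs for the two IPs. The files and log lines below are constructed placeholders (their hashes will not match the real samples; the hash match is shown via a direct lookup), and the 5 MB size limit is an assumed heuristic, not a value from the thread.

```python
"""
Added example (not from the original thread): offline IoC triage of an
extracted archive and a few connection-log lines.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators published in the thread (hashes lowercased, defanged IPs refanged).
IOC_SHA256 = {
    "8313137d25c59cbf3bffcad734e2f3c48678c3139896ba3baeb188ee407ea729": "archive (RAR)",
    "7109cbe03a69b2ac149ebefd5f2ea2da077a660f76828dc25bf2ef93af1cf336": "Advertising.scr loader",
    "88a2a2b3824fd8e60bf05d6979027a5e25aaecf28ba564f8c299f83cce11b06e": "DLL 1",
    "bb139ee137c034662df291847eb0e27dda56a26409a0285d2ec7642ef065ff7d": "DLL 2",
}
IOC_NET = {("185.147.125.81", 5000), ("45.150.32.106", None)}  # None = any port

SCR_SIZE_LIMIT = 5 * 1024 * 1024  # assumed heuristic; the thread's sample was 88MB

# Constructed log lines, not real telemetry.
SAMPLE_LOGS = [
    "2025-02-17T08:01:02Z proc=Advertising.scr dst=185.147.125.81:5000 proto=tcp",
    "2025-02-17T08:01:05Z proc=chrome.exe dst=203.0.113.7:443 proto=tcp",
    "2025-02-17T08:02:11Z proc=rundll32.exe dst=45.150.32.106:443 proto=tcp",
]
_CONN = re.compile(r"dst=(\d+\.\d+\.\d+\.\d+):(\d+)")

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sha256_file(path: Path) -> str:
    """Stream the file so large droppers do not get read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def label_for_hash(digest: str):
    """Look a hash up in the thread's IoC list (case-insensitive)."""
    return IOC_SHA256.get(digest.lower())

def triage_file(path: Path, size_limit: int = SCR_SIZE_LIMIT) -> list:
    """Findings for one extracted file: known hash, disguised/oversized .scr."""
    findings = []
    label = label_for_hash(sha256_file(path))
    if label:
        findings.append(f"known IoC: {label}")
    if path.suffix.lower() == ".scr":
        # Windows screensavers are PE executables; double-clicking runs them.
        findings.append("executable disguised as screensaver (.scr is a PE)")
        if path.stat().st_size > size_limit:
            findings.append("oversized .scr")
    return findings

def scan_logs(lines) -> list:
    """Return (ip, port) pairs that hit the thread's network indicators."""
    hits = []
    for line in lines:
        m = _CONN.search(line)
        if not m:
            continue
        ip, port = m.group(1), int(m.group(2))
        if (ip, port) in IOC_NET or (ip, None) in IOC_NET:
            hits.append((ip, port))
    return hits

def run_demo() -> dict:
    """Build a constructed 'extracted archive' in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed oversized PE-like stub standing in for Advertising.scr.
        (root / "Advertising.scr").write_bytes(b"MZ" + b"\0" * (6 * 1024 * 1024))
        (root / "README.txt").write_text("constructed benign file")
        results = {p.name: triage_file(p) for p in sorted(root.iterdir())}
    results["<network>"] = scan_logs(SAMPLE_LOGS)
    return results

if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, findings)
```

The hash match is exact and therefore brittle against recompiled samples; the size and extension heuristics and the C2 address matches are what catch the next variant, which is why all three checks sit side by side.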

Key takeaways!

Take a second and always try to verify collaboration requests and sponsorships. Be cautious of newly registered domains, generic messaging, and password-protected downloads.

These tactics are designed to lure creators into running malicious files.

Pause, analyze, and verify before engaging.
