The emails carried a PDF attachment with names like Document_[10 digits].prf and similar.

Organized actor

This malware downloads and runs additional payloads, including the Screenshotter custom toolset.

Should the attackers like what they see on the screenshots, they would proceed to deliver additional payloads.

There are some notable changes compared to the March campaign, though.

For example, the group decided to use PDF attachments with OneDrive links, which wasn't previously the case.

Earlier campaigns used macro-enabled Publisher attachments, or 404 TDS URLs directly in the email body.

The recipients of the phishing emails were not named.
