A ZIP attachment contains an IMG file with an EXE: the malware. The other contains a PDF that downloads a ZIP with an EXE: the same malware. The data is exfiltrated via SMTP.
Kaspersky cybersecurity experts: Victims navigate to a URL pointing to a ZIP archive with two files: a decoy document and a malicious LNK that leads to the malware infection.
Cybersecurity experts: The malware's core infrastructure was originally located in Ukraine. After the Russian invasion, it was moved “at home” or to Belarus.
The US CISA: It contains an improper access control flaw that allows remote code execution. Adobe: It has been exploited in the wild in very limited attacks.