Cybercrime, Industrial Spy now has its own ransomware

Industrial Spy now has its own ransomware. Bleeping Computer cybersecurity experts: The data extortion marketplace partnered with adware loaders and fake crack sites to distribute the malware
Industrial Spy now has its own ransomware. This has been reported by Bleeping Computer cybersecurity experts. The data extortion marketplace sells different types of stolen data, ranging from ‘premium’ data for millions of dollars to individual files for as little as $2. To promote their service, they partnered with adware loaders and fake crack sites to distribute malware that would create README.txt files on a device. The malware steals the victim’s data and encrypts it. Furthermore, it also uses a filemarker of 0xFEEDBEEF, which we have not seen before in a ransomware family. Finally, the ransom notes contain a Tox ID that victims can use to contact the cybercrime gang to negotiate.
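A triage sweep for the 0xFEEDBEEF filemarker mentioned above, as an added example that is not code from Bleeping Computer or from the original article. The article does not say where in a file the marker sits or in which byte order, so the 64-byte head/tail window, the check for both byte orders and all function names are assumptions; the sample files are constructed.

```python
import os
import tempfile
from pathlib import Path

MARKER = 0xFEEDBEEF
# Byte order is not stated in the article, so match both encodings.
PATTERNS = (MARKER.to_bytes(4, "big"), MARKER.to_bytes(4, "little"))
WINDOW = 64  # assumption: a filemarker sits near the start or end of a file


def marker_location(path, window=WINDOW):
    """Return 'head', 'tail' or None depending on where the marker is found."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(window)
        tail = b""
        if size > window:
            fh.seek(size - window)
            tail = fh.read(window)
    if any(p in head for p in PATTERNS):
        return "head"
    if any(p in tail for p in PATTERNS):
        return "tail"
    return None


def scan(root, window=WINDOW):
    """Walk root and map each flagged file (relative path) to 'head' or 'tail'."""
    hits = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            where = marker_location(path, window)
        except OSError:
            continue  # unreadable or locked file: skip it, keep sweeping
        if where:
            hits[path.relative_to(root).as_posix()] = where
    return hits


def build_sample_tree(root):
    """Constructed sample data; no real malware output is involved."""
    root = Path(root)
    (root / "docs").mkdir()
    (root / "clean.bin").write_bytes(b"A" * 300)
    (root / "docs" / "tail_be.bin").write_bytes(b"B" * 300 + PATTERNS[0])
    (root / "docs" / "head_le.bin").write_bytes(PATTERNS[1] + b"C" * 300)
    # Marker buried mid-file: outside both windows, so not flagged.
    (root / "middle.bin").write_bytes(b"D" * 150 + PATTERNS[0] + b"D" * 150)
```

A four-byte match is weak evidence on its own, so treat hits as candidates to correlate with other signs such as ransom notes or mass file modification times.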