The bait this time is the unexpected closure of the account and some pending messages. With the excuse of fixing the error, threat actors try to steal the credentials.
AsyncRAT campaign also via payment request. The fake xlsx in the email points to a fake site hosting a zip document. This contains a VBS file with PowerShell, which downloads the malware. The C2 is the same as RemcosRAT's.
AsyncRAT hides behind a fake payment request from a Chinese company. The email, which has also arrived in Italy, carries a fake xlsx attachment that is actually a photo.
Opening it directs the user to a fake site, which hosts a compressed document in zip format that poses as the purchase order.
Inside, however, there is a VBS file with PowerShell, which downloads the malware.
The malware connects to the command and control server (220.127.116.11), the same one used since January by another piece of malware: RemcosRAT.
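A mail-gateway or triage check for the two file tricks in this chain (an ".xlsx" that is really an image, and a zip carrying a script), as an added example that is not part of the original article. File names and sample bytes are constructed, and the script-extension list is an assumption.

```python
import io
import zipfile

# Well-known leading bytes of common image formats.
IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
               b"GIF87a": "gif", b"GIF89a": "gif"}
# Script types that have no place in a "purchase order" archive (assumed list).
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd")


def triage(filename: str, data: bytes) -> list:
    """Return findings for one attachment or downloaded file."""
    findings = []
    name = filename.lower()
    is_zip = zipfile.is_zipfile(io.BytesIO(data))
    if name.endswith(".xlsx"):
        # A real workbook is an OOXML zip container, never a bare image.
        kind = next((k for m, k in IMAGE_MAGIC.items() if data.startswith(m)), None)
        if kind:
            findings.append(f"extension .xlsx but content is a {kind} image")
        elif not is_zip:
            findings.append("extension .xlsx but content is not an OOXML (zip) container")
    if is_zip:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
        if name.endswith(".xlsx") and "[Content_Types].xml" not in members:
            findings.append("zip container lacks [Content_Types].xml")
        for member in members:
            if member.lower().endswith(SCRIPT_EXTS):
                findings.append(f"archive contains script file: {member}")
    return findings


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: content} for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, content in members.items():
            zf.writestr(member_name, content)
    return buf.getvalue()


# Constructed samples, not taken from the campaign.
FAKE_XLSX = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
ORDER_ZIP = make_zip({"purchase_order.vbs": "' placeholder"})
REAL_XLSX = make_zip({"[Content_Types].xml": "<Types/>", "xl/workbook.xml": "<workbook/>"})

if __name__ == "__main__":
    for n, d in [("payment.xlsx", FAKE_XLSX), ("order.zip", ORDER_ZIP), ("report.xlsx", REAL_XLSX)]:
        print(n, triage(n, d))
```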