The bait is a warning that iCloud space is running out, paired with a 50GB gift. Objective: steal sensitive personal data and money.
AsyncRAT campaign also via payment request. The fake xlsx in the email points to a fake site with a zip document. This contains a VBS with PowerShell, which downloads the malware. The C2 is the same as RemcosRAT's.
AsyncRAT hides behind a fake payment request from a Chinese company. The email, which has also arrived in Italy, carries an attachment that poses as an xlsx file but is actually a photo.
Opening it directs you to a fake site hosting a compressed document in zip format, which simulates the purchase order.
Inside, however, there is a VBS file with PowerShell, which downloads the malware.
The malware connects to the command and control server (18.104.22.168), the same one used since January by another piece of malware: RemcosRAT.
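
A triage check for the two artifacts in this chain, the xlsx attachment that is really an image and the zip archive that carries a VBS script, as an added example that is not part of the original article. The function names, file names and sample bytes are constructed for illustration.

```python
import io
import zipfile

# Leading bytes of common image formats.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Script types that have no place in a purchase-order archive.
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd", ".hta")

def sniff_type(data: bytes) -> str:
    """Classify content by magic bytes instead of trusting the file name."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    if data.startswith(b"PK\x03\x04"):
        return "zip"  # a real .xlsx is an OOXML zip container
    return "unknown"

def xlsx_mismatch(filename: str, data: bytes):
    """Return the sniffed type if a *.xlsx attachment is not a zip container, else None."""
    if not filename.lower().endswith(".xlsx"):
        return None
    kind = sniff_type(data)
    return None if kind == "zip" else kind

def script_members(zip_bytes: bytes) -> list:
    """List archive members whose extension marks them as scripts."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTS)]

def build_sample_zip(members: dict) -> bytes:
    """Constructed sample data: build an in-memory zip from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

if __name__ == "__main__":
    fake_xlsx = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed PNG header
    print(xlsx_mismatch("Payment_Request.xlsx", fake_xlsx))
    order = build_sample_zip({"PO_2024.vbs": "' placeholder", "readme.txt": "x"})
    print(script_members(order))
```

Either result is a reason to quarantine the message or download before a user opens it.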