Cybercrime, false invoice request from UK is the bait for BluStealer
A fake invoice request from the UK is the bait for BluStealer. The compressed attachment of the “Order-Urgent” email contains an exe file – the malware. The stolen data is exfiltrated via the Telegram API.
A fake invoice request from the UK is the bait used to convey a new BluStealer campaign.
BluStealer (aka DarkCloud) is an infostealer that aims to exfiltrate credentials from nearly 40 applications (including VPN clients, FTP clients, browsers and mail clients), credit card information saved in browsers, and downloaded e-mail messages and address-book contacts from some e-mail clients. It also monitors the clipboard and replaces any cryptocurrency wallet address that is copied with one of its own wallets, so that payments made from infected machines reach the authors of the malware campaign instead of the intended recipients.
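As an added example (not part of the original article), a small detection that scans constructed proxy log lines for Telegram Bot API calls made by any process other than the legitimate Telegram client, which is one way to spot the exfiltration channel described above. The log format, the bot tokens and the process name `Order-Urgent.exe` (derived from the attachment name) are all assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample proxy log lines (not from the page): "process method url"
SAMPLE_LOGS = """\
chrome.exe GET https://www.example.com/index.html
Order-Urgent.exe POST https://api.telegram.org/bot123456789:AAExampleTokenForIllustration/sendDocument
Telegram.exe POST https://api.telegram.org/bot987654321:AAAnotherExampleToken/getUpdates
outlook.exe GET https://outlook.office.com/mail/
Order-Urgent.exe POST https://api.telegram.org/bot123456789:AAExampleTokenForIllustration/sendMessage
""".splitlines()

# Telegram Bot API URLs have the shape /bot<bot_id>:<secret>/<method>
BOT_API_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[\w-]+)/(?P<method>\w+)"
)

# Bot API methods that push text or files out of the host
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed log line into process, HTTP method and URL."""
    parts = line.split(maxsplit=2)
    if len(parts) != 3:
        return None
    return {"process": parts[0], "method": parts[1], "url": parts[2]}


def find_telegram_exfil(lines: List[str], allowed_processes=("telegram.exe",)) -> List[Dict[str, str]]:
    """One finding per Bot API call made by a process that is not the Telegram client.

    The token secret is deliberately not copied into the finding; only the
    numeric bot id is kept so findings can be correlated without spreading the secret.
    """
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        match = BOT_API_RE.match(entry["url"])
        if match is None or entry["process"].lower() in allowed_processes:
            continue
        api_method = match.group("method")
        findings.append({
            "process": entry["process"],
            "bot_id": match.group("bot_id"),
            "api_method": api_method,
            "severity": "high" if api_method in EXFIL_METHODS else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_telegram_exfil(SAMPLE_LOGS):
        print(finding)
```

Any hit from an unexpected process is worth a look; a `sendDocument` call from a freshly executed binary is the pattern that matches this campaign's exfiltration.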