A ZIP attachment contains an IMG disk image holding an EXE: the malware. The other variant is a PDF that downloads a ZIP with an EXE: the same malware. Stolen data is exfiltrated via SMTP.
Kaspersky cybersecurity experts: victims navigate to a URL pointing to a ZIP archive with two files, a decoy document and a malicious LNK that leads to the malware infection.
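The two lure layouts above (an archive hiding an EXE inside an IMG, and a decoy document paired with an LNK) are the kind of thing a mail gateway can flag before a user ever opens the attachment. The following is an added example, not code from any of the cited reports: it builds constructed sample ZIPs in memory and inspects their entry list for executables, shortcuts, nested containers, and the decoy-plus-launcher pairing. The extension lists are an assumed policy, not a vendor signature.

```python
"""Added example: inspect an e-mail ZIP attachment for the lure layouts
described above. Sample archives are constructed in memory for the demo."""
import io
import zipfile
from pathlib import PurePosixPath

# Assumed gateway policy lists (not from the original reports)
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".ps1"}
SHORTCUT_EXT = {".lnk"}
# Nested containers hide the payload one layer deeper than a plain ZIP listing shows
CONTAINER_EXT = {".img", ".iso", ".vhd", ".zip"}
DECOY_EXT = {".doc", ".docx", ".pdf", ".txt"}


def inspect_zip(data: bytes) -> dict:
    """Return entries, findings (name, reason) and a block verdict for a ZIP given as bytes."""
    findings = []
    names = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            names.append(name)
            ext = PurePosixPath(name).suffix.lower()
            if ext in EXECUTABLE_EXT:
                findings.append((name, "executable inside archive"))
            elif ext in SHORTCUT_EXT:
                findings.append((name, "Windows shortcut (.lnk) inside archive"))
            elif ext in CONTAINER_EXT:
                findings.append((name, "nested container; payload may be hidden one layer deeper"))
    exts = {PurePosixPath(n).suffix.lower() for n in names}
    # Decoy document + launcher in the same archive is the classic lure layout
    if exts & DECOY_EXT and exts & (SHORTCUT_EXT | EXECUTABLE_EXT):
        findings.append(("*", "decoy document paired with executable/shortcut"))
    return {"entries": names, "findings": findings, "block": bool(findings)}


def build_sample(entries: dict) -> bytes:
    """Constructed sample ZIP; file names and contents are made up for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed lure: decoy PDF next to a shortcut, as in the second summary above
    lure = build_sample({"invoice.pdf": b"%PDF-1.4 decoy", "invoice.lnk": b"L\x00\x00\x00"})
    print(inspect_zip(lure))
    # Constructed variant: a disk image inside the ZIP, as in the first summary above
    nested = build_sample({"photo.img": b"not really a disk image"})
    print(inspect_zip(nested))
```

The verdict is deliberately based on the archive listing alone, which is cheap and works before any content scanning; a real gateway would additionally open the nested IMG/ISO and apply the same rules one level down.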
Cybersecurity experts: the malware's core infrastructure was originally located in Ukraine. After the Russian invasion, it moved “at home” or to Belarus.
The “AWD-20-971-JA04Q7.doc” attachment of the “Рuгсhasе Огdег #AWD-20-971-JA04Q7” email (a subject written with Cyrillic look-alike letters) exploits a vulnerability, contacts a link and downloads an EXE: the malware.
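The subject line quoted above mixes Cyrillic and Latin letters inside single words, which is what lets it slip past keyword rules looking for “Purchase Order”. As an added example (not from the cited report), the following Python flags words that mix the two scripts using only the standard library's Unicode character names; the sample subjects are the one on the page plus constructed clean and fully Cyrillic controls.

```python
"""Added example: flag mixed-script (Latin + Cyrillic) words in e-mail subjects."""
import unicodedata


def script_mix(text: str) -> dict:
    """Count letters by script family using the first word of the Unicode name."""
    counts = {"LATIN": 0, "CYRILLIC": 0, "OTHER": 0}
    for ch in text:
        if not ch.isalpha():
            continue  # digits, punctuation and spaces carry no script
        script = unicodedata.name(ch, "").split(" ")[0]
        counts[script if script in counts else "OTHER"] += 1
    return counts


def mixed_script_words(subject: str) -> list:
    """Return the words that contain both Latin and Cyrillic letters.

    A word that is entirely Cyrillic (a legitimate Russian subject) or entirely
    Latin is not flagged; only the look-alike blend is.
    """
    flagged = []
    for word in subject.split():
        c = script_mix(word)
        if c["LATIN"] and c["CYRILLIC"]:
            flagged.append(word)
    return flagged


if __name__ == "__main__":
    samples = [
        "Рuгсhasе Огdег #AWD-20-971-JA04Q7",   # subject quoted on the page
        "Purchase Order #AWD-20-971-JA04Q7",   # constructed clean control
        "Заказ на покупку #12345",             # constructed all-Cyrillic control
    ]
    for s in samples:
        print(repr(s), "->", mixed_script_words(s))
```

Running the block prints two flagged words for the page's subject and nothing for either control, so the rule stays quiet on genuine Cyrillic mail while catching the blend.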