The two links in the message download a ZIP archive with an XLS file inside, which contacts three URLs from which the DLL is downloaded, starting the malware infection.
The lure is a fake email about an email account closure. It contains a link to update the account via a login page, which is also fake. The only aim is to steal credentials.
Cyber security experts: To maximize the spread of phishing and malspam campaigns, messages are translated into multiple languages without being checked. Victims have a weapon to detect fraud.
Yoroi-Cybaze ZLab cyber security experts: The malware works as an encryptor and a decryptor. It abuses Clearnet-to-Tor proxy services to connect to its C2, hidden behind onion sites.