Cryptolaemus cybersecurity experts detect new password-protected ZIP files and shortcuts. The command to create and execute a VBS file to install the malware works properly.
The ZIP attachment contains an XLS file. This starts a PowerShell script, which contacts various URLs and downloads the DLL, activating the malware infection chain.
Cryptolaemus cybersecurity experts: It is spread via spam emails with a ZIP, an XLS or a DOC attachment, which downloads a DLL that starts the malware infection.
US, South Korean and Ukrainian law enforcement agencies shut down the infrastructure and seized the servers. Egregor, NetWalker and Emotet suffered the same fate.