The bait are false invoice offsets. The xls attachment contacts single link from which it downloads the dll, starting the malware infection. But only from Italian IPs.
The operation, coordinated by Europol and Eurojust, led to 106 arrests. The suspects defrauded hundreds of victims through phishing attacks, SIM swapping and BEC.
The xls attachment contacts a single link and downloads the dll, which activates the malware infection. Provided that the IP is Italian and not on the blacklist.
The xlsm attachment contacts a single url from which it downloads the dll, starting the malware infection. But only from Italian IPs and if they’re not blacklisted.