Cybercrime, fake HSBC payment advice spreads Formbook
The gz attachment of the “Payment Advice - Ref: [HSBC1057029141] /RFQ Priority Payment / Customer Ref: [PI10771QT90]” email contains an exe file: the malware.
Cybercrime, purchase order from Spain bait for AgentTesla
The fake pdf attached to the "PURCHASE ORDER 05-30-2023" email contains a link, from which you download a tgz file with a TAR, inside which there is an exe: the malware.
Cybercrime, Blustealer campaign from Lithuania simulating China
The compressed attachment of the “Order_list_30052023” message contains an exe file: the malware. Stolen data is exfiltrated via Telegram API.
Cybercrime, phishing campaign via Dropbox with mysterious file
The bait is two documents in storage. The attachment is recognized as clean by sandboxes, but it disables the Windows firewall.
Cybercrime, new email about an RFQ conveyed by Remcos via Modiloader
The compressed attachment contains an exe file: the loader, which contacts a url and downloads the final malware.
Cybercrime, the “Re: Our Ref: MSS Urgent Order” email bait for AgentTesla
The compressed attachment contains an exe file: the malware. Stolen data is exfiltrated via Telegram API.
Cybercrime, “Re: Purchase Order ….>,” bait for HawkEye from South Korea
The compressed attachment contains an exe file: the malware. The stolen data is exfiltrated via FTP to a host in Russia.
Cybercrime, “Nieuwe bestelling 20230517/4500338579” bait for AgentTesla
The attachment contains a Tar file with an exe: the malware. Stolen data is exfiltrated via Telegram API to the same “Nieuwe bestelling–100 STUKS ELK” campaign C2.
Cybercrime, “Purchase Order – PO.No.660240685” carries STRRAT via RATDispenser
The compressed attachment contains a JS, which runs the loader. The latter, however, installs the final malware.
Cybercrime, false invoice request from UK is the bait for BluStealer
The compressed attachment of the “Order-Urgent” email contains an exe file – the malware. The stolen data is exfiltrated via Telegram API.