EXECUTIVE SUMMARY
A loosely attributed, financially motivated group is behind the latest "Evil MSI Background" campaign. The threat takes the form of a multi-stage malware chain delivered through phishing emails that embed a WeTransfer link to a JavaScript payload. Primary targets include enterprises that rely on Windows workstations, with activity observed across Europe and North America. The actor's objective appears to be establishing persistent code execution and moving laterally to exfiltrate or encrypt data. By disguising malicious files as innocuous JPEG backgrounds, the campaign seeks to evade casual inspection.
The infection begins when a recipient clicks the WeTransfer link and downloads a file named "Remittance Advice.js". Inside, the script populates an environment variable with a ROT13-obfuscated string that expands to a hidden PowerShell command. That command is launched via WMI, using a silent (hidden-window) process startup so that the user sees nothing. Once executed, the PowerShell stage retrieves a JPEG hosted on a Cloudflare Workers subdomain, which contains a Base64-encoded .NET DLL. The DLL loads a modified Task Scheduler library, creates a new scheduled task, and then pulls a second payload from a Cloudflare R2 bucket, potentially hidden within another image.
Organizations should care because the campaign combines legitimate cloud services with native Windows mechanisms, so the malicious activity blends into normal traffic. Detection is hampered by the use of environment variables, ROT13 encoding, and WMI-based execution, which together often bypass traditional endpoint signatures. Recovery can be prolonged if the hidden scheduled task persists after initial remediation. Defensive steps include tightening email filtering to block suspicious WeTransfer links, enforcing strict PowerShell and WMI logging, monitoring for unexpected scheduled-task creation, and restricting outbound connections to unknown cloud endpoints. Regular backups and a tested incident-response plan remain essential to limit impact.
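As an added example (not code from the original report), the following Python triages constructed process-creation and task-creation records for the observable steps of the chain above: a script host running a .js out of the Downloads folder, PowerShell spawned by WmiPrvSE.exe with a hidden window and an environment-variable reference, and a new scheduled task whose action is a script host; it also decodes a recovered ROT13 environment-variable value. Field names follow Sysmon Event ID 1 and Security Event ID 4698, and every sample record, path and task name is constructed for the example.

```python
"""Triage constructed Windows telemetry (Sysmon EID 1 / Security EID 4698 shaped dicts)."""
import codecs
import re

HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?", re.IGNORECASE)
ENV_REF = re.compile(r"%\w+%|\$env:\w+", re.IGNORECASE)  # cmd- or PowerShell-style variable reference
SCRIPT_HOST = re.compile(r"powershell|pwsh|wscript|cscript", re.IGNORECASE)

EVENTS = [  # constructed sample: one infection chain plus one benign interactive launch
    {"id": 1, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\Downloads\Remittance Advice.js"'},
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"powershell.exe -WindowStyle Hidden -Command %STAGE%"},
    {"id": 4698, "TaskName": r"\Updater",
     "TaskContent": "<Actions><Exec><Command>powershell.exe</Command></Exec></Actions>"},
    {"id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},  # benign
]

def decode_rot13_stage(value: str) -> str:
    """Recover the plaintext of a ROT13-obfuscated environment-variable value."""
    return codecs.decode(value, "rot13")

def triage(events):
    """Return one human-readable alert per event that matches an observable step of the chain."""
    alerts = []
    for ev in events:
        if ev["id"] == 1:
            image, parent, cmd = ev["Image"].lower(), ev["ParentImage"].lower(), ev["CommandLine"]
            # Step 1: a script host running a .js straight out of the user's Downloads folder
            if image.endswith(("wscript.exe", "cscript.exe")) and re.search(r"\\downloads\\.*\.js", cmd, re.I):
                alerts.append(f"script host executing a .js from Downloads: {cmd}")
            # Step 2: PowerShell launched by the WMI provider host (T1047 -> T1059.001)
            if image.endswith("powershell.exe") and parent.endswith(r"\wmiprvse.exe"):
                reason = "PowerShell spawned by WmiPrvSE.exe (T1047/T1059.001)"
                if HIDDEN_FLAG.search(cmd):
                    reason += ", hidden window"
                if ENV_REF.search(cmd):
                    reason += ", command body taken from an environment variable"
                alerts.append(reason)
        # Step 3: a newly registered scheduled task whose action is a script host (T1053.005)
        elif ev["id"] == 4698 and SCRIPT_HOST.search(ev["TaskContent"]):
            alerts.append(f"scheduled task {ev['TaskName']} runs a script host (T1053.005)")
    return alerts

ALERTS = triage(EVENTS)  # on the constructed sample this yields three alerts, none for the benign launch
```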
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1047 | Windows Management Instrumentation | — |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Defense Evasion | T1027.005 | Obfuscated Files or Information | Indicator Removal from Tools |
| Defense Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| Command and Control | T1105 | Ingress Tool Transfer | — |
REFERENCES:
The reports contain further technical details:
hxxps://pub-a06eb79f0ebe4a6999bcc71a2227d8e3[.]r2[.]dev/snake.png