EXECUTIVE SUMMARY
Modern malware campaigns increasingly avoid obvious malicious binaries and instead rely on trusted file formats, native scripting engines, and memory-only execution. Rather than a single payload, attackers now deploy multi-stage execution chains where each component appears benign on its own. This approach complicates detection and response, as traditional controls often fail to correlate activity across stages. The documented campaign illustrates this evolution clearly, using phishing, containerized payloads, and layered scripts to achieve stealthy initial access and execution. By abusing legitimate Windows functionality and decentralized hosting, the attackers minimize static indicators while maximizing delivery reliability and user deception.