EXECUTIVE SUMMARY
The campaign appears to be orchestrated by a financially motivated cybercrime group that specializes in malspam distribution. Delivery occurs through a malicious spam email that carries a deceptive HTML attachment, which in turn redirects victims through a reputable advertising domain before presenting a personalized lure page. Targets include mid-size enterprises in finance, professional services, and manufacturing across North America and Europe. The actor's primary objective is to gain persistent remote access for data exfiltration and potential ransom demand, while keeping the infection footprint minimal.
The infection chain starts when a user opens the HTML attachment, which immediately issues a meta-refresh that sends the browser to a tracking URL. From there a lightweight kit generates a page that mimics the victim's organization, then delivers a compressed archive containing a script loader. The loader runs a series of obfuscated scripts, first invoking a native Windows scripting component, then launching a hidden execution routine that downloads a .NET payload. The payload is reflected into memory and injected into trusted system utilities, establishing persistence, disabling telemetry, and opening a low-profile command channel for the attacker.
The threat is significant because it avoids writing files to disk and blends into legitimate processes, making it hard for traditional antivirus and endpoint logs to flag the activity. Its use of dynamic branding and rapid C2 host rotation further complicates network detection. Organizations should enforce strict email filtering, enable sandboxing of attachments, and block script execution from user-writable locations. Deploying a policy that forces script files to open as plain text, monitoring for unexpected script host launches, and maintaining up-to-date patches on Windows components reduce exposure. Regular backups and an incident response plan ensure rapid recovery if compromise occurs.
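As an added illustration of the "monitor for unexpected script host launches" recommendation (example code written for this page, not from the original report or the Huntress analysis), the following Python flags the described chain in constructed Sysmon-style process-creation events: a script host started from a user application, a hidden PowerShell spawned by that script host, and InstallUtil launched by PowerShell. The launcher list, command-line flag strings and sample events are assumptions.

```python
from dataclasses import dataclass

# Assumed process names; extend to match the endpoint telemetry in use.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_LAUNCHERS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe",
                  "7zfm.exe", "winrar.exe", "outlook.exe"}
HIDDEN_FLAGS = ("-w hidden", "-windowstyle hidden", "-enc", "-encodedcommand")


@dataclass
class ProcEvent:
    pid: int
    image: str     # image name of the new process
    parent: str    # image name of the parent process
    cmdline: str   # full command line


def classify(ev):
    """Return the alert names a single process-creation event triggers."""
    alerts = []
    img, par, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()
    # 1. Script host started from a browser, archiver or shell (attachment -> archive -> loader).
    if img in SCRIPT_HOSTS and par in USER_LAUNCHERS:
        alerts.append("script_host_from_user_app")
    # 2. PowerShell spawned by a script host with a hidden window or encoded command.
    if img == "powershell.exe" and par in SCRIPT_HOSTS and any(f in cmd for f in HIDDEN_FLAGS):
        alerts.append("hidden_powershell_from_script_host")
    # 3. InstallUtil (T1218.004) launched by PowerShell: proxy execution of the .NET payload.
    if img == "installutil.exe" and par == "powershell.exe":
        alerts.append("installutil_proxy_execution")
    return alerts


def scan(events):
    """Return {pid: [alerts]} for every event that matches at least one rule."""
    hits = {}
    for ev in events:
        alerts = classify(ev)
        if alerts:
            hits[ev.pid] = alerts
    return hits


# Constructed sample events: the described chain plus benign noise that must not alert.
SAMPLE_EVENTS = [
    ProcEvent(100, "chrome.exe", "explorer.exe", "chrome.exe"),
    ProcEvent(101, "wscript.exe", "7zFM.exe", 'wscript.exe "C:\\Users\\u\\AppData\\Local\\Temp\\invoice.js"'),
    ProcEvent(102, "powershell.exe", "wscript.exe", "powershell.exe -w hidden -enc AAAA"),
    ProcEvent(103, "InstallUtil.exe", "powershell.exe", "InstallUtil.exe /logfile= /U C:\\Users\\u\\AppData\\Local\\Temp\\x.dll"),
    ProcEvent(104, "cscript.exe", "svchost.exe", "cscript.exe C:\\Windows\\System32\\slmgr.vbs /ato"),
    ProcEvent(105, "powershell.exe", "explorer.exe", "powershell.exe"),
]

if __name__ == "__main__":
    for pid, alerts in scan(SAMPLE_EVENTS).items():
        print(pid, alerts)
```

Event 104 (a script host run by a service host) and 105 (an interactive PowerShell) are left alone, so the rules key on the parent and command line rather than on the script host alone.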
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Defense Evasion | T1027.001 | Obfuscated Files or Information | Binary Padding |
| Defense Evasion | T1218.004 | System Binary Proxy Execution | InstallUtil |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion | System Checks |
| Discovery | T1518.001 | Software Discovery | Security Software Discovery |
| Command and Control | T1568.001 | Dynamic Resolution | Fast Flux DNS |
REFERENCES:
The following report contains further technical details:
https://www.huntress.com/blog/malspam-to-deskcvb-rat-delivery-chain-analysis