EXECUTIVE SUMMARY:
This phishing campaign is attributed to a known advanced threat group that targets financial executives, particularly CFOs. The attack starts with phishing emails that impersonate trusted recruiters and lead victims to fake login pages hosted on cloud services. To appear legitimate and to frustrate automated analysis, these pages gate the real malicious content behind custom math-based challenges and in-browser decryption steps that only run once the visitor interacts. The victim is then presented with a file that appears harmless but contains a script. Running the script silently installs remote access software, enables hidden user accounts, and ensures that the attacker keeps control of the compromised system. The campaign is notable for how narrowly it is targeted and for its reliance on social engineering and legitimate software to bypass defenses.
Researchers found that the phishing infrastructure was carefully designed with multiple layers of evasion. The malicious pages used scripted challenges and encryption keys to withhold the next stage until a human interacted with the page, which defeats crawlers and URL scanners that do not execute the page's script. The delivered file contained a script that, once executed, downloaded additional payloads. These installed remote access software, created persistent services, and opened backdoors for long-term access. The script also modified system settings: it added hidden administrator accounts, enabled Remote Desktop, and removed traces of its activity from the desktop environment. Investigators linked this activity to similar past campaigns that used nearly identical coding styles, encryption methods, and payload delivery mechanisms. The overlap in tactics and tooling indicates that the same actor continues to refine its approach while keeping its tradecraft consistent enough to be recognizable.
The campaign represents a well-structured, multi-stage phishing operation aimed at high-value financial leaders. By combining realistic lures, layered obfuscation, and abuse of trusted tools, the attackers can maintain persistence without drawing immediate suspicion. The research shows how flexible the infrastructure is, with attackers changing paths, payloads, and hosting services as needed to avoid takedown or detection. Despite these changes, the consistent use of specific remote tools and techniques points back to the same group. Organizations are advised to strengthen phishing defenses, monitor for unusual script activity, restrict the use of remote access software, and detect creation of hidden accounts or unauthorized services. This case underscores how targeted phishing campaigns have grown more advanced, requiring defenders to adapt their detection and response strategies.
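The post-compromise behaviour described above (VBScript execution, a new local account promoted to Administrators and hidden from the logon screen, Remote Desktop enabled, a persistent service installed) maps cleanly onto a handful of Windows Security and System event IDs. The following detection pass is an added example written for this page, not code from the report or its authors: it correlates constructed event records per host and flags each behaviour. The field names are simplified from the real logs (a real 4732 often carries only MemberSid and needs a SID lookup), the UserList registry value is assumed as one common way to hide an account, and because the report does not name the remote access product, the service rule keys on user-writable install paths rather than a product name.

```python
"""Correlate Windows event records for the persistence chain described above.

Added example. Event samples are constructed; field names are simplified
from Security (4688/4720/4732/4657) and System (7045) log schemas."""

from collections import defaultdict

ADMIN_SID = "S-1-5-32-544"  # BUILTIN\Administrators
# Assumption: setting <user>=0 under this key hides the account from the logon UI
USERLIST_KEY = r"\Winlogon\SpecialAccounts\UserList"
RDP_DENY_VALUE = "fDenyTSConnections"  # 0 means RDP connections are allowed
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def detect(events):
    """Return (host, rule, detail) findings in the order the events arrive."""
    findings = []
    created = defaultdict(set)  # host -> accounts created by 4720 in this window

    for ev in events:
        host, eid, f = ev["host"], ev["event_id"], ev["fields"]

        if eid == 4688:  # process creation: script host launching a .vbs
            image = f.get("NewProcessName", "").lower()
            cmd = f.get("CommandLine", "").lower()
            if image.rsplit("\\", 1)[-1] in SCRIPT_HOSTS and ".vbs" in cmd:
                findings.append((host, "vbscript_execution", cmd))

        elif eid == 4720:  # local account created
            created[host].add(f["TargetUserName"].lower())

        elif eid == 4732:  # member added to a security-enabled local group
            if f.get("TargetSid") == ADMIN_SID:
                user = f["MemberName"].rsplit("\\", 1)[-1].lower()
                if user in created[host]:  # only fire for accounts created in-window
                    findings.append((host, "new_account_to_admins", user))

        elif eid == 4657:  # registry value modified
            key, val, new = f["ObjectName"], f["ObjectValueName"], f["NewValue"]
            if key.endswith(USERLIST_KEY) and new == "0":
                findings.append((host, "account_hidden_from_logon", val))
            if val == RDP_DENY_VALUE and new == "0":
                findings.append((host, "rdp_enabled", key))

        elif eid == 7045:  # new service installed
            path = f["ImagePath"].lower()
            if any(p in path for p in USER_WRITABLE):
                findings.append((host, "service_from_user_writable_path", f["ServiceName"]))

    return findings


# Constructed sample: one victim host in attack order, plus benign admin noise on another.
SAMPLE_EVENTS = [
    {"host": "CFO-LAPTOP", "event_id": 4688, "fields": {
        "NewProcessName": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'wscript.exe "C:\Users\cfo\Downloads\offer_details.vbs"'}},
    {"host": "CFO-LAPTOP", "event_id": 4720, "fields": {"TargetUserName": "svc_helpdesk"}},
    {"host": "CFO-LAPTOP", "event_id": 4732, "fields": {
        "MemberName": r"CFO-LAPTOP\svc_helpdesk", "TargetSid": ADMIN_SID}},
    {"host": "CFO-LAPTOP", "event_id": 4657, "fields": {
        "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                      r"\Winlogon\SpecialAccounts\UserList",
        "ObjectValueName": "svc_helpdesk", "NewValue": "0"}},
    {"host": "CFO-LAPTOP", "event_id": 4657, "fields": {
        "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server",
        "ObjectValueName": "fDenyTSConnections", "NewValue": "0"}},
    {"host": "CFO-LAPTOP", "event_id": 7045, "fields": {
        "ServiceName": "RemoteSupportSvc",
        "ImagePath": r"C:\Users\cfo\AppData\Local\Temp\rsvc.exe"}},
    {"host": "IT-WS01", "event_id": 4732, "fields": {  # pre-existing user, no 4720 first
        "MemberName": r"IT-WS01\jdoe", "TargetSid": ADMIN_SID}},
    {"host": "IT-WS01", "event_id": 7045, "fields": {
        "ServiceName": "PrintSpoolerHelper",
        "ImagePath": r"C:\Program Files\Vendor\helper.exe"}},
]

if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{host:<12} {rule:<32} {detail}")
```

Run on the sample, the pass produces five findings, all on CFO-LAPTOP, and nothing on IT-WS01: adding an account that already existed to Administrators is routine admin work, so the rule deliberately requires a 4720 on the same host first. In production the same logic belongs in a SIEM query with a time window, and the `USER_WRITABLE` list should be replaced by an allowlist of your sanctioned remote-support tools.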
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Persistence | T1136.001 | Create Account | Local Account |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Privilege Escalation | T1078.003 | Valid Accounts | Local Accounts |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | — |
| Credential Access | T1556.004 | Modify Authentication Process | Network Device Authentication |
| Discovery | T1082 | System Information Discovery | — |
| Lateral Movement | T1021.001 | Remote Services | Remote Desktop Protocol (RDP) |
| Command & Control | T1090.001 | Proxy | Internal Proxy |
| Command & Control | T1105 | Ingress Tool Transfer | — |
| Impact | T1499 | Endpoint Denial of Service | — |
REFERENCES:
The following reports contain further technical details: