New: Threat Exposure Validation Impact Report 2025
Learn More
Join our Summer Webinar Series on Threat Exposure Validation
Register Now
Meet the team at Infosecurity Europe 2025
Book a Meeting

Follina suspected state aligned phishing campaign

June 13, 2022

This campaign masqueraded as a salary increase and utilized an RTF with the exploit payload downloaded from 45.76.53[.]253. The downloaded Powershell script was base64 encoded and used Invoke-Expression to download an additional PS script from seller-notification[.]live. This script checks for virtualization, steals information from local browsers, mail clients and file services, conducts machine recon and then zips it for exfil to 45.77.156[.]179.