Attacks commenced with the delivery of malicious emails purportedly from the SSU that requested the submission of certain required documents and included hyperlinks to a Documents.zip archive; opening the archive triggered an MSI file that facilitated malware installation.
Malvertising exploiting Google search results has been leveraged to lure victims into downloading fraudulent software installers, including YouTube downloader, Roblox FPS Unlocker, and VLC video player.
Intrusions commenced with the delivery of phishing emails carrying RAR archives that deployed a backdoor, which in turn facilitated the injection of the APT31-linked GrewApacha trojan as well as a new version of the CloudSorcerer malware that evades detection through VMProtect packing.
Malicious apps spoofing Alipay or an Android system service have been used to distribute LianSpy, which, once executed, either uses admin privileges to ensure it keeps running in the background or requests several permissions to gain extensive access to the device.
Attackers commenced the operation by deploying a dropper capable of evading the protections in Android 13 and newer devices, after which it displayed a fraudulent CRM login page requesting an employee ID; entering the ID led to the installation of Chameleon.
Such exploitation was evident in a January attack by Kimsuky against a South Korean construction trade entity's website that lured employees into installing trojanized security software with a valid digital certificate.