logo

Beware of Phishing Emails Disguised as Money Transfer Confirmations

ID: 59a0cc8d-b602-5167-b2ce-a7c0f97e3bf5

STIX ID: report--59a0cc8d-b602-5167-b2ce-a7c0f97e3bf5

Feed Name: ASEC

Threat Score
70/100

Date Published: 2026-07-09

Date Updated: 2026-07-13

Author: ATCP

...
...

AhnLab ASEC identified a phishing campaign impersonating employees that delivers a malicious XLS exploiting CVE-2017-0199 (OLE2Link) to download an HTA which launches an obfuscated PowerShell script; the script fetches a steganographically embedded PNG containing a Base64 .NET loader that then downloads and executes the Remcos RAT. The report provides C2 URLs, multiple MD5 hashes, screenshots, and user guidance to verify senders, inspect links/attachments, and avoid entering credentials on suspicious pages.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.