It looks like a normal resume, but the infection begins the moment it is opened.
ID: 60d591cb-2713-5be9-989e-66a4292608a3
STIX ID: report--60d591cb-2713-5be9-989e-66a4292608a3
Feed Name: ASEC
Malicious LNK files disguised as resume documents open a legitimate-looking decoy while executing embedded scripts that create batch/PowerShell/VBScript files under C:\Users\Public, register a scheduled task named “office365”, download and decrypt payloads (ProximityUxHost.exe, ProximityCommon.DLL, settings.dat, MicrosoftBing.LNK), establish persistence via Startup, and use DLL side-loading to execute the Xctdoor backdoor; the report includes file/path IOAs and a response guide to remove tasks and suspicious files.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
