logo

It looks like a normal resume, but the infection begins the moment it is opened.

ID: 60d591cb-2713-5be9-989e-66a4292608a3

STIX ID: report--60d591cb-2713-5be9-989e-66a4292608a3

Feed Name: ASEC

Threat Score
75/100

Date Published: 2026-06-16

Date Updated: 2026-06-17

Author: ATCP

...
...

Malicious LNK files disguised as resume documents open a legitimate-looking decoy while executing embedded scripts that create batch/PowerShell/VBScript files under C:\Users\Public, register a scheduled task named “office365”, download and decrypt payloads (ProximityUxHost.exe, ProximityCommon.DLL, settings.dat, MicrosoftBing.LNK), establish persistence via Startup, and use DLL side-loading to execute the Xctdoor backdoor; the report includes file/path IOAs and a response guide to remove tasks and suspicious files.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.