Don’t trust ‘secure mail’! Malicious Files Impersonating Credit Card Companies Are Being Distributed
ID: f450ef62-a8b7-5af4-8bab-52b46e74e862
STIX ID: report--f450ef62-a8b7-5af4-8bab-52b46e74e862
Feed Name: ASEC
**Executive summary:** AhnLab observed a phishing campaign impersonating a Korean credit card company. The emails deliver LNK files that invoke mshta to run obfuscated VBScript, which fetches decoy documents and multi-stage malware. The payload adapts its execution to whether Windows Defender is running, downloading and decrypting different components: either pipe.zip (yielding 1.log, 1.ps1 and 2.log for backdoor, infostealer and keylogging functions) or user.txt and sys.log (yielding sys.dll and additional droppers). Observed capabilities include credential and cookie theft, keylogging, clipboard theft, remote command execution, and downloader activity. Recommended mitigations include checking the registry and deleting suspicious files in %TEMP% and %LOCALAPPDATA%.
