Activity Targeting Crypto Asset Exchangers for Parallax RAT Infection
ID: 989e4054-203c-5d57-93b0-372a85ba2359
STIX ID: report--989e4054-203c-5d57-93b0-372a85ba2359
Feed Name: JPCERT Blog
JPCERT/CC investigated a February 2023 campaign that delivered Parallax RAT to a crypto-asset exchanger through OneNote files linked from spam emails. The attack chain runs: Google Drive link → ZIP archive → OneNote file containing an embedded, obfuscated VBS → PowerShell downloader (Latest.pdf, dx.txt, angle.exe) that disables UAC and Defender exclusions. Parallax RAT then establishes persistence via Startup\Milk.exe, injects into pipanel.exe, performs keylogging and clipboard theft, and communicates with its C2 at 144.202.9.245:80. The report also covers related tooling (NetSupport, GuLoader, an IRC bot) and lists server URLs and multiple file hashes for IOC hunting.
