Steal-It Campaign
ID: b6317b43-8daa-548a-ab29-a31d4f87a8d7
STIX ID: report--b6317b43-8daa-548a-ab29-a31d4f87a8d7
Feed Name: Zscaler Security Research Blog
This report documents an infection chain that lures Belgian users with a spoofed "Windows Update" theme. A malicious LNK delivered in a ZIP opens geofenced JavaScript, which drops batch and PowerShell stages, maintains persistence via the Startup folder and CertUtil, and exfiltrates command output and file paths (tasklist, systeminfo, Get-ChildItem) to remote endpoints at mockbin.org and run.mocky.io. The activity shows similarities to activity attributed to APT28.
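The chain summarised above maps onto a handful of host-level observables: a script host launched from explorer.exe with a .js argument (the LNK-to-JavaScript hop), recon commands whose output is redirected to disk, certutil.exe used as a decoder or downloader, a file written to the Startup folder, and DNS lookups for the exfiltration domains. The following hunt logic is an added example, not code from the Zscaler report; the Sysmon-style event records, their field names (host, type, parent, process, cmdline, path, query) and the stage names are constructed assumptions for illustration.

```python
"""Correlate Steal-It style chain stages across constructed endpoint telemetry.

Added example; the events below are constructed, not real telemetry, and the
field layout is an assumption modelled on Sysmon process/file/DNS events.
"""
import re
from collections import defaultdict

# Constructed sample events: WS01 shows the full chain, WS02 is benign noise.
EVENTS = [
    {"host": "WS01", "type": "process", "parent": "explorer.exe", "process": "wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\ann\\AppData\\Local\\Temp\\WindowsUpdate.js"'},
    {"host": "WS01", "type": "process", "parent": "wscript.exe", "process": "cmd.exe",
     "cmdline": 'cmd.exe /c tasklist > "C:\\Users\\ann\\AppData\\Local\\Temp\\t.txt"'},
    {"host": "WS01", "type": "process", "parent": "cmd.exe", "process": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -c Get-ChildItem -Recurse C:\\Users | Out-File o.txt"},
    {"host": "WS01", "type": "process", "parent": "cmd.exe", "process": "certutil.exe",
     "cmdline": "certutil.exe -decode update.b64 update.bat"},
    {"host": "WS01", "type": "file",
     "path": "C:\\Users\\ann\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.bat"},
    {"host": "WS01", "type": "dns", "query": "mockbin.org"},
    {"host": "WS02", "type": "process", "parent": "explorer.exe", "process": "cmd.exe",
     "cmdline": "cmd.exe /c systeminfo"},
    {"host": "WS02", "type": "dns", "query": "login.microsoftonline.com"},
]

STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RECON_RE = re.compile(r"\b(tasklist|systeminfo|Get-ChildItem)\b", re.IGNORECASE)
REDIRECT_RE = re.compile(r">|Out-File|Tee-Object", re.IGNORECASE)
EXFIL_DOMAINS = {"mockbin.org", "run.mocky.io"}  # named in the report summary


def classify(event):
    """Return the set of chain stages a single event satisfies (possibly empty)."""
    stages = set()
    kind = event.get("type")
    if kind == "process":
        proc = event["process"].lower()
        parent = event.get("parent", "").lower()
        cmd = event.get("cmdline", "")
        # Stage 1: LNK opened a .js via the Windows script host, spawned by explorer.
        if proc in {"wscript.exe", "cscript.exe"} and parent == "explorer.exe" \
                and re.search(r"\.js\b", cmd, re.IGNORECASE):
            stages.add("lnk_to_js")
        # Stage 2: recon command with output redirected to a file for later upload.
        if proc in {"cmd.exe", "powershell.exe"} and RECON_RE.search(cmd) and REDIRECT_RE.search(cmd):
            stages.add("recon_to_file")
        # Stage 3: certutil abused to decode or fetch a payload.
        if proc == "certutil.exe" and re.search(r"-(decode|urlcache)", cmd, re.IGNORECASE):
            stages.add("certutil")
    elif kind == "file" and STARTUP_RE.search(event.get("path", "")):
        stages.add("startup_persistence")  # Stage 4: Startup-folder persistence
    elif kind == "dns" and event.get("query", "").lower() in EXFIL_DOMAINS:
        stages.add("exfil_domain")  # Stage 5: lookup of a named exfil endpoint
    return stages


def hunt(events, min_stages=3):
    """Group stage hits per host; report hosts with at least min_stages distinct stages."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify(ev)
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= min_stages}


if __name__ == "__main__":
    for host, stages in hunt(EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

The correlation threshold matters more than any single rule: mockbin.org and run.mocky.io are legitimate mock-API services, and systeminfo or certutil on their own are routine on many fleets, so a lone hit is a weak signal. Requiring several distinct stages on the same host, as `hunt` does, keeps the alert specific to the chain while still tolerating a stage that the sensor missed.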
