tldr - powered by Generative AI

Ongoing social engineering campaign targets enterprises with spam emails and phone calls to gain initial access for exploitation.
  • Threat actors overwhelm users with spam emails and phone calls, offering assistance to download remote monitoring software.
  • Emails appear as newsletter sign-up confirmations to bypass email protection solutions.
  • Impersonating the IT team, threat actors trick users into installing remote desktop software to "resolve" the email issues they themselves caused.
  • Remote access is used to download additional payloads for credential harvesting and persistence on hosts.
  • Campaign observed attempting to deploy Cobalt Strike beacons within compromised networks.
  • Attack chain delivers remote monitoring tools like ConnectWise ScreenConnect and NetSupport RAT, associated with FIN7 actors.
  • Phorpiex botnet used to distribute LockBit Black ransomware in a high-volume campaign.
  • Mallox ransomware group brute-forces Microsoft SQL servers to deploy Mallox file-encrypting malware via PureCrypter loader.
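The attack chain summarised above has a detectable shape on the defender's side: a spam flood against one mailbox, followed shortly by an RMM client (ScreenConnect, NetSupport) starting from a user-writable path on that user's workstation. The script below is an added illustration, not code from the original article or from any vendor: it correlates constructed mail-gateway and process-creation records, allow-lists RMM clients by their sanctioned install location, and raises the severity when the executing user was mail-flooded in the preceding 30 minutes. The binary names, the 50-messages-in-30-minutes threshold and the `C:\Program Files\ScreenConnect Client` allow-list prefix are assumptions to tune locally.

```python
import json
import ntpath
from datetime import datetime, timedelta

# Default client binary names for the two RMM tools named in the summary.
# Assumption: these are vendor defaults; a renamed binary will not match, so
# pair this with signer or hash checks in a real deployment.
RMM_BINARIES = {
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
    "screenconnect.windowsclient.exe": "ConnectWise ScreenConnect",
    "client32.exe": "NetSupport Manager",
}

# Tuning knobs (assumptions): >= 50 inbound mails to one user within the 30
# minutes before an RMM client starts is treated as the spam-flood precursor.
FLOOD_WINDOW = timedelta(minutes=30)
FLOOD_THRESHOLD = 50


def parse_ts(s):
    return datetime.fromisoformat(s)


def mail_burst_count(mail_events, user, at, window=FLOOD_WINDOW):
    """Inbound messages `user` received in the `window` ending at `at`."""
    start = at - window
    return sum(1 for e in mail_events
               if e["user"] == user and start <= parse_ts(e["ts"]) <= at)


def detect_rmm_installs(proc_events, mail_events, approved_paths=()):
    """Alert on RMM client executions outside approved install prefixes,
    escalating to 'high' when the user was mail-flooded beforehand."""
    alerts = []
    for e in proc_events:
        image = e["image"]
        tool = RMM_BINARIES.get(ntpath.basename(image).lower())
        if tool is None:
            continue  # not an RMM client we track
        if any(image.lower().startswith(p.lower()) for p in approved_paths):
            continue  # sanctioned install location
        burst = mail_burst_count(mail_events, e["user"], parse_ts(e["ts"]))
        alerts.append({
            "ts": e["ts"], "host": e["host"], "user": e["user"], "tool": tool,
            "image": image, "inbound_mail_30m": burst,
            "severity": "high" if burst >= FLOOD_THRESHOLD else "medium",
        })
    return alerts


# --- constructed sample telemetry (not real logs) ---
def _constructed_mail_events():
    events = []
    t0 = datetime(2024, 5, 7, 13, 40)
    for i in range(60):  # alice: 60 "subscription confirmations" in 20 minutes
        events.append({"ts": (t0 + timedelta(seconds=20 * i)).isoformat(),
                       "user": "alice", "subject": "Confirm your subscription"})
    for i in range(3):   # carol: normal mail volume
        events.append({"ts": (t0 + timedelta(minutes=5 * i)).isoformat(),
                       "user": "carol", "subject": "Weekly report"})
    return events


MAIL_EVENTS = _constructed_mail_events()

PROC_LOG_LINES = [
    r'{"ts": "2024-05-07T14:05:00", "host": "WS-ALICE", "user": "alice", "image": "C:\\Users\\alice\\Downloads\\ScreenConnect.ClientService.exe"}',
    r'{"ts": "2024-05-07T14:06:00", "host": "WS-BOB", "user": "bob", "image": "C:\\Program Files\\ScreenConnect Client (helpdesk)\\ScreenConnect.ClientService.exe"}',
    r'{"ts": "2024-05-07T14:07:00", "host": "WS-CAROL", "user": "carol", "image": "C:\\Users\\carol\\AppData\\Local\\Temp\\client32.exe"}',
    r'{"ts": "2024-05-07T14:08:00", "host": "WS-DAVE", "user": "dave", "image": "C:\\Windows\\System32\\notepad.exe"}',
]
PROC_EVENTS = [json.loads(line) for line in PROC_LOG_LINES]

# Assumption: the help desk's sanctioned ScreenConnect client lives here.
APPROVED_RMM_PATHS = ("C:\\Program Files\\ScreenConnect Client",)

if __name__ == "__main__":
    for a in detect_rmm_installs(PROC_EVENTS, MAIL_EVENTS, APPROVED_RMM_PATHS):
        print(json.dumps(a))
```

Run as-is it emits two alerts: a high-severity one for alice (RMM client launched from Downloads minutes after 60 inbound messages) and a medium one for carol (NetSupport client from a Temp directory, no flood). Bob's sanctioned ScreenConnect install is suppressed by the path allow-list, which is why the allow-list should be a specific install prefix rather than a binary name.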
Tags: social engineering, spam emails, phone calls, remote access, credential harvesting
