Phishing emails are received by victims which have subject lines reading, “DHL Please receive your package,” “DHL Express Shipping Info,” “DHL shipping notification” and “Update Information Delivery DHL.” Within the emails is a compressed archive containing executable scripts. Once the archive has been opened by the unsuspecting user, the AZORult variant downloads and runs accordingly. Once it begins, the variant can steal accounts and other credentials from the victim’s web browser. Two servers are contacted, googodsgld[.]com and driverconnectsearch[.]info in request of other commands. This is a resemblance of Brushloader threats which is a dropper/loader written is VBScript. At this time, the variant has only been seen targeting Italian organizations and networks.
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in