In both campaigns, attackers hid malicious code in images they uploaded to archive[.]org, a file-hosting website, and used the same .NET loader to install their final payloads
In both campaigns, attackers hid malicious code in images they uploaded to archive[.]org, a file-hosting website, and used the same .NET loader to install their final payloads
And it’s not the image that’s the attack vector, it’s still a vbscript in an excel document that download the image as its malware payload, decodes the malware and executes it.