The threat group conducted a recent spear-phishing campaign that uses Pegasus spyware-related lures to trick victims into opening malicious files.

Dark Reading Staff, Dark Reading

August 18, 2021


Researchers have observed the Confucius threat group conducting a recent spear-phishing campaign in which the attackers used lures related to Pegasus spyware to target the Pakistani military.

The campaign was detected during a broader investigation of the Confucius threat actor, according to the Trend Micro researchers who found it. In the first phase of the two-step attack, an email without a malicious payload is sent, containing content copied from a legitimate Pakistani newspaper article. The spoofed sender address mimics the PR department of the Pakistani Armed Forces.

Two days later, a second email arrives disguised as a warning from the Pakistani military about the Pegasus spyware. This email contains a link to a malicious encrypted Word document; the decryption password will be sent to the victim. The sender address spoofs a service similar to the one in the first email.

If the target clicks the malicious document link or the "unsubscribe" link, the Word document is downloaded and, once the password is entered, a document containing macros is displayed. If macros are enabled, the malicious code executes, researchers explain.

The final payload is a .NET DLL file designed to steal documents and images; it checks the Documents, Downloads, Desktop, and Pictures folders of every user.

Read the full blog post for more information.
