Researchers have observed the Confucius threat group conducting a recent spear-phishing campaign in which the attackers used lures related to the Pegasus spyware to target the Pakistani military.
The campaign was detected during a broader investigation of the Confucius threat actor, report the Trend Micro researchers who found it. In the first phase of the two-step attack, an email with no malicious payload is sent; its body is copied from a legitimate Pakistani newspaper article, and the spoofed sender address mimics the PR department of the Pakistani Armed Forces.
Two days later, a second email arrives disguised as a warning from the Pakistani military about the Pegasus spyware. This email contains a link to a malicious, password-protected Word document, with the decryption password to be sent to the victim. The sender address spoofs a service similar to the one used in the first email.
If the target clicks either the document link or the "unsubscribe" link, the Word document is downloaded, and after the password is entered a macro-bearing document is displayed. If macros are enabled, the malicious code runs, the researchers explain.
The final payload is a .NET DLL designed to steal documents and images; it searches the Documents, Downloads, Desktop, and Pictures folders of every user on the machine.
Read the full blog post for more information.