
Suspected Phishing Campaign Targeting Finance Team with Invoice Lures

ID: 34ea58d6-e59c-47b5-a4c5-7a10fab62ab9

STIX ID: report--34ea58d6-e59c-47b5-a4c5-7a10fab62ab9

Threat Score

70/100

Uploaded: 2026-04-13

Created by: Report Uploader

TLP:GREEN
On 12 April 2026 a spearphishing campaign targeted the finance department of a mid-sized manufacturer. The lure was a macro-enabled Excel file (Invoice_April_2026.xlsm) sent from a spoofed supplier address. Enabling macros launched a PowerShell command that downloaded a second-stage payload from http://185.199.110.153/update/office365.bin. The payload then connected to a C2 server at 45.77.12.44 and established persistence via the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OfficeSync. The activity is assessed as financially motivated, with the goal of stealing credentials and deploying additional malware. Associated file hash (SHA256): 8c4a9d7d0b2e31f10ff4f6c1cb6af8d8b74ec9a320f8a3fb2f74396b8d92fa11.
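The following is an added example, not part of the report or of any uploader tooling, showing how a responder might sweep endpoint and proxy logs for the indicators listed above and map each hit back to the stage of the reported chain it evidences. The indicator values are exactly those in the report; the log lines are constructed and loosely modelled on Sysmon process-create, network-connect and registry-set events plus a proxy access line (the field names and host names are assumptions). The sweep normalises the HKU\<SID>\ and HKEY_CURRENT_USER\ spellings of the user hive to the HKCU\ form used in the report, lowercases everything so the uppercase hash Sysmon writes still matches, and anchors IP addresses so that 145.77.12.44 is not mistaken for the C2 at 45.77.12.44.

```python
"""IoC sweep for the invoice-lure campaign described in the report (added example)."""
import re
from dataclasses import dataclass

# Indicators copied from the report text. Everything is compared in lowercase.
IOCS = {
    "lure_file": "invoice_april_2026.xlsm",
    "payload_url": "http://185.199.110.153/update/office365.bin",
    "download_host": "185.199.110.153",
    "c2_ip": "45.77.12.44",
    "run_key": r"hkcu\software\microsoft\windows\currentversion\run\officesync",
    "sha256": "8c4a9d7d0b2e31f10ff4f6c1cb6af8d8b74ec9a320f8a3fb2f74396b8d92fa11",
}

# Stage of the reported chain that each indicator evidences.
STAGE = {
    "lure_file": "initial access (macro-enabled invoice lure)",
    "payload_url": "second-stage download",
    "download_host": "second-stage download",
    "c2_ip": "command and control",
    "run_key": "persistence (HKCU Run key)",
    "sha256": "known malicious file hash",
}


def _compile(name: str, value: str) -> re.Pattern:
    # Bare IPs get digit/dot guards so a longer address containing them does not match.
    if name in ("c2_ip", "download_host"):
        return re.compile(r"(?<![\d.])" + re.escape(value) + r"(?![\d.])")
    return re.compile(re.escape(value))


PATTERNS = {name: _compile(name, value) for name, value in IOCS.items()}

# Registry logs name the user hive as HKEY_CURRENT_USER\... or HKU\<SID>\...;
# rewrite both to the HKCU\... form the report uses.
_HIVE_RE = re.compile(r"(?:hkey_current_user|hku\\s-1-5-21-[\d-]+)\\")


def normalise(line: str) -> str:
    return _HIVE_RE.sub(r"hkcu\\", line.strip().lower())


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str
    stage: str
    line: str


def sweep(lines):
    """Return one Hit per (line, indicator) match, in log order."""
    hits = []
    for n, raw in enumerate(lines, start=1):
        line = normalise(raw)
        matched = [name for name, pat in PATTERNS.items() if pat.search(line)]
        # The full payload URL subsumes its bare host; report only the more specific one.
        if "payload_url" in matched:
            matched = [m for m in matched if m != "download_host"]
        hits.extend(Hit(n, m, STAGE[m], raw.strip()) for m in matched)
    return hits


def stages_seen(hits):
    """Ordered, de-duplicated list of chain stages the hits evidence."""
    return list(dict.fromkeys(h.stage for h in hits))


# Constructed sample log lines (assumed formats; host names are placeholders).
SAMPLE_LOGS = [
    r'2026-04-12T09:14:03Z host=FIN-WS07 EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE ParentCommandLine="EXCEL.EXE C:\Users\jdoe\Downloads\Invoice_April_2026.xlsm"',
    r'2026-04-12T09:14:05Z host=FIN-WS07 proxy GET http://185.199.110.153/update/office365.bin 200 51234',
    r'2026-04-12T09:14:07Z host=FIN-WS07 EventID=1 Image=C:\Users\jdoe\AppData\Local\Temp\office365.bin Hashes=SHA256=8C4A9D7D0B2E31F10FF4F6C1CB6AF8D8B74EC9A320F8A3FB2F74396B8D92FA11',
    r'2026-04-12T09:14:08Z host=FIN-WS07 EventID=13 TargetObject=HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OfficeSync',
    r'2026-04-12T09:14:20Z host=FIN-WS07 EventID=3 DestinationIp=45.77.12.44 DestinationPort=443',
    # Benign: a different address that happens to contain the C2 IP as a substring.
    r'2026-04-12T09:15:00Z host=FIN-WS02 EventID=3 DestinationIp=145.77.12.44 DestinationPort=443',
    # Benign: an ordinary invoice spreadsheet.
    r'2026-04-12T10:02:11Z host=FIN-WS02 EventID=1 Image=EXCEL.EXE CommandLine="EXCEL.EXE C:\Users\asmith\Documents\Invoice_March_2026.xlsx"',
]


if __name__ == "__main__":
    found = sweep(SAMPLE_LOGS)
    for h in found:
        print(f"line {h.line_no}: {h.indicator} -> {h.stage}")
    print("stages evidenced:", stages_seen(found))
```

Run against the constructed lines, the sweep reports five hits (lure file, payload URL, file hash, Run-key value, C2 connection) and nothing for the two benign lines. The stage list is what you would feed into a ticket or timeline: seeing the Run-key write and the C2 beacon on the same host is the signal that the chain reached persistence rather than stopping at the download.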