
Benefits Enrollment Email Used to Deliver Remote Access Payload

ID: 3f32d696-619f-4600-9786-c73c7dcc3b9c

STIX ID: report--3f32d696-619f-4600-9786-c73c7dcc3b9c

Threat Score

70/100

Uploaded: 2026-04-13

Created by: Report Uploader

TLP:GREEN
On 7 April 2026 a phishing campaign used a benefits-enrollment lure with an attachment named Benefits_Enrollment_2026.docm. When macros were enabled, the document executed PowerShell to download benefits_client.exe from http://159.65.201.14/files/client.bin. The binary installed a service called "Benefits Sync Service" and began beaconing to /api/status. Observed IOCs include the sender address benefits@employee-enrollmentcenter.com, the attachment name, the download host 159.65.201.14, the service name, and the /api/status URI.
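As an added example (not part of the report), the following Python checks log lines against the indicators listed above; the sample log lines are constructed, and the beacon URI is only matched when it appears on the listed download host, so a legitimate internal /api/status endpoint does not alert.

```python
import re

# Indicators as listed in the report above.
IOCS = {
    "sender": "benefits@employee-enrollmentcenter.com",
    "attachment": "Benefits_Enrollment_2026.docm",
    "download_host": "159.65.201.14",
    "service_name": "Benefits Sync Service",
    "beacon_uri": "/api/status",
}

# Constructed sample log lines (mail gateway, web proxy, Windows service-install event).
SAMPLE_LOGS = [
    "mail from=benefits@employee-enrollmentcenter.com to=jdoe@corp.example attach=Benefits_Enrollment_2026.docm",
    "proxy src=10.0.4.22 method=GET url=http://159.65.201.14/files/client.bin status=200",
    'winevent id=7045 host=WS-0412 service="Benefits Sync Service" path=C:\\Users\\Public\\benefits_client.exe',
    "proxy src=10.0.4.22 method=GET url=http://159.65.201.14/api/status status=200",
    "proxy src=10.0.4.23 method=GET url=https://intranet.corp.example/api/status status=200",
    "mail from=hr@corp.example to=jdoe@corp.example attach=Open_Enrollment_FAQ.pdf",
]

# The bare IP is matched on word boundaries so 159.65.201.140 would not match.
HOST_RE = re.compile(r"\b" + re.escape(IOCS["download_host"]) + r"\b")
# The beacon URI is only an indicator on the listed host, followed by end, space or query string.
BEACON_RE = re.compile(
    r"https?://" + re.escape(IOCS["download_host"]) + re.escape(IOCS["beacon_uri"]) + r"(?:[?\s]|$)"
)


def match_iocs(line):
    """Return the list of IOC names observed in one log line."""
    lowered = line.lower()
    hits = []
    if IOCS["sender"] in lowered:
        hits.append("sender")
    if IOCS["attachment"].lower() in lowered:
        hits.append("attachment")
    if HOST_RE.search(line):
        hits.append("download_host")
    if IOCS["service_name"].lower() in lowered:
        hits.append("service_name")
    if BEACON_RE.search(line):
        hits.append("beacon_uri")
    return hits


def scan(lines):
    """Map line index -> matched IOC names, keeping only lines with at least one hit."""
    return {i: hits for i, line in enumerate(lines) if (hits := match_iocs(line))}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS).items():
        print(f"line {idx}: {', '.join(hits)} :: {SAMPLE_LOGS[idx]}")
```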