Procurement Quote Request Phishing Attachment Delivering Infostealer
ID: 728268b2-3f11-4d06-86cd-a37c19aa64d4
STIX ID: report--728268b2-3f11-4d06-86cd-a37c19aa64d4
Threat Score: 70/100
On 13 April 2026, procurement employees received spear-phishing emails carrying an attachment (RFQ_April_Products.xls) that instructed recipients to enable editing. Doing so executed code that downloaded a payload to C:\Users\Public\rfq_updater.exe. The malware harvested browser credentials and attempted to access cryptocurrency wallet extensions, exfiltrating data to collector.quote-sync.com. Observed indicators include the sender sales@industrial-quotehub.com, the attachment name, the dropped file path and SHA1 7a42fdcb9a6c930ad76c2acfd3cb97f4f9fca12e.
