Secure Fax Notification Delivering LNK-Based Malware Loader
ID: 7da3f670-b725-457d-9412-7082a4c112d8
STIX ID: report--7da3f670-b725-457d-9412-7082a4c112d8
Threat Score: 65/100
A phishing campaign on 8 April 2026 targeted administrative staff with fake "secure fax" notifications. The attached Fax_Reference_8842.zip contained Fax_Document.pdf.lnk, which executed a hidden PowerShell command to download a payload from http://167.71.22.199/load/a.dat and created a scheduled task named FaxReviewTask. Observed IOCs include the ZIP attachment (Fax_Reference_8842.zip), the LNK file (Fax_Document.pdf.lnk), the download URL, and the scheduled task name. The lure leveraged a familiar office workflow to induce execution of the malicious LNK.
