Payroll Review Phishing Campaign Targeting Human Resources Staff

ID: 9ea32fc9-bfeb-4d87-9dd6-33b7998df070

STIX ID: report--9ea32fc9-bfeb-4d87-9dd6-33b7998df070

Threat Score: 65/100

Uploaded: 2026-04-13

Created by: Report Uploader

TLP:GREEN
On 12 April 2026, HR personnel at a consulting firm received payroll-themed phishing emails containing a macro-enabled Excel workbook (Payroll_Adjustment_April.xlsm). When macros were enabled, the workbook invoked PowerShell to download an executable from http://194.28.90.201/static/payroll.dat, established persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PayrollAgent, and contacted a remote host at 45.66.230.18 over TCP 443. Observed IoCs include the sender hr-team@employeeportal-notice.com, the attachment name, the URL and IPs, and the file MD5 6dcb87c08f3e2eb8e9cf15d315f3c242.