A new backdoor, Serpent, has been identified in attacks targeting French construction, real estate, and government organizations; it is delivered with the help of popular Windows package managers.
The attack chain begins with targeted phishing e-mails that deliver macro-enabled Microsoft Word documents themed around the European Union General Data Protection Regulation (GDPR). When the target enables the macros, a seemingly harmless image file is downloaded from a remote server; the image, however, carries a Base64-encoded PowerShell script concealed by steganography. This PowerShell script installs Chocolatey, the Python package manager pip, and the PySocks proxy library on the Windows host. The same script then downloads a second image file from the same server, which contains the Serpent backdoor; the backdoor can execute commands received from the C2 server.
Besides steganography, the use of legitimate, widely used package managers appears to be another attempt to evade detection. The campaign has not yet been attributed to a known threat actor, but it is believed to be the work of a sophisticated cyber threat group. Organizations are therefore advised not to open attachments or links in unsolicited e-mails from unknown senders, to raise staff awareness of advanced phishing attacks, and to use reliable anti-virus / anti-malware solutions. The IoCs associated with the campaign should also be blocked in the security solutions in use.
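Each stage of the chain described above (Word macro launching PowerShell, PowerShell installing Chocolatey, pip pulling PySocks) leaves a process-creation event, and individually some of those events are benign on a developer workstation. The following detection sketch is an added example, not code from the report or from any vendor: it evaluates constructed process-creation log lines against per-stage rules and then correlates distinct stages per host, so that the combination of legitimate tools, rather than any single install, raises the alert. The log format, host names, and command lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Process names for the stages in the report; paths are stripped before comparing.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# Command-line patterns: hidden/encoded PowerShell launches (typical of macro-
# started scripts), Chocolatey installs, and pip installing PySocks.
RE_HIDDEN_OR_ENCODED = re.compile(
    r"-(w|windowstyle)\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)
RE_CHOCO = re.compile(r"chocolatey|choco(\.exe)?\s+install", re.I)
RE_PIP_PYSOCKS = re.compile(r"pip\d?(\.exe)?\s+install\b.*\bpysocks\b", re.I)


def basename(path):
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_line(line):
    """Parse a constructed key="value" process-creation line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def evaluate(event):
    """Return the names of the chain stages that a single event matches."""
    hits = []
    parent, image, cmd = basename(event["parent"]), basename(event["image"]), event["cmd"]
    if parent in OFFICE_PARENTS and image in SHELLS:
        hits.append("office_spawns_powershell")
    if image in SHELLS and RE_HIDDEN_OR_ENCODED.search(cmd):
        hits.append("powershell_hidden_or_encoded")
    if RE_CHOCO.search(cmd):
        hits.append("chocolatey_install")
    if RE_PIP_PYSOCKS.search(cmd):
        hits.append("pip_installs_pysocks")
    return hits


def suspicious_hosts(lines, min_stages=2):
    """Correlate per host: one stage alone (e.g. a developer running pip) is weak
    evidence, but several distinct stages on the same host reproduce the chain."""
    stages = defaultdict(set)
    for line in lines:
        event = parse_line(line)
        stages[event["host"]].update(evaluate(event))
    return {host: sorted(s) for host, s in stages.items() if len(s) >= min_stages}


# Constructed sample telemetry (not from a real incident). ws01 shows the full
# chain; dev02 is a developer installing PySocks; ws03 is ordinary admin use.
SAMPLE_LOG = [
    r'host="ws01" parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell.exe -w hidden -ep bypass -c (script body omitted)"',
    r'host="ws01" parent="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell.exe -c choco install python -y"',
    r'host="ws01" parent="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" image="C:\Python310\Scripts\pip.exe" cmd="pip.exe install pysocks"',
    r'host="dev02" parent="C:\Windows\System32\cmd.exe" image="C:\Python310\Scripts\pip.exe" cmd="pip install pysocks"',
    r'host="ws03" parent="C:\Windows\explorer.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmd="powershell.exe -NoProfile -c Get-Process"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        event = parse_line(line)
        print(event["host"], basename(event["image"]), evaluate(event))
    print("hosts reproducing the chain:", suspicious_hosts(SAMPLE_LOG))
```

Running the block reports stage hits for each sample line and flags only ws01, where four distinct stages occur; dev02's lone pip install stays below the correlation threshold. In a real deployment the same logic maps onto Sysmon event ID 1 or EDR process telemetry, and the threshold and pattern set are the knobs to tune against the environment's baseline.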