Well this is fucking clever - hide a malicious PowerShell script inside a license file, assuming (correctly) that no one EVER looks inside a license file. #DEFCON31 (from Andrew Brandt's War Stories presentation)
@pluralistic Would the PowerShell scripts automatically execute when the license was opened? How would the base64 be decoded and run on open?
@louzell It was one stage in a multi-part attack against defense contractors in several countries. It got called from another script. https://news.sophos.com/en-us/2023/08/10/image-spam-attack/
Attacker combines phone, email lures into believable, complex attack chain

A social engineering phone call lends authenticity to the attacker’s malicious email

Sophos News
@pluralistic This is wild, thanks for sharing!
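
A defender-side check for the technique discussed in this thread, as an added example that is not from the thread or the linked Sophos write-up: it flags long base64 runs in a license file whose decoded text looks like PowerShell. The marker list, the 40-character threshold and the UTF-16LE/UTF-8 decodings are assumptions, and the sample license is constructed.

```python
import base64
import re

# A base64 run this long does not occur in ordinary license prose (assumed threshold).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Assumed indicator strings, lower-cased; tune for your environment.
PS_MARKERS = ("invoke-expression", "iex ", "iex(", "frombase64string",
              "downloadstring", "new-object", "start-process", "powershell")


def decodings(run: str) -> list[str]:
    """Decode one base64 run as UTF-16LE and UTF-8 text (both assumed encodings)."""
    core = run.rstrip("=")
    try:
        raw = base64.b64decode(core + "=" * (-len(core) % 4))
    except ValueError:  # binascii.Error: not valid base64 after all
        return []
    return [raw.decode(enc, errors="ignore") for enc in ("utf-16-le", "utf-8")]


def scan_license(text: str) -> list[dict]:
    """Return one finding per base64 run whose decoded text looks like PowerShell."""
    findings = []
    for match in B64_RUN.finditer(text):
        for decoded in decodings(match.group()):
            hit = next((m for m in PS_MARKERS if m in decoded.lower()), None)
            if hit:
                findings.append({"offset": match.start(), "marker": hit,
                                 "preview": decoded[:60]})
                break  # one finding per run is enough
    return findings


# Constructed sample: a harmless command hidden between ordinary license lines.
PAYLOAD = "Write-Output 'constructed sample'; Invoke-Expression $next"
HIDDEN = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
BENIGN = base64.b64encode(
    b"Constructed note: this blob is only a plain checksum remark.").decode()
SAMPLE_LICENSE = (
    "Permission is hereby granted, free of charge, to any person obtaining a copy\n"
    f"{HIDDEN}\n"
    f"Build note {BENIGN}\n"
    "THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND.\n"
)

if __name__ == "__main__":
    for finding in scan_license(SAMPLE_LICENSE):
        print(finding)
```

The scan treats each unbroken run separately, so a blob wrapped across several lines is decoded line by line.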