Mail Server: mail[.]kakao[.]com — This indicator was mentioned in a report titled "Lumma Stealer targets YouTubers via Spear-phishing Email" (Source: VT community).
Email Sender: David_Batterson <david.adobe@daum[.]net> — The sender domain suggests a strategic operation likely targeting cybersecurity professionals (Source: VT community).
Sender's IPs: 220.64.109.101 ([31.220.44.100])
Subject: Re: Adobe partnership discussion
Body: The email solicited an Adobe partnership aimed at content creators. It included a URL pointing to a fake DocuSign page that asked the recipient to download an application using the invitation code "ABEC2-OBJ29". This led to the download of an executable named "DocuSign_PackageInstaller.exe" (suspected payload). URL: https[:]//docu.signtools[.]app
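The indicators above are quoted in defanged form, so matching them against a real message means refanging them and then pulling the comparable facts (sender domain, Received-chain hosts and IPs, URLs in the body) out of the mail. The following is an added example, not part of the report: the two messages are constructed for illustration, the header layout and the `match_iocs`/`refang` helper names are assumptions, and only the indicator values themselves come from the page.

```python
"""Added example: match a message against the defanged IOCs quoted in this report.
Both sample messages are constructed; only the indicator values are from the report."""
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators exactly as quoted (defanged) in the report.
REPORT_IOCS = {
    "domains": {"mail[.]kakao[.]com", "daum[.]net", "docu.signtools[.]app"},
    "ips": {"220.64.109.101", "31.220.44.100"},
    "urls": {"https[:]//docu.signtools[.]app"},
}

# Constructed message modelled on the report's header facts (not a real capture).
SAMPLE_EMAIL = """\
Received: from mail.kakao.com (mail.kakao.com [220.64.109.101])
\tby mx.example.net with ESMTPS; Mon, 15 Dec 2025 09:37:12 +0000
Received: from [31.220.44.100] by mail.kakao.com; Mon, 15 Dec 2025 09:37:01 +0000
From: David_Batterson <david.adobe@daum.net>
To: inquiry@mydfir.com
Subject: Re: Adobe partnership discussion
Content-Type: text/plain; charset=utf-8

Hi, we would like to discuss an Adobe partnership for creators.
Please review the agreement at https://docu.signtools.app and use invitation code ABEC2-OBJ29.
"""

# Constructed benign message that must produce no hits (203.0.113.0/24 is documentation space).
BENIGN_EMAIL = """\
Received: from mail.example.org (mail.example.org [203.0.113.5]) by mx.example.net; Mon, 15 Dec 2025 10:00:00 +0000
From: Alice <alice@example.org>
To: inquiry@mydfir.com
Subject: Lunch

See you at noon.
"""

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)


def refang(s):
    """Undo common defanging: [.] -> ., [:] -> :, leading hxxp -> http."""
    return re.sub(r"^hxxp", "http", s.replace("[.]", ".").replace("[:]", ":"), flags=re.I)


def extract(raw):
    """Pull sender address, Received-chain hosts/IPs and body URLs out of a raw message."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    hosts, ips = set(), set()
    for rcv in msg.get_all("Received", []):
        ips.update(RECEIVED_IP.findall(rcv))
        m = re.match(r"from\s+(\S+)", rcv)
        if m:
            hosts.add(m.group(1).lower())
    body = "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", errors="replace")
        for p in msg.walk() if p.get_content_type() == "text/plain")
    return {"sender": sender, "hosts": hosts, "ips": ips, "urls": set(URL_RE.findall(body))}


def match_iocs(raw, iocs=REPORT_IOCS):
    """Return a sorted list of 'kind:value' hits for every report indicator seen in the message."""
    facts = extract(raw)
    domains = {refang(d).lower() for d in iocs["domains"]}
    urls = {refang(u).lower().rstrip("/") for u in iocs["urls"]}
    hits = set()
    sender_domain = facts["sender"].rsplit("@", 1)[-1].lower()
    if sender_domain in domains:
        hits.add("sender_domain:" + sender_domain)
    hits.update("received_host:" + h for h in facts["hosts"] if h in domains)
    hits.update("received_ip:" + ip for ip in facts["ips"] & iocs["ips"])
    hits.update("url:" + u for u in facts["urls"] if u.lower().rstrip("/") in urls)
    return sorted(hits)


if __name__ == "__main__":
    print(match_iocs(SAMPLE_EMAIL))   # five hits: host, two IPs, sender domain, URL
    print(match_iocs(BENIGN_EMAIL))   # []
```

The Received-chain check is what makes this more than a sender-address lookup: the From header is trivially forged, while the relay hosts and bracketed IPs are stamped by each receiving MTA, so a hit on `received_host` or `received_ip` is worth more than a hit on `sender_domain`.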
DocuSign_PackageInstaller was manually executed on MTS-Contractor-PC2.
Upon execution, the trojanized installer, masquerading as legitimate software, dropped approximately 62 .NET and WebView2-related DLLs into a staging folder. It also dropped a .zip file (netcore, Ionic.Zip) to C:\ProgramData\.
DocuSign_PackageInstaller.exe then launched msedgewebview2.exe. The timeline (the DLLs appearing within seconds of execution) indicates bulk extraction from an embedded payload.
Successful outbound communication was observed to 136.243.14.123 on port 443.
DocuSign_PackageInstaller.exe created a child binary, index.exe.tmp, which was subsequently renamed to index.exe and executed as a child process. Shortly after, index.exe injected code into Microsoft Edge.
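Each step of the chain above (dozens of DLL writes within seconds, a .tmp file renamed and run, a remote thread into Edge, a connection to the C2 IP) is individually weak but strong once tied to one process tree. The following is an added example, not code from the report or its author: it runs that correlation over constructed Sysmon-style events (IDs 1 ProcessCreate, 3 NetworkConnect, 8 CreateRemoteThread, 11 FileCreate). The file paths, PIDs, timestamps, thresholds and function names are assumptions; only the process names, the C2 IP/port and the approximate DLL count come from the page.

```python
"""Added example: detection logic for the DocuSign_PackageInstaller chain over constructed
Sysmon-style events. Paths, PIDs, timestamps and thresholds are assumptions, not report data."""
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"
C2_IOCS = {("136.243.14.123", 443)}          # from the report
BULK_DLL_THRESHOLD = 20                       # assumed: this many DLL drops by one process ...
BULK_DLL_WINDOW = timedelta(seconds=10)       # ... inside this window is anomalous
BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}

# Assumed paths for the constructed data (the report names only the binaries and C:\ProgramData\).
INSTALLER = r"C:\Users\contractor\Downloads\DocuSign_PackageInstaller.exe"
STAGE = r"C:\Users\contractor\AppData\Local\Temp\stage"
INDEX = STAGE + r"\index.exe"
WEBVIEW = r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedgewebview2.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"


def build_sample_events():
    """Constructed events modelled on the report's timeline; not real telemetry."""
    base, events = datetime(2025, 12, 15, 9, 40, 0), []

    def add(offset_s, **fields):
        fields["ts"] = (base + timedelta(seconds=offset_s)).strftime(FMT)
        events.append(fields)

    add(0, id=1, pid=4120, ppid=3000, image=INSTALLER, parent_image=r"C:\Windows\explorer.exe")
    for i in range(62):                                   # 62 DLLs staged within ~5 s
        add(1 + i // 15, id=11, pid=4120, image=INSTALLER, target=rf"{STAGE}\lib{i:02d}.dll")
    add(6, id=11, pid=4120, image=INSTALLER, target=r"C:\ProgramData\netcore.zip")
    add(7, id=1, pid=4200, ppid=4120, image=WEBVIEW, parent_image=INSTALLER)
    add(8, id=11, pid=4120, image=INSTALLER, target=INDEX + ".tmp")          # written as .tmp ...
    add(10, id=1, pid=4300, ppid=4120, image=INDEX, parent_image=INSTALLER)  # ... renamed and run
    add(12, id=8, pid=4300, image=INDEX, target_image=EDGE)                  # injection into Edge
    add(13, id=3, pid=4300, image=INDEX, dst_ip="136.243.14.123", dst_port=443)
    # Benign noise that must not trigger (203.0.113.0/24 is documentation address space).
    add(20, id=11, pid=5000, image=r"C:\Windows\System32\svchost.exe", target=r"C:\Windows\Temp\u.log")
    add(21, id=3, pid=5100, image=EDGE, dst_ip="203.0.113.10", dst_port=443)
    return events


def bulk_dll_drops(events, threshold=BULK_DLL_THRESHOLD, window=BULK_DLL_WINDOW):
    """{(pid, image): count} for processes writing >= threshold DLLs in any sliding window."""
    times = defaultdict(list)
    for e in events:
        if e["id"] == 11 and e["target"].lower().endswith(".dll"):
            times[(e["pid"], e["image"])].append(datetime.strptime(e["ts"], FMT))
    hits = {}
    for key, ts in times.items():
        ts.sort()
        j = best = 0
        for i, t in enumerate(ts):
            while t - ts[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            hits[key] = best
    return hits


def tmp_to_exe_execution(events):
    """ProcessCreate whose image equals an earlier FileCreate '<image>.tmp' (rename-then-run)."""
    tmp_seen, hits = set(), []
    for e in events:                      # events are time-ordered, so 'earlier' holds
        if e["id"] == 11 and e["target"].lower().endswith(".tmp"):
            tmp_seen.add(e["target"].lower())
        elif e["id"] == 1 and e["image"].lower() + ".tmp" in tmp_seen:
            hits.append((e["pid"], e["image"]))
    return hits


def browser_injection(events):
    """CreateRemoteThread (Sysmon 8) whose target is a browser process."""
    return [(e["pid"], e["image"], e["target_image"]) for e in events
            if e["id"] == 8 and e["target_image"].lower().rsplit("\\", 1)[-1] in BROWSERS]


def c2_connections(events, iocs=C2_IOCS):
    return [(e["pid"], e["image"], e["dst_ip"], e["dst_port"]) for e in events
            if e["id"] == 3 and (e["dst_ip"], e["dst_port"]) in iocs]


def descendants(events, root_pid):
    """All pids below root_pid, following ProcessCreate ppid -> pid links."""
    children = defaultdict(set)
    for e in events:
        if e["id"] == 1:
            children[e["ppid"]].add(e["pid"])
    out, stack = set(), [root_pid]
    while stack:
        for c in children[stack.pop()] - out:
            out.add(c)
            stack.append(c)
    return out


def triage(events):
    """Run every detection, then tie the weaker findings to the bulk-dropper's process tree."""
    findings = {"bulk_dll_drops": bulk_dll_drops(events),
                "tmp_to_exe_execution": tmp_to_exe_execution(events),
                "browser_injection": browser_injection(events),
                "c2_connections": c2_connections(events)}
    chains = {}
    for (root, _image) in findings["bulk_dll_drops"]:
        tree = {root} | descendants(events, root)
        linked = [f for k in ("tmp_to_exe_execution", "browser_injection", "c2_connections")
                  for f in findings[k] if f[0] in tree]
        chains[root] = {"tree": tree, "linked_findings": len(linked)}
    return findings, chains


if __name__ == "__main__":
    findings, chains = triage(build_sample_events())
    for name, hits in findings.items():
        print(f"{name}: {hits}")
    print("chains:", chains)
```

The process-tree join is the part worth keeping: the DLL burst identifies the root, and `descendants` decides whether the rename-and-run, the injection and the C2 connection belong to that root or to unrelated activity, which is what turns four low-confidence signals into one high-confidence chain.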
On December 14, 2025, at 19:43:17 UTC and December 15, 2025, at 09:37:12 UTC, inquiry@mydfir.com received two separate malicious emails soliciting an Adobe partnership, likely targeting content creators. The email body linked to a fake DocuSign page that asked the recipient to download an application using the invitation code "ABEC2-OBJ29". A trojanized DocuSign_PackageInstaller.exe, masquerading as a legitimate installer, was executed on MTS-Contractor-PC2. Within seconds of execution, the binary staged numerous .NET and WebView2-related DLLs into the user's AppData directory, indicating bulk extraction from an embedded payload.