A phishing email campaign originating from compromised libero.it email accounts successfully delivered a malicious RAR5 archive containing a trojanized executable disguised as legitimate marketing material. Static analysis confirms the payload functions as a trojan loader, leveraging runtime API resolution and cryptographic routines to evade detection and dynamically load secondary payloads. While no plaintext command-and-control (C2) infrastructure was identified statically, the malware demonstrates behaviors consistent with staged payload execution and post-compromise capability expansion.
This activity represents a confirmed malware delivery attempt with high likelihood of follow-on compromise if executed, requiring immediate containment, IOC enrichment, and user awareness reinforcement.
Sender Accounts:
chelsy198013@libero.it, madella197502@libero.it
Mail Infrastructure:
Email processed through oxapps-35-157.iol.local (private IP 10.101.8.203) and relayed via italiaonline.it (213.209.12.17).
Threat Actor:
Likely an opportunistic threat actor abusing compromised legitimate email accounts to conduct phishing and malware distribution.
A phishing email impersonating a business collaboration opportunity delivered a URL leading to a RAR5 archive.
The archive contained a malicious executable disguised as marketing collateral:
Xiaomi_Presentation_Catalog_Advertising_and_Promo_Content.scr
Static malware analysis identifies the file as a trojan/loader capable of decrypting or dynamically loading additional payloads at runtime.
Email sent on Saturday, 4 October 2025 at 19:20:35 +0200 (UTC: 17:20:37)
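A triage helper for the delivery chain described in this report, added here as an example (it is not part of the original report): it parses a constructed .eml that reproduces the reported relay hops and sender, then flags the archive download and the document-named .scr member. The download host, the receiving mail server and its address are placeholders.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Extensions Windows will execute; a "catalog" or "presentation" ending in one is a red flag.
EXECUTABLE_EXTS = (".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta")
ARCHIVE_EXTS = (".rar", ".zip", ".7z", ".iso", ".img")
WATCHED_SENDER_DOMAINS = {"libero.it"}  # sender domains the report ties to compromised accounts
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Constructed .eml reproducing the report's relay hops and sender; the URL host is a placeholder.
SAMPLE_EML = """\
Received: from italiaonline.it (213.209.12.17) by mx.example.invalid (192.0.2.10)
Received: from oxapps-35-157.iol.local (10.101.8.203) by italiaonline.it (213.209.12.17)
From: chelsy198013@libero.it

https://download.example.invalid/Xiaomi_Presentation_Catalog_Advertising_and_Promo_Content.rar
"""
# Constructed archive listing; the member name is the one the report gives.
SAMPLE_ARCHIVE_MEMBERS = ["Xiaomi_Presentation_Catalog_Advertising_and_Promo_Content.scr"]

def received_chain(msg):
    """Return (host, ip) pairs from the Received headers, oldest hop first."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):  # each relay prepends, so reverse
        m = re.search(r"from\s+(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)", str(hdr))
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops

def flag_name(name):
    """Explain why a downloaded or archived file name is suspicious, or return None."""
    lower = name.lower()
    if lower.endswith(EXECUTABLE_EXTS):
        return f"executable extension on document-like name: {name}"
    if lower.endswith(ARCHIVE_EXTS):
        return f"archive download, inspect members: {name}"
    return None

def triage(raw_eml, archive_members=()):
    """Collect relay hops and indicator findings for one message plus its archive listing."""
    msg = message_from_string(raw_eml, policy=policy.default)
    findings = []
    domain = str(msg["From"] or "").rsplit("@", 1)[-1].strip().lower()
    if domain in WATCHED_SENDER_DOMAINS:
        findings.append(f"sender domain on watch list: {domain}")
    body = msg.get_body(preferencelist=("plain",))
    urls = URL_RE.findall(body.get_content()) if body else []
    names = [urlparse(u).path.rsplit("/", 1)[-1] for u in urls]
    findings += [r for r in map(flag_name, [*names, *archive_members]) if r]
    return {"hops": received_chain(msg), "findings": findings}
```

Run `triage(SAMPLE_EML, SAMPLE_ARCHIVE_MEMBERS)` to get the hop list and the three findings; pointing it at a real message and an archive listing from your unpacking tool is the only change needed for live triage.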