Threat actors use copyright infringement phishing lure to deploy infostealers
Description

Cisco Talos has observed an unknown threat actor conducting a phishing campaign targeting Facebook business and advertising account users in Taiwan. The decoy email and fake PDF filenames are designed to impersonate a company's legal department in an attempt to lure the victim into downloading and executing malware. The campaign abuses Google's Appspot[.]com domains, a URL-shortening service and Dropbox to deliver an information stealer onto the target's machine while evading network security products. Talos also observed the threat actor using multiple techniques to evade antivirus detection and sandbox analysis, such as code obfuscation, shellcode encryption, hiding malicious code in resource data to inflate the file size to over 700 MB, and embedding the LummaC2 or Rhadamanthys information stealers into legitimate binaries.

Phishing email campaign targets Taiwan

Talos observed an unknown threat actor conducting a malicious phishing campaign targeting victims in Taiwan since at least July 2024. The campaign specifically targets victims whose Facebook accounts are used for business or advertising purposes. The initial vector of the campaign is a phishing email containing a malware download link. The phishing email uses traditional Chinese in the decoy templates and the fake PDF files, suggesting the targets are likely traditional Chinese speakers. Some of the fake PDF filenames we observed during our analysis are:

IMAGE COPYRIGHTED.exe
[Redacted] 的影片內容遭到侵犯版權.exe (translates…
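The resource-padding trick described above (inflating a binary past 700 MB so size-limited scanners and sandboxes skip it) leaves a simple structural footprint: the `.rsrc` section dominates the on-disk file. The following is an added example, not Talos's code or tooling, of a detection heuristic that walks the PE section table with the standard library and flags oversized, resource-dominated files. The thresholds and the hand-built sample PE are assumptions constructed for illustration.

```python
import struct

# Assumed heuristic thresholds (not from the Talos report): flag a file that is
# larger than min_size and whose .rsrc section accounts for most of that size.
DEFAULT_MIN_SIZE = 100 * 1024 * 1024   # 100 MB
DEFAULT_MIN_RATIO = 0.9

def parse_sections(data: bytes):
    """Walk the PE section table; return [(name, SizeOfRawData, PointerToRawData)]."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER starts here
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                 # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_size, raw_ptr))
    return sections

def resource_ratio(data: bytes) -> float:
    """Fraction of the on-disk file occupied by .rsrc section data."""
    rsrc = sum(size for name, size, _ in parse_sections(data) if name == ".rsrc")
    return rsrc / len(data) if data else 0.0

def is_resource_bloated(data: bytes, min_size=DEFAULT_MIN_SIZE, min_ratio=DEFAULT_MIN_RATIO) -> bool:
    """True when the file is both large and almost entirely resource data."""
    return len(data) >= min_size and resource_ratio(data) >= min_ratio

def _section_header(name, size, raw_ptr):
    # Characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
    return struct.pack("<8sIIIIIIHHI", name, size, raw_ptr * 8, size, raw_ptr, 0, 0, 0, 0, 0x40000040)

def build_sample_pe(rsrc_size: int) -> bytes:
    """Constructed minimal PE32 (not a real binary): headers, a 512-byte .text, a .rsrc of rsrc_size."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections, 0xE0 opt hdr
    table = _section_header(b".text", 0x200, 0x200) + _section_header(b".rsrc", rsrc_size, 0x400)
    headers = dos + b"PE\0\0" + coff + b"\0" * 0xE0 + table
    headers += b"\0" * (0x400 - len(headers))                       # pad headers + .text to 0x400
    return headers + b"\0" * rsrc_size

if __name__ == "__main__":
    bloated, benign = build_sample_pe(0x10000), build_sample_pe(0x200)
    print(f"bloated: ratio={resource_ratio(bloated):.3f} flagged={is_resource_bloated(bloated, min_size=60_000)}")
    print(f"benign:  ratio={resource_ratio(benign):.3f} flagged={is_resource_bloated(benign, min_size=1_000)}")
```

On real samples, read the file bytes and pass them to `is_resource_bloated` with the defaults; the lowered `min_size` in the demo exists only so the small constructed samples trigger the check.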
