Security researchers in South Korea are warning of two active phishing campaigns targeting Korean companies with commodity malware, using fake payment confirmations and project proposals to trick staff into infecting their own machines.
The AhnLab Security Intelligence Center (ASEC) documented both waves. One delivers the Remcos remote access trojan, which hands attackers full control of a PC; the other drops Snake Keylogger, an infostealer that harvests passwords and keystrokes. Both impersonate routine business correspondence to lower the recipient's guard.
The payment-confirmation lure
In the first campaign, emails posing as payment confirmation notices from a Korean company carry a malicious Excel file. Opening it displays a convincing decoy slip, but the document quietly exploits CVE-2017-0199, a remote code execution flaw in how Microsoft Office handles embedded OLE objects. That reaches out to a server and pulls down an HTA file, which runs an obfuscated PowerShell script. In a notable twist, the script downloads a PNG image with a .NET loader hidden inside it using steganography, decodes it in memory, and launches Remcos. The trojan then logs keystrokes, captures the screen and exfiltrates files to its operator.
The project-proposal lure
The second wave arrives as a compressed archive said to contain a business proposal. Inside is JavaScript malware that runs PowerShell to decrypt and execute Snake Keylogger entirely in memory, never writing the payload to disk. The stealer then ships browser data, system details and captured keystrokes back out over SMTP email and Telegram.
Why it matters
Neither tool is new, but both campaigns lean on fileless, living-off-the-land techniques that slip past basic defences, and the first still succeeds using a Microsoft Office bug that was patched back in 2017. That points to unpatched Office installs and weak attachment handling as the real exposure. The pattern echoes other regional phishing operations such as the shortcut-file lures aimed at South Korea and the steady stream of remote-access trojan campaigns IntelFusions tracks.
What to do
Verify sender domains before opening attachments, be wary of Office files and archives from unexpected business emails, and make sure Microsoft Office is fully patched so CVE-2017-0199 can no longer fire. Blocking or closely monitoring script hosts such as .hta and .js execution will also blunt both chains.
Indicators (defanged)
Remcos chain: HTA host hxxp://144[.]172[.]104[.]196/35/, steganographic PNG at blue-paper-f69f[.]acrypters[.]workers[.]dev, and Remcos C2 at guhudeolokghguhumandeylikebroemdfhhfhsjj[.]duckdns[.]org:4087. Snake Keylogger exfiltration: SMTP server mail[.]trimnt[.]com sending to keishstanford5[at]gmail[.]com.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.