Threat actor TA505 has been seen targeting financial sectors with the help of the backdoor MirrorBlast. The malware is delivered via phishing email which contains a malicious link and a weaponized excel document. The malware seem to have very low detection due to its lightweight macro embedded in its Excel files which makes it even harder to detect the malware. The current campaign has made early inroads from September and started to push their targets from South American region to different continents. Recent activity suggests that the campaign has shifted their targets to North America and have been targeting financial sector in that region.