A recent spear-phishing campaign uses Pegasus spyware-related baits to persuade users to open a malicious document and download a file stealer. The NSO Group’s spyware spurred a collaborative investigation that found it was being used to target high-ranking individuals in 11 different countries; the phishing emails have been linked to Confucius, an advanced persistent threat (APT) group thought to be state-sponsored and to have pro-India ties. First detected in 2013, Confucius has been linked to attacks against government entities in Southeast Asia, as well as targeted strikes against Pakistani military personnel, Indian election officials, and nuclear agencies.
The campaign uses a two-step attack. In the first phase, the recipient receives an email that carries no malicious payload and contains material plagiarised from a genuine Pakistani newspaper article. The spoofed sender address (firstname.lastname@example.org) impersonates the Pakistani Armed Forces’ Public Relations Department.
Two days later, a second email is sent to the target, purporting to be a warning from the Pakistani military about the Pegasus spyware and including a cutt.ly link to a malicious encrypted Word document together with the password for decrypting it. The sender address (email@example.com) is a spoof of the first email’s sender address.
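The two-step pattern described above (a link-free rapport-building email, followed within days by a message from the same sender that carries a URL-shortener link and the password for an encrypted attachment) can be correlated in mail logs. The following Python is an added illustration, not code from the report or from any vendor; the sample messages, sender addresses, dates and the non-cutt.ly shortener domains are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# cutt.ly is the shortener named in the report; the other domains are assumed.
SHORTENER_DOMAINS = {"cutt.ly", "bit.ly", "tinyurl.com"}
PASSWORD_HINT = re.compile(r"\bpassword\b", re.IGNORECASE)
URL_HOST = re.compile(r"https?://([^/\s]+)")

# Constructed sample mailbox records (not real traffic).
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "pr@spoofed-sender.test", "to": "target@victim.test",
     "ts": datetime(2021, 8, 1, 9, 0),
     "body": "Sharing a newspaper article on regional developments. Regards."},
    {"id": "m2", "from": "pr@spoofed-sender.test", "to": "target@victim.test",
     "ts": datetime(2021, 8, 3, 10, 0),
     "body": "Advisory on Pegasus spyware: https://cutt.ly/xxxxxxx "
             "The document is encrypted; the password is Advisory2021."},
    {"id": "m3", "from": "colleague@victim.test", "to": "target@victim.test",
     "ts": datetime(2021, 8, 3, 11, 0),
     "body": "Meeting minutes: https://intranet.victim.test/minutes.docx"},
]


def find_two_step_lures(messages, window_days=3):
    """Return IDs of messages that contain a URL-shortener link plus a password
    hint AND were preceded, within window_days, by a link-free email from the
    same sender to the same recipient (the rapport-building first step)."""
    flagged = []
    for msg in messages:
        hosts = URL_HOST.findall(msg["body"])
        if not hosts or not PASSWORD_HINT.search(msg["body"]):
            continue
        if not any(h.lower() in SHORTENER_DOMAINS for h in hosts):
            continue
        # Correlate with an earlier, link-free message from the same sender.
        for prior in messages:
            if (prior["from"] == msg["from"] and prior["to"] == msg["to"]
                    and prior["ts"] < msg["ts"]
                    and msg["ts"] - prior["ts"] <= timedelta(days=window_days)
                    and not URL_HOST.search(prior["body"])):
                flagged.append(msg["id"])
                break
    return flagged


if __name__ == "__main__":
    print(find_two_step_lures(SAMPLE_MESSAGES))  # ['m2']
```

A shortener link or a password hint on its own is common in legitimate mail, so the correlation with a prior link-free message from the same sender is what keeps the rule's false-positive rate manageable.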