Researchers discovered a unique reflective loader attack. The email, possibly part of a malspam campaign, is delivered to the potential victim's inbox with a malicious attachment. When the victim opens the attachment, the VBS code connects to a remote website to retrieve an archive file, following a number of 302 redirects along the way. The ZIP archive is hosted on OneDrive and contains another VBS file, which the original script extracts and saves to disk. The second script then creates three registry blobs and a scheduled task that runs the downloaded code at some point in the future. When the scheduled task fires, the VBS file launches PowerShell, writes its output to the system clipboard, and pastes the clipboard content into the PowerShell window as commands. This write-then-paste via the clipboard may be an attempt to evade security products, since PowerShell is never invoked with a suspicious command line. The PowerShell session retrieves a .NET decoder executable from one of the registry blobs and injects it into a system process. That code then retrieves the other two blobs and injects them as well; one of these two blobs is the payload, MoDi RAT.
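The chain above leaves several host-level traces that can be correlated even though the PowerShell command line looks benign: a script host writing multiple large registry values, the same script host registering a scheduled task, and PowerShell spawned by that script host with no arguments. The following is an added detection sketch, not code from the original report; the Sysmon-style event records, field names, host names, registry paths and the 50 KB blob threshold are all constructed for illustration.

```python
"""Added example: correlate constructed Sysmon-style telemetry (EventID 1 =
process create, 13 = registry value set) against the VBS -> registry blobs ->
scheduled task -> bare PowerShell pattern described above."""
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed sample events; every value here is made up for this example.
EVENTS = [
    {"id": 1, "host": "ws1", "image": "wscript.exe", "parent": "outlook.exe",
     "cmd": r'wscript.exe "C:\Users\u\AppData\Local\Temp\invoice.vbs"'},
    {"id": 13, "host": "ws1", "image": "wscript.exe", "key": r"HKCU\Software\x\b1", "size": 180000},
    {"id": 13, "host": "ws1", "image": "wscript.exe", "key": r"HKCU\Software\x\b2", "size": 95000},
    {"id": 13, "host": "ws1", "image": "wscript.exe", "key": r"HKCU\Software\x\b3", "size": 64000},
    {"id": 1, "host": "ws1", "image": "schtasks.exe", "parent": "wscript.exe",
     "cmd": r"schtasks /Create /TN Upd /SC ONCE /ST 09:00 /TR wscript.exe C:\t\s.vbs"},
    {"id": 1, "host": "ws1", "image": "powershell.exe", "parent": "wscript.exe",
     "cmd": "powershell.exe"},                       # no script, no -enc: bare window
    # Benign admin activity on another host; must not trigger the chain verdict.
    {"id": 1, "host": "ws2", "image": "powershell.exe", "parent": "explorer.exe",
     "cmd": r"powershell.exe -File C:\ops\backup.ps1"},
]


def loader_chain_indicators(events, blob_bytes=50_000, min_blobs=3):
    """Map host -> sorted list of indicator names observed on that host."""
    hits = defaultdict(set)
    blobs = defaultdict(int)  # large registry writes by a script host, per host
    for e in events:
        image, host = e["image"].lower(), e["host"]
        if e["id"] == 13 and image in SCRIPT_HOSTS and e["size"] >= blob_bytes:
            blobs[host] += 1
        elif e["id"] == 1 and e["parent"].lower() in SCRIPT_HOSTS:
            cmd = e["cmd"].lower()
            if image == "schtasks.exe" and "/create" in cmd:
                hits[host].add("task_from_script_host")
            # A single token means PowerShell was started with no arguments at all,
            # consistent with commands arriving via clipboard paste rather than argv.
            if image == "powershell.exe" and len(cmd.split()) == 1:
                hits[host].add("bare_powershell_from_script_host")
    for host, n in blobs.items():
        if n >= min_blobs:
            hits[host].add("registry_blobs")
    return {h: sorted(s) for h, s in hits.items()}


def chain_hosts(events):
    """Hosts where all three indicators co-occur, i.e. the full described chain."""
    return sorted(h for h, s in loader_chain_indicators(events).items() if len(s) == 3)
```

Because the pasted commands never appear in process-creation telemetry, pair this correlation with PowerShell script block logging, which records the executed content regardless of how it reached the console.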