The attack proceeds as follows: posing as a customer, the threat actor opens a chat with a service representative of a gaming website and asks the person on the other end to open a screenshot image hosted on Dropbox. Security Joes stated that the threat actor is “well-aware of the fact that the customer service is human-operated.”
If the victim runs the VBS downloader, the infection results in the deployment of Houdini, a VBS-based remote access trojan from 2013. Though their origins are still unclear, it has been noted that the threat actors speak with customer service representatives in poor English. MalwareHunterTeam previously disclosed certain indicators of compromise (IoCs) related to the campaign in October 2022.