According to the source, a previously unknown threat actor has emerged, targeting organizations in Pakistan with a multi-stage payload delivery chain. The attacker used an international naval conference as the lure to deceive potential victims.
The attacker opened the campaign with targeted phishing emails carrying a weaponized document that posed as an exhibitor manual for the conference. The document combined remote template injection with malicious Visual Basic for Applications (VBA) macro code to execute the next stage of the attack, which ultimately led to the final payload.
The final payload was an advanced espionage tool, delivered XOR-encrypted with the key "penguin". Notably, the HTTP response that serves it sets the Content-Disposition header's name parameter to "getlatestnews". Those two strings give the actor its name: NewsPenguin.
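The two delivery-stage indicators above are easy to turn into a triage check. The script below is an added example, not code from the original report. It assumes the encryption is a repeating-key XOR with the key `penguin` (the report gives the key, not the mode) and that the parameter of interest is `name="getlatestnews"` in the Content-Disposition header; the HTTP response it inspects is constructed, not captured traffic.

```python
"""Triage helpers for the NewsPenguin delivery stage.

Added example, not code from the original report. Assumes repeating-key XOR
with the key b"penguin" and a Content-Disposition name parameter of
"getlatestnews". The sample response below is constructed.
"""
from itertools import cycle

XOR_KEY = b"penguin"


def xor_decrypt(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; XOR is symmetric, so the same call also encrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check that a decrypted blob is a Windows executable."""
    return blob[:2] == b"MZ"


def parse_content_disposition(value: str) -> dict:
    """Split 'attachment; name="x"; filename="y"' into its parameters."""
    parts = [p.strip() for p in value.split(";")]
    params = {"disposition": parts[0].lower()}
    for part in parts[1:]:
        if "=" not in part:
            continue
        key, val = part.split("=", 1)
        params[key.strip().lower()] = val.strip().strip('"')
    return params


def is_newspenguin_response(headers: dict, body: bytes) -> bool:
    """Flag a response whose Content-Disposition name is getlatestnews and
    whose body XOR-decrypts with the assumed key to a PE image."""
    params = parse_content_disposition(headers.get("Content-Disposition", ""))
    if params.get("name") != "getlatestnews":
        return False
    return looks_like_pe(xor_decrypt(body))


# Constructed sample: a fake PE header XOR-encrypted with the assumed key.
SAMPLE_HEADERS = {
    "Content-Disposition": 'attachment; name="getlatestnews"; filename="update.dat"'
}
SAMPLE_BODY = xor_decrypt(b"MZ\x90\x00constructed-not-a-real-payload")


if __name__ == "__main__":
    print("parameters:", parse_content_disposition(SAMPLE_HEADERS["Content-Disposition"]))
    print("decrypted head:", xor_decrypt(SAMPLE_BODY)[:4])
    print("matches NewsPenguin delivery:", is_newspenguin_response(SAMPLE_HEADERS, SAMPLE_BODY))
```

The header check alone is a weak signal, since any server can emit that parameter; pairing it with a successful decrypt to a PE image keeps false positives down. If the real sample turns out to use a different XOR mode or key schedule, only `xor_decrypt` needs to change.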