Safety researchers at Seqrite Labs have recognized a marketing campaign referred to as Operation IconCat, focusing on Israeli organizations with weaponized paperwork designed to appear like reputable safety instruments.
The assaults started in November 2025 and have compromised a number of corporations throughout data expertise, staffing companies, and software program growth sectors.
The core of this assault depends on a psychological trick: risk actors create faux paperwork that mimic trusted antivirus distributors like Test Level and SentinelOne.
When victims open these disguised recordsdata, they unknowingly obtain dangerous malware hidden behind a well-known model title.
The marketing campaign demonstrates how social engineering mixed with technical sophistication can bypass conventional safety defenses.
Marketing campaign – I (Supply – Seqrite)
Two distinct assault chains make up Operation IconCat. Each use comparable ways however deploy totally different malware variants.
Marketing campaign – II (Supply – Seqrite)
The primary chain focuses on document-based supply utilizing PDF recordsdata, whereas the second makes use of Phrase paperwork with hidden programming code.
Seqrite analysts recognized the malware after the second paragraph by analyzing suspicious file uploads from Israel dated November 16 and 17, 2025.
The primary assault wave entails a PDF file named assist.pdf that presents itself as a Test Level safety scanner handbook.
The doc instructs customers to obtain a software referred to as “Safety Scanner” from Dropbox, protected with the password “cloudstar.” Contained in the file lies detailed directions on learn how to run safety scans, full with authentic-looking screenshots.
This PDF serves because the entry level for deploying PYTRIC, a Python-based malware packaged utilizing PyInstaller expertise.
Regarding capabilities
PYTRIC carries regarding capabilities past typical malware habits. Evaluation reveals it comprises capabilities designed to scan recordsdata throughout all the system, test for administrator privileges, and carry out devastating actions comparable to erasing system knowledge and deleting backups.
The malware communicates by a Telegram bot named Backup2040, permitting attackers to manage contaminated machines remotely. This mix suggests the risk actors intend not simply to steal data, however to destroy it solely.
The second marketing campaign follows the same sample however with a Rust-based implant referred to as RUSTRIC. A spear-phishing electronic mail impersonates L.M. Group, a reputable Israeli human assets firm, utilizing the spoofed area l-m.co.il.
The e-mail attachment comprises a corrupted Phrase doc with hidden macros that extract and execute the ultimate payload.
RUSTRIC demonstrates superior reconnaissance capabilities, checking for the presence of 28 totally different antivirus merchandise, together with Fast Heal, CrowdStrike, and Kaspersky.
As soon as executed by way of Home windows Administration Instrumentation, it runs system instructions to establish the contaminated pc and set up connections to attacker-controlled servers.
Safety groups ought to deal with these campaigns as high-priority threats requiring instant investigation and remediation efforts.
Observe us on Google Information, LinkedIn, and X to Get Extra Instantaneous Updates, Set CSN as a Most popular Supply in Google.
