New pastebin-like service used in multiple malware campaigns
released on 2020-10-07 @ 04:53:21 PM
Juniper Threat Labs identified several malware campaigns that rely on a pastebin-like service in their infection chains. The domain in question is paste.nrecom.net. The attacks usually start with a phishing email; when a user is tricked into executing the malware, it downloads the next stage from paste.nrecom.net and loads it into memory without writing it to disk.
Although using legitimate web services is not novel, this is the first time that we have seen threat actors use paste.nrecom.net. Among the malware we have identified are AgentTesla, LimeRAT, W3Cryptolocker Ransomware, and Redline Stealer.
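A hunting check for the domain named above, as an added example that is not part of the Juniper Threat Labs report: it scans web proxy log lines and lists the clients that requested paste.nrecom.net, matching on the parsed hostname so that look-alike hosts and query strings do not trigger it. The log layout (timestamp, client IP, method, target, status), the sample lines and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

INDICATOR = "paste.nrecom.net"  # domain named in the report

# Constructed sample proxy log: timestamp, client IP, method, target, status.
SAMPLE_LOG = """\
2020-10-07T10:01:02Z 10.0.0.15 GET http://paste.nrecom.net/constructed-path 200
2020-10-07T10:01:09Z 10.0.0.15 CONNECT PASTE.NRECOM.NET.:443 200
2020-10-07T10:02:30Z 10.0.0.22 GET http://paste.nrecom.net.example.org/x 200
2020-10-07T10:03:11Z 10.0.0.31 GET https://example.org/?q=paste.nrecom.net 200
2020-10-07T10:04:00Z 10.0.0.40 CONNECT notpaste.nrecom.net:443 200
truncated-line
""".splitlines()


def extract_host(target):
    """Return the lowercase hostname from a full URL or a CONNECT host:port target."""
    if "://" not in target:
        target = "//" + target  # lets urlsplit treat "host:port" as a netloc
    try:
        host = urlsplit(target).hostname or ""
    except ValueError:  # malformed target, e.g. unbalanced IPv6 brackets
        return ""
    return host.rstrip(".")  # drop the trailing dot of a fully qualified name


def matches_indicator(host):
    """True for the indicator itself or any subdomain of it, nothing else."""
    return host == INDICATOR or host.endswith("." + INDICATOR)


def hunt(lines):
    """Map each client IP to the timestamps of its requests to the indicator."""
    hits = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or truncated lines
        timestamp, client, _method, target = fields[:4]
        if matches_indicator(extract_host(target)):
            hits.setdefault(client, []).append(timestamp)
    return hits


if __name__ == "__main__":
    for client, seen in hunt(SAMPLE_LOG).items():
        print(client, "requested", INDICATOR, "at", ", ".join(seen))
```

Because the report says the downloaded stage is loaded into memory without being written to disk, network logs like these are one of the few places the retrieval leaves a record.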