Aurora Campaign: Attacking Azerbaijan Using Multiple RATs
released on 2021-04-07 @ 06:44:32 PM
As tensions between Azerbaijan and Armenia continue, Malwarebytes Labs continues to see a number of cyber attacks that take advantage of this situation. On March 5th, 2021, Malwarebytes Labs reported an actor that used steganography to drop a new .NET Remote Administration Trojan. Since that time, Malwarebytes Labs has been monitoring this actor and was able to identify new activity where the threat actor switched their RAT from .NET to Python. The initial infection vector starts with a document that targets the government of Azerbaijan using a SOCAR letter template as a lure. SOCAR is the name of Azerbaijan’s Republic Oil and Gas Company.