Analysis and Detection of STEADY#URSA Attack Campaign Targeting Ukraine Military Dropping New Covert SUBTLE-PAWS PowerShell Backdoor

Released on 2024-02-02 at 03:14:34 PM

An interesting campaign leveraging a new PowerShell-based backdoor, SUBTLE-PAWS, has been identified targeting Ukraine. It follows stealthy tactics to evade detection and spreads by infecting USB drives. The malicious payload is delivered through compressed files, possibly via phishing emails. The exploitation chain involves the target executing a malicious shortcut file, which loads and executes the new PowerShell backdoor payload. While the initial execution is trivial, the campaign uses some complex late-stage execution and persistence methods. The backdoor establishes C2 communication, gathers system information, and spreads via USB drives. It relies on obfuscation, randomization, and environment awareness for stealth.