SKYWATCH^SM ALERTS

Downloading and opening the malicious ZIP archive launched a series of scripts resulting in the system infected with malicious software including a Cobalt Strike beacon.

Opening the attachment resulted in VBScript code creating a scheduled task for persistence and a PowerShell script downloading the DolphinCape information stealer.

Multiple legitimate Microsoft Windows utilities were used to carry out the operation including cmd, BITSAdmin, PowerShell, wscript, and curl.

Organizations affected included governments, media outlets, military, suppliers, telecommunication companies, transportation authorities, financial institutions, and many others.

The initial file analyzed arrived as a Mach-o executable that performed discovery routines and writes malicious code to files with a doc extension. 
The malware continues the malicious activity by enabling macros and retrieving additional payloads from decrypted URLS.