Then last year, Trustwave SpiderLabs revealed details of another phishing campaign targeting the same region with malicious payloads which it said exhibits similarities with that of Horabot malware.

The latest set of attacks starts with a phishing email that employs invoice-themed lures to entice users into opening a ZIP archive containing a PDF document. However, in reality, the attached ZIP file contains a malicious HTML file with Base64-encoded HTML data that’s designed to reach out to a remote server and download the next-stage payload.