Intel Name: Stealth in layers: unmasking the loader used in targeted email campaigns
Date of Scan: December 25, 2025
Impact: Medium
Summary: Our labs are tracking a sophisticated commodity loader used by multiple advanced threat actors. The campaign shows strong regional and sector focus, targeting manufacturing and government entities; affected regions include Italy, Finland, and Saudi Arabia. Attackers use multiple infection vectors, such as weaponized Office files, malicious SVGs, and ZIP archives containing LNK shortcuts. All delivery methods converge on a single, unified loader that relies on steganography and trojanized open-source libraries to evade detection. Using emails disguised as purchase orders as the lure, the campaign deploys RATs and infostealers through a four-stage evasion framework.