Lampion malware reappears in phishing attacks that use WeTransfer

Lampion malware has been spreading in greater numbers recently, with threat actors using WeTransfer as part of their phishing campaigns.

Lampion operators are sending phishing emails from compromised company accounts, urging users to download a “Proof of Payment” document from WeTransfer.

The file sent to the targets is a ZIP archive containing a VBS (Visual Basic Script) file that the victim must run for the attack to begin.

The Lampion trojan has been active since at least 2019, primarily targeting Spanish-speaking users. For the first time in 2021, Lampion was seen abusing cloud services to host malware.

The authors of Lampion are actively attempting to make their malware more difficult to analyse by adding more obfuscation layers and junk code.
