I am seeing changes to the password-protected Word docs campaign we have been seeing for ages. I am not sure what malware payload we are getting today. It looks different to all the usual previous ones. Last week they changed from Nymaim to IceD. They frequently use some sort of ransomware. But this looks different again today. I am pretty sure it is IceD (BOKBot) from the naming convention of the C2 URL, using .PW domains. However, this is not a well-known URL to AV companies. Normally the subjects are either invoices or resumes / job applications.