isc.sans.edu 4/10/2026, 8:01:20 AM · via preferred

Phishing RAR Spreads Obfuscated JS to Install Formbook

A SANS ISC diary reports a phishing email delivering obfuscated JavaScript via a RAR archive, containing a file named cbmjlzan[.]JS (SHA256:a8ba9ba93b4509a86e3d7dd40fd0652c2743e32277760c5f7942b788b74c5285) that is deemed malicious by 15 AV engines on VirusTotal. The 10‑MB script is Windows‑flavoured JavaScript using ActiveXObject, Microsoft[.]XMLDOM and ADODB[.]Stream, and it self‑copies to a public path while creating a scheduled task for persistence.

It drops three files in C:\Users\Public—Brio[.]png, Orio[.]png and Xrio[.]png—used by a PowerShell stage that decrypts embedded data and executes further code. The PowerShell decrypts data from Xrio[.]png with AES CBC and PKCS7, then decrypts Orio[.]png to extract a PE file (SHA256:53c3e0f8627917e8972a627b9e68adf9c21966428a85cb1c28f47cb21db3c12b), a .Net DLL subsequently injected into MSBuild[.]exe to run a Formbook payload.

The diary notes techniques for evading detection, including patching EtwEventWrite and AmsiScanBuffer, and provides multiple source links alongside a published date of 9 April 2026 and a last update on 10 April 2026 06:40:46 UTC.
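As an added triage example (not code from the SANS ISC diary or from CyberSIXT), the block below turns the two parts of the chain summarised above into host-side checks a responder could run: first, files under a public drop directory that carry a .png name but no PNG header (the diary describes encrypted stages stored under image names; that such files lack a valid PNG signature is an assumption of this example), and second, process-creation telemetry where a script host launches PowerShell which in turn launches MSBuild.exe, the injection target named in the diary. The file names, process ids and event records are constructed for the example.

```python
"""Triage helpers for a script-to-PowerShell-to-MSBuild delivery chain.

Added example, not the diary's own code. Sample files and telemetry are
constructed here so the module runs offline.
"""
import os
import tempfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # first eight bytes of every PNG file
MZ_MAGIC = b"MZ"                   # DOS header that opens a PE file


def classify_image_file(path):
    """Return 'png', 'pe' or 'unknown' from the file's leading bytes."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(PNG_MAGIC):
        return "png"
    if head.startswith(MZ_MAGIC):
        return "pe"
    return "unknown"


def find_fake_images(directory):
    """List .png files in `directory` whose content is not a PNG image.

    Assumption: staged payloads written under image names do not carry a
    real PNG header, so a mismatch between extension and magic is the signal.
    """
    suspicious = []
    for name in sorted(os.listdir(directory)):
        if not name.lower().endswith(".png"):
            continue
        kind = classify_image_file(os.path.join(directory, name))
        if kind != "png":
            suspicious.append((name, kind))
    return suspicious


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def detect_script_to_msbuild(events):
    """Return pids of MSBuild.exe whose ancestry is script host -> powershell.exe.

    `events` is a list of dicts with keys pid, ppid, image (process name).
    An MSBuild.exe launched by an IDE or a build agent does not match.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["image"].lower() != "msbuild.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or parent["image"].lower() != "powershell.exe":
            continue
        grandparent = by_pid.get(parent["ppid"])
        if grandparent is not None and grandparent["image"].lower() in SCRIPT_HOSTS:
            hits.append(e["pid"])
    return hits


# Constructed process telemetry: one chain matching the diary's description
# and one benign MSBuild.exe started from an IDE that must not be flagged.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "wscript.exe"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe"},
    {"pid": 400, "ppid": 300, "image": "MSBuild.exe"},
    {"pid": 500, "ppid": 100, "image": "devenv.exe"},
    {"pid": 600, "ppid": 500, "image": "MSBuild.exe"},
]


def demo():
    """Create a temporary drop directory with constructed files, run both checks."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "real.png"), "wb") as fh:
        fh.write(PNG_MAGIC + b"\x00" * 16)           # genuine PNG header
    with open(os.path.join(tmp, "dropped1.png"), "wb") as fh:
        fh.write(MZ_MAGIC + b"\x90" * 62)            # PE content under an image name
    with open(os.path.join(tmp, "dropped2.png"), "wb") as fh:
        fh.write(b"\x13\x37" * 16)                   # opaque bytes, e.g. ciphertext
    return find_fake_images(tmp), detect_script_to_msbuild(SAMPLE_EVENTS)


if __name__ == "__main__":
    fake_images, msbuild_hits = demo()
    print("extension/magic mismatches:", fake_images)
    print("MSBuild.exe pids with script-host ancestry:", msbuild_hits)
```

The magic-byte check is deliberately cheap so it can be pointed at a whole directory such as C:\Users\Public; the process check relies only on pid/ppid/image fields, which any endpoint telemetry exposing process creation (Sysmon event 1, Security event 4688 with parent information) can supply.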

Article by CyberSIXT