isc.sans.edu 2/27/2026, 2:29:03 PM · via preferred

FedEx phishing delivers DonutLoader style backdoor via PowerShell


A FedEx-themed phishing email delivers its malware payload in an attached archive named fedex_shipping_document.7z. The archive contains a Windows batch script (.bat), also named fedex_shipping_document.7z, whose SHA256 is a02d54db4ecd6a02f886b522ee78221406aa9a50b92d30b06efb86b9a15781f5.

The script persists through a Run key and sets environment variables in a non-standard way, including a variable named !contract and the path %APPDATA%\\Rail\\EXPRESSIO[.]cmd. With setlocal enableDelayedExpansion in effect, variables are referenced as !name! rather than %name%, so simple searches for %..% patterns miss them.

A Base64-encoded PowerShell payload embedded in the script is extracted with a regular expression, decoded, and piped to a second PowerShell instance. That stage decrypts further data into shellcode, which is injected into the explorer process and executed in a new thread. The shellcode connects to the C2 server at 204.10.160[.]190:7003; the activity is described as typical of DonutLoader, with the threat actor relying on delayed expansion and anti-sandboxing elements.
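As an added, defender-side example (not code from the diary or from the script it analyses): a small Python scanner run over a constructed batch snippet that mirrors the tricks described above. It resolves !var! references from the script's own set lines, so a search for "powershell" succeeds even though the raw text never spells the word, flags the Run-key and %APPDATA% persistence markers, and decodes any long Base64 blob as PowerShell's UTF-16LE -EncodedCommand input. The sample script, its variable names and the harmless encoded command are all constructed.

```python
import base64
import re

# Constructed sample (not the real script): delayed expansion, !var! indirection that
# splits the interpreter name, a Run-key persistence line and a Base64 blob handed to
# PowerShell. The blob only carries a harmless Write-Output.
ENCODED = base64.b64encode("Write-Output 'hello'".encode("utf-16-le")).decode()
SAMPLE_BAT = f"""@echo off
setlocal enableDelayedExpansion
set "contract=pow"
set "rail=ershell"
reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Rail /t REG_SZ /d "%APPDATA%\\Rail\\EXPRESSIO.cmd" /f
!contract!!rail! -w hidden -e {ENCODED}
"""

SET_RE = re.compile(r'^\s*set\s+"?([A-Za-z_]\w*)=([^"\r\n]*)"?', re.I | re.M)
BANG_RE = re.compile(r"!([A-Za-z_]\w*)!")          # delayed-expansion reference
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # long Base64 run
RUNKEY_RE = re.compile(r"\\CurrentVersion\\Run\b", re.I)

def expand_delayed(text: str) -> str:
    """Substitute !name! with the value from the script's own set lines."""
    env = {m.group(1).lower(): m.group(2) for m in SET_RE.finditer(text)}
    return BANG_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), text)

def decode_blob(blob: str) -> str:
    """Decode a Base64 blob; -EncodedCommand input is UTF-16LE (odd bytes are NUL)."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")

def scan_batch(text: str) -> dict:
    expanded = expand_delayed(text)
    return {
        "delayed_expansion": bool(re.search(r"setlocal\s+enabledelayedexpansion", text, re.I)),
        "bang_vars": sorted(set(BANG_RE.findall(text))),
        "run_key_persistence": bool(RUNKEY_RE.search(text)),
        "appdata_path": bool(re.search(r"%APPDATA%", text, re.I)),
        "powershell_raw": "powershell" in text.lower(),        # what a naive grep sees
        "powershell_expanded": "powershell" in expanded.lower(),  # after resolving !var!
        "decoded_blobs": [decode_blob(b) for b in B64_RE.findall(text)],
    }

if __name__ == "__main__":
    for key, value in scan_batch(SAMPLE_BAT).items():
        print(f"{key}: {value}")
```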

The diary presents this as a real-world example of a phishing delivery that combines credential-reaping, PowerShell staging, and shellcode execution to establish a backdoor, activity commonly linked to XWorm-style behaviour.


Article by CyberSIXT