Recent attacks on European organizations

Deceptive Bytes’ research team detected in recent days a wave of attacks on European organizations. While the attacks are not that sophisticated, they employ social engineering to make users run a WSF script file from a ZIP file. The script compromises the system and downloads a second-stage payload using a PowerShell script that runs via a shortcut file, to mask the origin of the execution.

An example of a WSF payload

As seen, the shortcut’s target executable is PowerShell (in red), which is used to download the second payload. The URL (in orange) is written in reverse, as the script uses VBScript’s StrReverse function (in blue) to reverse the payload. The script then uses the saved shortcut to call the payload.
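A static triage check for the pattern described above, as an added example (not Deceptive Bytes’ code and not the original payload): it restores string literals passed to StrReverse and flags scripts that combine shortcut creation, PowerShell and a URL that a plain URL scan would miss. The sample script, the example.invalid URL and all function names are constructed for illustration.

```python
import re

# Constructed, inert sample mimicking the pattern described above (not the real payload).
SAMPLE_WSF = '''<job><script language="VBScript">
Set lnk = CreateObject("WScript.Shell").CreateShortcut("doc.lnk")
lnk.TargetPath = "powershell.exe"
lnk.Arguments = StrReverse("tset/dilavni.elpmaxe//:sptth")
lnk.Save
</script></job>'''

# StrReverse("literal"); VBScript escapes a quote inside a literal as "".
STRREV_LITERAL = re.compile(r'StrReverse\s*\(\s*"((?:[^"]|"")*)"\s*\)', re.I)
STRREV_ANY = re.compile(r'StrReverse\s*\(', re.I)
URL = re.compile(r'(?:https?|ftp)://[^\s"\'<>)]+', re.I)

def decode_strreverse(text):
    """Return each string literal passed to StrReverse, restored to reading order."""
    return [m.group(1).replace('""', '"')[::-1] for m in STRREV_LITERAL.finditer(text)]

def triage_wsf(text):
    """Static triage of WSF/VBScript source; nothing is executed."""
    decoded = decode_strreverse(text)
    searchable = [text] + decoded
    report = {
        "creates_shortcut": re.search(r'\bCreateShortcut\b', text, re.I) is not None,
        "references_powershell": any(re.search('powershell', s, re.I) for s in searchable),
        "visible_urls": URL.findall(text),  # what a naive URL scan would see
        "hidden_urls": [u for d in decoded for u in URL.findall(d)],
        # StrReverse on a variable or expression cannot be resolved statically.
        "unresolved_strreverse": len(STRREV_ANY.findall(text)) - len(decoded),
    }
    report["suspicious"] = (report["creates_shortcut"] and report["references_powershell"]
                            and bool(report["hidden_urls"] or report["unresolved_strreverse"]))
    return report

if __name__ == "__main__":
    for key, value in triage_wsf(SAMPLE_WSF).items():
        print(f"{key}: {value}")
```
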

How Deceptive Bytes prevents such attacks

Deceptive Bytes’ platform blocks all unapproved scripts, reducing the attack surface on computers and servers in the enterprise.

Here’s a screenshot from one of our customers


SHA2-256 hashes (fiscale.wsf)




Compromised URLs




We suggest informing employees of these types of attacks and the way attackers engineer their emails to make users open such files. This would help reduce possible infections in unprotected environments.

