Quote:Symantec recently observed one of the largest agri-food exporters in Serbia being spoofed by a threat actor to target various organizations in the country. The malicious emails, written in Serbian (subject: Састанак за заказивање), have been crafted to appear as an invitation to set up a business appointment.

Attached to the email is a malicious .Z archive (Писмо састанка о именовању docx.z) – utilizing the Lempel-Ziv-Welch (LZW) compression algorithm. While this algorithm was commonly used in the past, it has been largely replaced by more efficient compression formats like .zip, .gzip, and .tar.gz. Nonetheless, Symantec continues to observe this type of archive being used by certain groups and individuals.

If users are successfully lured by this social engineering tactic and execute the malicious binary (Писмо састанка о именовању.docx.exe) within the archive, they'll end up running a NullSoft script-driven installer that will deploy a loader and an encrypted payload – Agent Tesla.