Proofpoint, the cybersecurity company credited with naming the tactic, had reported in June that the tactic is being increasingly used by threat actors, including the initial access broker TA571, to deliver malware like DarkGate, Matanbuchus, NetSupport, and various information stealers.
Faking Google Meet Conference errors
In the instances observed by Sekoia, threat actors were found using websites masquerading as the homepage of a Google Meet video conference. The sites displayed pop-up windows falsely indicating problems with the microphone and headset, Sekoia added.
The pop-up windows planted by the miscreants prompted users to fix the problems by pressing a combination of keys which ultimately resulted in the victims copying and pasting the malware code and running it on the command prompt.