The Windows executable contained malevolent code with the authentic files from a legitimate stock investment application program. ESTsecurity researchers demonstrated two manners by which the assailants influence the "XSL Script Processing" method. Inside the authentic installer of the stock investment platform, aggressors infused explicit orders that got a malignant XSL content from a maverick FTP server and executed it on Windows systems employing the in-built wmic.exe utility. 

The subsequent installer, repackaged with Nullsoft's NSIS, would give off the impression as though the client was installing the genuine stock investment application while discreetly sliding the malicious contents out of sight. The following phase of assault executes a VBScript to make documents and folders named 'OracleCache', 'PackageUninstall', and 'USODrive' among others in the %ProgramData% index. The payload at that point interfaces with the command-and-control (C2) server facilitated on frog.smtper[.]co to get extra commands. By making a maverick scheduled task called activate under a deceptive directory 'Office 365__\Windows\Office', the malware accomplishes continuity by instructing Windows Scheduler to run the dropped code every 15 minutes. These criminals observe the tainted system and after an initial screening, deployed a Remote Access Trojan (RAT) on the machine.

ESTsecurity researchers additionally noticed Microsoft Office documents, for example, Excel spreadsheets that contained macros were disturbing the previously mentioned XSL script payload. "ESRC is focusing on the way that the Thallium association is utilizing the 'XSL Script Processing' method not just in spear-phishing assaults dependent on noxious documents, yet besides for niche assaults including supply chain assaults," experts at ESTsecurity further said.