
Threat Awareness – PureCrypter Malware Downloader Leads to Ransomware and Other Malicious Activity

Created: Tuesday, February 28, 2023 - 14:11
Categories: Cybersecurity

An unknown threat actor is utilizing the PureCrypter malware downloader to infect government organizations with information stealers and various ransomware strains, according to researchers at Menlo Security.

According to the researchers, the observed PureCrypter campaign has targeted multiple government organizations in North America and the Asia-Pacific region. The threat actor abuses Discord to host the initial payload and also compromised a non-profit organization to host additional infrastructure used in the campaign. “The campaign was found to have delivered several types of malware including Redline Stealer, AgentTesla, Eternity, Blackmoon and Philadelphia Ransomware,” the researchers note. The attack chain begins with an email that leads to a PureCrypter sample in a password-protected ZIP archive. When executed, PureCrypter (in this observed attack) downloads the AgentTesla backdoor malware, which allows the attackers to conduct further malicious activity on the compromised device or network. Access the full report at Menlo Security here or read a related article at BleepingComputer.