
In June 2026, we analysed a malware campaign distributed through Italian-language phishing emails. The message pretended to deliver an invoice and used the subject Fattura #2818999851.
The victim was shown what looked like a PDF document. The downloaded file was instead an obfuscated Windows JavaScript file named Fattura-2819889242.pfd.js. The unusual pfd.js ending was likely intended to look similar to .pdf at a quick glance.
The most interesting part of this infection was not the initial JavaScript. The malware installed a malicious Google Chrome extension and paired it with a Native Messaging Host. This combination allowed code running inside Chrome to request PowerShell commands on the Windows system.
An extension normally cannot start local programs. Native Messaging changed that security boundary.
Continua a leggere




















