https://jh.live/panther || Close the loop in your security operations center with Panther! You can unify the data pipeline and detection engine in a complete AI SOC platform to scale your team's expertise: https://jh.live/panther

Learn Cybersecurity and more with Just Hacking Training: https://jh.live/training
See what else I'm up to with: https://jh.live/newsletter

ℹ️ Resources:
See what cybersecurity events are happening: https://jh.live/infosecmap
Learn how to code with CodeCrafters: https://jh.live/codecrafters
Host your own VPN with OpenVPN: https://jh.live/openvpn
Get Blue Team Training and SOC Analyst Certifications with CyberDefenders: https://jh.live/cyberdefense

John Hammond

A phishing campaign abused Zoom Docs to deliver a fake IRS tax document lure during tax season. Clicking through led to a spoofed IRS site that downloaded a JScript file instead of a PDF. The malware, likely AI-generated, uses WScript to request admin privileges via UAC, disables Windows SmartScreen via registry edits, then downloads and installs ScreenConnect (ConnectWise) as a remote access trojan with a hardcoded attacker IP. The analysis walkthrough covers deobfuscation using tools like DE4JS, WebCrack, and ChatGPT/AI assistance to rename variables, ultimately revealing a ~360-line JScript stager with an embedded PowerShell script. ScreenConnect accounts for 72% of RMM abuse in 2025 and is frequently used as C2 infrastructure by threat actors.

FAKE Zoom Taxes MALWARE