incident
MULTI#STORM Campaign Uses Python Loader Masquerading as OneDrive to Drop Multiple RATsMULTI#STORM
Securonix Threat Labs identified the MULTI#STORM attack campaign delivering Warzone RAT and Quasar RAT via phishing emails. The attack begins with a password-protected ZIP containing an obfuscated JavaScript file that downloads and executes a Python-based loader from OneDrive. The loader establishes persistence and drops multiple RAT payloads, targeting victims in the US and India.