
Fraudulent purchase orders and shipping notifications have been two common recurring themes for distributors of multiple different malware families. The malicious email shown below presented itself as a shipment status notification from TNT Express. TNT is a shipping and logistics company operating in more than two hundred countries; it was acquired by FedEx in 2016 but still retains the TNT branding outside the US. The message stated that shipment paperwork was attached, but the attachment was a [.]gz archive disguised as a PDF. A double extension such as this combination should always be a big red flag. Extracting the gzip archive yielded an executable that turned out to be XLoader. XLoader is a stealthy rebranded version of Formbook (an info-stealer) offered in licensed subscriptions via the malware-as-a-service model. It is cross-platform, capable of infecting both Windows and macOS.
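As an added defender-side example (not code from the original post), the following Python triage check flags the two signals described above: a document-looking filename whose outer extension is an archive or executable, and a gzip attachment whose decompressed payload begins with executable magic bytes. The sample attachment is constructed inline, and the function names are my own.

```python
import gzip
import io
import os

# Extensions a recipient expects to open as a document.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Outer extensions that can hide or directly carry executable content.
CONTAINER_EXTS = {".gz", ".zip", ".rar", ".7z", ".iso", ".dmg"}
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".js", ".vbs"}
# Magic bytes of executable formats that may sit inside an archive.
MAGIC = {b"MZ": "windows-pe", b"\x7fELF": "elf",
         b"\xcf\xfa\xed\xfe": "mach-o-64", b"\xca\xfe\xba\xbe": "mach-o-fat"}

def extension_chain(name):
    """Return all lowercase extensions of a filename, outermost last."""
    exts = []
    base = name.lower()
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            return exts
        exts.insert(0, ext)

def suspicious_name(name):
    """Flag a document name whose outer extension is an archive or executable."""
    exts = extension_chain(name)
    if len(exts) < 2:
        return None
    inner, outer = exts[-2], exts[-1]
    if inner in DOCUMENT_EXTS and outer in CONTAINER_EXTS | EXEC_EXTS:
        return f"double extension {inner}{outer}"
    return None

def executable_in_gzip(data):
    """Decompress a gzip attachment and name the payload if it is an executable."""
    try:
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
            head = gz.read(4)
    except (OSError, EOFError):  # not gzip, or truncated
        return None
    return next((kind for magic, kind in MAGIC.items() if head.startswith(magic)), None)

def triage(name, data):
    """Collect the findings a mail gateway would raise for one attachment."""
    findings = []
    reason = suspicious_name(name)
    if reason:
        findings.append(reason)
    if extension_chain(name)[-1:] == [".gz"]:
        kind = executable_in_gzip(data)
        if kind:
            findings.append(f"gzip payload is {kind}")
    return findings

# Constructed samples: a gzip of a fake PE stub (not a real binary) and a benign gzip.
FAKE_PE_ATTACHMENT = gzip.compress(b"MZ" + b"\x90" * 62)
BENIGN_ATTACHMENT = gzip.compress(b"just text")
```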

Below is an underground forum XLoader ad, published by BleepingComputer in 2021, when the malware started to be noticed by security researchers.

Later, I observed this same malware variant targeting macOS users via [.]dmg (macOS disk image) files posing as an “Office REQ.” The threat actor’s creativity leaves much to be desired, but sometimes a simple approach can be effective.

*The [.]dmg file in this example was sanitized by converting it to a text file.
