Malware Infection Via OneNote Attachments And How To Defend Against It
Threat actors are now deploying malicious OneNote files to gain initial access to a target's machine. This is done by attaching malicious .vbs (VBScript) files within the OneNote document along with an enticing call-to-action button.
Raspberry Robin USB Worm Malware Analysis
In this post, I discuss my real-world encounter with the Raspberry Robin worm infection, and how it gained initial access from a malicious USB device. Below is a timeline of events observed on the endpoint from the moment the USB device was mounted to when execution events began.
Analysing SocGholish ‘Chrome Update’ Malware
I discuss my first real-world encounter with the SocGholish drive-by download malware, and then go on to analyse its impact, how it works and how our defenses managed to thwart the second stage of the attack.

