Security researchers at Seqrite Labs have identified a campaign called Operation IconCat, targeting Israeli organizations with weaponized documents designed to look like legitimate security tools.
The attacks began in November 2025 and have compromised multiple companies across information technology, staffing services, and software development sectors.
The core of this attack relies on a psychological trick: threat actors create fake documents that mimic trusted antivirus vendors like Check Point and SentinelOne.
When victims open these disguised files, they unknowingly download harmful malware hidden behind a familiar brand name.
The campaign demonstrates how social engineering combined with technical sophistication can bypass traditional security defenses.
Two distinct attack chains make up Operation IconCat. Both use similar tactics but deploy different malware variants.
The first chain focuses on document-based delivery using PDF files, while the second uses Word documents with hidden programming code.
Seqrite analysts identified the malware by analyzing suspicious file uploads from Israel dated November 16 and 17, 2025.
The first attack wave involves a PDF file named help.pdf that presents itself as a Check Point security scanner manual.
The document instructs users to download a tool called “Security Scanner” from Dropbox, protected with the password “cloudstar.” Inside the file lie detailed instructions on how to run security scans, complete with authentic-looking screenshots.
This PDF serves as the entry point for deploying PYTRIC, a Python-based malware packaged using PyInstaller technology.
Concerning capabilities
PYTRIC carries concerning capabilities beyond typical malware behavior. Analysis reveals it contains functions designed to scan files across the entire system, check for administrator privileges, and perform devastating actions such as erasing system data and deleting backups.
The malware communicates through a Telegram bot named Backup2040, allowing attackers to control infected machines remotely. This combination suggests the threat actors intend not just to steal information, but to destroy it entirely.
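Because PYTRIC takes its commands from a Telegram bot, the Bot API traffic itself is a detection opportunity for defenders: calls to api.telegram.org/bot&lt;token&gt;/… from a process that is not a sanctioned automation client are rarely legitimate on a workstation. The script below is an added example, not Seqrite's code or any artifact from the report. It runs a simple rule over constructed proxy log lines (the hostnames, process names, the allowlisted opsnotifier.exe client and the bot token are all made up) and flags hosts that repeatedly poll the Bot API.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample proxy log lines (NOT from the report).
# Format: timestamp src_host process dest_host url_path
SAMPLE_PROXY_LOG = """\
2025-11-16T09:01:12Z WS-041 SecurityScanner.exe api.telegram.org /bot123456:CONSTRUCTED_TOKEN/getUpdates
2025-11-16T09:01:40Z WS-041 SecurityScanner.exe api.telegram.org /bot123456:CONSTRUCTED_TOKEN/sendDocument
2025-11-16T09:02:05Z WS-017 chrome.exe web.telegram.org /k/
2025-11-16T09:02:30Z WS-022 opsnotifier.exe api.telegram.org /bot987654:CONSTRUCTED_TOKEN/getMe
2025-11-16T09:03:00Z WS-041 chrome.exe example.com /index.html
"""

# Telegram Bot API paths look like /bot<numeric id>:<secret>/<method>
BOT_API_RE = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/(?P<method>[A-Za-z]+)")

# Hypothetical allowlist: processes for which Bot API traffic is sanctioned
# in this (constructed) environment. Everything else is treated as suspicious.
EXPECTED_PROCESSES = {"opsnotifier.exe"}


@dataclass
class Alert:
    timestamp: str
    host: str
    process: str
    method: str


def parse_line(line: str):
    """Split one proxy log line into its five fields; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    return dict(zip(("ts", "host", "process", "dest", "path"), parts))


def find_bot_api_beacons(log_text: str) -> list[Alert]:
    """Return one Alert per Bot API call made by a non-allowlisted process."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dest"].lower() != "api.telegram.org":
            continue
        match = BOT_API_RE.match(rec["path"])
        if match is None:
            continue
        if rec["process"].lower() in EXPECTED_PROCESSES:
            continue
        alerts.append(Alert(rec["ts"], rec["host"], rec["process"], match.group("method")))
    return alerts


def beaconing_hosts(alerts: list[Alert], threshold: int = 2) -> dict[str, int]:
    """Hosts with at least `threshold` unsanctioned Bot API calls (repeated polling)."""
    counts = Counter(alert.host for alert in alerts)
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = find_bot_api_beacons(SAMPLE_PROXY_LOG)
    for alert in found:
        print(f"{alert.timestamp} {alert.host} {alert.process} -> {alert.method}")
    print("beaconing hosts:", beaconing_hosts(found))
```

The rule keys on the URL path rather than on a specific bot name or token, so it does not depend on the Backup2040 indicator from the report and still catches a fresh bot; the tradeoff is that any sanctioned Bot API user must be allowlisted explicitly, as opsnotifier.exe is here.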
The second campaign follows a similar pattern but with a Rust-based implant called RUSTRIC. A spear-phishing email impersonates L.M. Group, a legitimate Israeli human resources company, using the spoofed domain l-m.co.il.
The email attachment contains a corrupted Word document with hidden macros that extract and execute the final payload.
RUSTRIC demonstrates advanced reconnaissance capabilities, checking for the presence of 28 different antivirus products, including Quick Heal, CrowdStrike, and Kaspersky.
Once executed via Windows Management Instrumentation, it runs system commands to identify the infected computer and establish connections to attacker-controlled servers.
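A shell spawned by the WMI provider host (WmiPrvSE.exe) that immediately runs host-identification commands is a distinctive parent-child pattern, and it maps to the RUSTRIC execution and reconnaissance behaviour described above. The following is an added example, not Seqrite's code: it applies that rule to constructed Sysmon-style process-creation records (hostnames, paths and command lines are made up) and grades each hit so an analyst can triage the WMI-plus-recon case first.

```python
from typing import Optional

# Constructed Sysmon-style process-creation events (Event ID 1 field names),
# NOT taken from the report.
SAMPLE_EVENTS = [
    {"host": "WS-041",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami & systeminfo & hostname"},
    {"host": "WS-017",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c ipconfig /all"},
    {"host": "WS-022",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"host": "WS-041",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
]

# Command interpreters whose launch by WmiPrvSE.exe is worth an alert on its own
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Substrings typical of "identify this machine" reconnaissance
RECON_TOKENS = ("whoami", "systeminfo", "hostname", "ipconfig",
                "net user", "net group", "nltest")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> Optional[tuple[str, str]]:
    """Return (rule_name, severity) for a suspicious event, or None."""
    wmi_parent = basename(event["ParentImage"]) == "wmiprvse.exe"
    is_shell = basename(event["Image"]) in SHELLS
    cmd = event["CommandLine"].lower()
    recon = any(token in cmd for token in RECON_TOKENS)

    if wmi_parent and is_shell and recon:
        return ("wmi_recon", "high")        # WMI-launched shell doing host recon
    if wmi_parent and is_shell:
        return ("wmi_spawned_shell", "medium")  # WMI-launched shell, no recon seen yet
    if recon:
        return ("recon_only", "low")        # recon from an ordinary parent; context needed
    return None


def detect(events: list[dict]) -> list[dict]:
    """Run classify() over all events and return the alerts in input order."""
    alerts = []
    for event in events:
        verdict = classify(event)
        if verdict is None:
            continue
        rule, severity = verdict
        alerts.append({"host": event["host"], "rule": rule,
                       "severity": severity, "command_line": event["CommandLine"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['host']} {alert['rule']}: {alert['command_line']}")
```

Matching on the parent image rather than on a specific payload name keeps the rule useful across variants; the low-severity recon_only tier exists so that an administrator running ipconfig from Explorer is logged but not paged.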
Security teams should treat these campaigns as high-priority threats requiring immediate investigation and remediation efforts.