Beware of Phishing Emails Disguised as Project Proposals
The AhnLab SEcurity intelligence Center (ASEC) recently confirmed that phishing emails disguised as project proposals are being circulated. The body of the email pretends to request that the proposal and confirmed delivery schedule be submitted as soon as possible, and prompts the recipient to download the attached compressed file.

[Figure 1] Phishing email body
When a user downloads and decompresses the attached compressed file, they will find JS malware disguised as a proposal, as shown in [Figure 2].

[Figure 2] Compressed file
When executed, the JavaScript malware executes PowerShell commands as shown in [Figure 4]. The PowerShell script receives encrypted SnakeKeylogger data as an argument from within the JavaScript file, decrypts it, and executes it in memory without saving it to disk.

[Figure 3] Part of the obfuscated JavaScript malware

[Figure 4] Part of the obfuscated PowerShell script
Once executed, SnakeKeylogger—an Infostealer—collects various types of information from the infected system, such as web browser data, system information, and keylogging data, and transmits it externally through SMTP or Telegram. The C2 server information used is as follows.
SnakeKeylogger C2
- Mail Server: mail.Trimnt[.]Com
- ID: nova3@mnt[.]Com
- Email To: keishstanford5@gmail[.]Com

[Figure 5] SnakeKeylogger malware Main
Response Guide
1. Verify the Sender
- Verify that the sender’s email address uses an official domain.
2. Check Hyperlinks and Attachments
- If the email body contains an image that prompts you to click on it, check the linked URL first before clicking. Suspicious URLs often redirect to legitimate pages via third-party sites rather than directly from official pages, so examine them carefully. Additionally, if there are attachments, check for suspicious file extensions (.Exe, .Vbs, .Js, etc.).
3. Be Cautious When Entering Sensitive Information
- If you are asked to provide sensitive information, such as login credentials, always verify that the page’s URL is that of the official site before entering any information. If the page is not official, it is highly likely to be a suspicious URL, so caution is required. In particular, check the page’s security certification (HTTPS, padlock icon) before entering sensitive information, and never enter any information if you have any doubts.