Security experts discovered a new njRat campaign using old tactics, making use of compromised websites as a third layer, communication proxy. The infection can arrive from almost any corner of the web, like SPAM emails, Chat messages, SMS, etc. etc., but in the case of this post, it wasnt given any news about the received method. The origin of this FakeAV comes from Saudi Arabia, exactly from the IP 188.55.84848443: The author went to check the code and found out that the main function does.Display the popup with the message: Display the popup. Decode a string of text which contains a link to a pastebin post”]
Source: https://securityaffairs.co/wordpress/37430/cyber-crime/njrat-campaign-fakeav.html