Cisco Talos recently uncovered a series of email campaigns utilizing links to malicious documents hosted on legitimate file-sharing platforms to spread malware. The use of web-based contact forms, legitimate hosting platforms, and a specific crypter makes analysis and detection more difficult. While effective, this crypting mechanism contains an easy-to-detect flaw: The presence of a specific string value “Salfram” makes it easy to track over time. The crypter used in these campaigns is undergoing active development and improvements to obfuscate the contents of malware.
Source: https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html