A new wave of phishing attacks is exploiting corporate finance departments by disguising malicious files as routine remittance documents. According to security analysts, this campaign uses Snake Keylogger, an information-stealing malware that records keystrokes and harvests credentials. By posing as reputable companies, the attackers are effectively breaching business networks through simple yet powerful social engineering.

The Deceptive Hook: Fake ‘Remittance’ Emails 

In this campaign, attackers initiate contact through targeted phishing emails that mimic genuine financial correspondence from companies like Clarivate or CPA Global. The emails, often titled along the lines of “Remittance advice for the payment dated…”, contain an attachment presented as a remittance document. Delivered in ZIP or ISO format, these files are designed to evade detection — especially the ISO versions, which slip past older systems that primarily scan ZIP archives. Opening the fraudulent file activates the infection process, compromising the victim’s system.

Bypassing Security Controls via Malicious PowerShell 

Hidden in the archive is a deceptively simple .bat file — not an invoice. Executing that script triggers a silent PowerShell call which downloads the Snake Keylogger loader (often labeled loader.exe) and launches it. Attackers purposefully keep the process unobtrusive so victims see few, if any, visible signs of compromise. 

 

After download, the compact payload uses process injection to plant itself inside commonly running Windows services (for example, explorer.exe and svchost.exe). this technique lets the keylogger blend with routine system behavior, reducing its visibility to conventional security scanners. 

Credential Harvesting via The “SysUpdate” Ruse 

After execution, the Snake Keylogger injects itself into browser processes and keylogging subsystems to silently record credentials, session tokens, and typed input. It bundles and compresses the pilfered files, then posts them to the attacker’s C2 endpoint over ordinary HTTP Post calls so exfiltration looks like routine network traffic. To maintain access long-term, it installs a scheduled task called “SysUpdate” which restarts the keylogger on an hourly cadence, so killing the process or a basic cleanup won’t remove it permanently. 

How to Reduce Risk from The Serpent’s Bite 

Security teams are calling for immediate organizational measures to mitigate this threat. User awareness training should focus on carefully examining all payment-related emails, regardless of source credibility. Technically, enforcing attachment-sandboxing for ISO files and enhancing logs to detect unusual process injection activity is crucial. Monitoring and blocking key Indicators of Compromise (IoCs)—including unique file hashes, malicious domains, and the scheduled task “SysUpdate”—at the network perimeter and endpoints will help prevent data loss and halt the attack chain.