The first signs of a broad malware campaign that relies on socially engineering users with fake but convincing update notifications were spotted in December 2017, but more recently it has been picking up steam. Full details are over here.
Today, we are looking at what we call the ‘FakeUpdates campaign’ and describing its intricate filtering and evasion techniques. One of the earliest examples we could find was reported by BroadAnalysis on December 20, 2017. The update file is not an executable but rather a script, which is downloaded from Dropbox, a legitimate file hosting service, as can be seen in the animation below.