Tracked as TA866, the adversary appears to have started the infection campaign in October 2022, with the activity continuing into January 2023.
As part of the campaign, which Proofpoint refers to as Screentime, victims are targeted with malicious emails containing an attachment or a URL that leads to the deployment of malware. In some cases, based on the attacker’s assessment of the victim, post-exploitation activity may commence.