Scammers began distributing malware through mailing lists disguised as "accounting" documents


Attackers have begun actively distributing the Pure malware, disguising it as accounting documents and targeting both large and small businesses in order to gain access to financial data and to control of the victims' systems, Kaspersky Lab told Izvestia on May 20.
The Pure malware family was first discovered in mid-2022. It is sold on shady Internet sites on a "malware as a service" basis, meaning that anyone, hacker groups and individual intruders alike, can buy the malware and use it in attacks. In the first four months of 2025, the company recorded a fourfold increase in cyber attacks using this malware on Russian organizations compared to the same period in 2024.
"An employee of the company receives a spam email with a malicious attachment in the form of a RAR archive or a link to the archive. It contains an executable file that disguises itself as a PDF document. In the file name, attackers most often use template words related to the accounting field, such as doc, akt, act, sverka, reconciliation, buh, oplata, payment, and also mention well-known companies that develop accounting software or provide services for its implementation," the message says.
In addition, some malware components are named after well-known banks. This is a further indication that the attacks are aimed at employees who work with payment information, in particular accountants. The malicious campaign affects both large and small businesses, the company's press service noted.
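The lure described above has a recognisable shape: an executable posing as a PDF, named with accounting keywords or a bank or vendor name, delivered directly or inside a RAR archive. The following is an added example of a mail-gateway heuristic that scores attachment names against that shape; it is not code from Kaspersky Lab, Izvestia or the malware's authors. The keyword list is the one quoted in the report; the executable-extension list, the scoring thresholds, the bank/vendor tokens (the report names none) and all sample filenames are constructed for illustration.

```python
"""Added example: score mail attachment names against the lure pattern
described in the report (executable disguised as a PDF, accounting
keywords, bank/vendor names, RAR delivery). Thresholds, extension list,
vendor tokens and sample names are constructed, not taken from the report."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Template words quoted in the report (transliterated Russian and English).
ACCOUNTING_KEYWORDS = {"doc", "akt", "act", "sverka", "reconciliation",
                       "buh", "oplata", "payment"}
# Extensions Windows will execute on double-click (constructed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".msi", ".lnk"}
ARCHIVE_EXTS = {".rar", ".zip", ".7z"}
# Hypothetical stand-ins for the bank / accounting-vendor names the report
# mentions but does not list; replace with your own watchlist.
VENDOR_BANK_TOKENS = {"examplebank", "examplesoft"}

BLOCK_THRESHOLD = 5    # constructed tuning values
REVIEW_THRESHOLD = 3


@dataclass
class Verdict:
    filename: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def action(self) -> str:
        if self.score >= BLOCK_THRESHOLD:
            return "block"
        if self.score >= REVIEW_THRESHOLD:
            return "review"
        return "allow"


def _split_ext(name: str):
    """Return (stem, extension) in lower case; extension includes the dot."""
    lower = name.lower().strip()
    stem, dot, ext = lower.rpartition(".")
    return (stem, "." + ext) if dot else (lower, "")


def _tokens(name: str) -> set:
    """Split a filename into alphanumeric tokens for keyword matching."""
    return set(re.split(r"[^a-z0-9]+", name.lower())) - {""}


def assess_attachment_name(name: str) -> Verdict:
    """Score a single attachment name; higher means more lure-like."""
    v = Verdict(name)
    stem, ext = _split_ext(name)
    if ext in EXECUTABLE_EXTS:
        v.score += 3
        v.reasons.append(f"executable extension {ext}")
        # "oplata.pdf.exe": document-looking name on a real executable
        if stem.rstrip().endswith("pdf"):
            v.score += 3
            v.reasons.append("PDF-looking name on an executable")
    toks = _tokens(name)
    acc = toks & ACCOUNTING_KEYWORDS
    if acc:
        v.score += 2
        v.reasons.append("accounting keywords: " + ", ".join(sorted(acc)))
    vendor = toks & VENDOR_BANK_TOKENS
    if vendor:
        v.score += 1
        v.reasons.append("bank/vendor name: " + ", ".join(sorted(vendor)))
    return v


def assess_archive(archive_name: str, member_names: Iterable[str]) -> Verdict:
    """Score an archive by its worst member (member list as a RAR/ZIP
    listing would give it). An archive whose only payload is an executable
    is exactly the delivery shape the report describes."""
    members = list(member_names)
    worst = Verdict(archive_name)
    for m in members:
        mv = assess_attachment_name(m)
        if mv.score > worst.score:
            worst = Verdict(archive_name, mv.score,
                            [f"{m}: {r}" for r in mv.reasons])
    _, ext = _split_ext(archive_name)
    if (ext in ARCHIVE_EXTS and len(members) == 1
            and _split_ext(members[0])[1] in EXECUTABLE_EXTS):
        worst.score += 2
        worst.reasons.append("archive contains a single executable")
    return worst


if __name__ == "__main__":
    # Constructed sample attachments, not real campaign indicators.
    for v in (assess_attachment_name("Akt_sverka_2025.pdf"),
              assess_attachment_name("Oplata_schet.pdf.exe"),
              assess_archive("Buh_docs.rar", ["Sverka_examplebank.pdf.exe"])):
        print(f"{v.action:6} {v.score:2} {v.filename}: {'; '.join(v.reasons)}")
```

A genuine "Akt_sverka_2025.pdf" scores only on keywords and is allowed, so the heuristic does not punish the accounting department for using normal names; the score climbs only when an executable extension, a fake ".pdf" infix or single-executable archive packaging is combined with those keywords. Keep the real ruleset behind the gateway's attachment sandboxing, since a name check is a cheap first filter, not a substitute for inspecting the file.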
"The malware is aimed at stealing credentials, confidential information and financial resources of companies. After infiltrating the device, the malware is able to load several dozen additional modules, each of which performs its own functions, for example, launching a self-removal command, gaining access to the microphone and camera, shutting down or restarting the computer," Kaspersky Lab explained.
In addition, if an employee leaves the workplace without closing the application or logging out of the browser session, an attacker can connect in remote desktop mode to carry out malicious actions, they summarized. To protect their data, the company recommends that organizations update software regularly and conduct network security audits.
Translated by the Yandex Translate service