Attackers send invoices or legal notices containing .iso or .img files. When mounted, the user sees a .lnk shortcut. Clicking it executes PowerShell to download the XWorm "Crypsi" loader.
The information stealer module has been overhauled to target modern applications: xworm v31 updated
Here are a few options for the text, depending on the context (e.g., a changelog, a forum post, or a brief announcement): Attackers send invoices or legal notices containing