BlueVoyant identifies novel threat actor campaign using fake law firm invoices to launch phishing attacks

GUEST RESEARCH: BlueVoyant’s Threat Fusion Center (TFC) recently flushed out a cyber attack campaign targeting a diverse array of organizations by exploiting the inherent trust associated with legal services.

We have dubbed the campaign “NaurLegal” and believe it is orchestrated by the eCrime group Narwhal Spider (aka Storm-0302, TA544).

Campaign details
The attackers disguise malicious PDF files as authentic-looking invoices from reputable law firms, a tactic designed to deceive recipients across various industries. The NaurLegal Campaign leverages the guide of legitimacy by crafting PDF files with convincing file names such as “Invoice_[number]_from_[law firm name].pdf.” This strategy plays on the routine expectation of receiving legal documents in business operations, increasing the likelihood of the recipients opening the files.

The infrastructure supporting the NaurLegal Campaign includes domains linked to WikiLoader with follow-on activity lending itself to this malware attribution. WikiLoader is known for sophisticated evasion techniques, such as checking Wikipedia responses for specific strings to evade sandbox environments. Narwhal Spider has previously utilized WikiLoader, and its involvement in this campaign indicates the potential for subsequent deployment of more destructive malware payloads. Virus Total submissions hint that IcedID may be one such payload associated with this campaign. Given the sensitive nature of the data managed by the targeted organizations, which includes intellectual property, corporate strategies, and personal information, the stakes of a successful breach are particularly high. Furthermore, the C2 infrastructure associated with this campaign relies, seemingly exclusively, on compromised WordPress sites — a known tactic of Narwhal Spider.

Threat actor broadening scope
Historically, Narwhal Spider’s WikiLoader campaigns have primarily focused on Italian organizations, delivering malware through various email attachments, including Microsoft Excel, OneNote, and PDF files. However, the NaurLegal Campaign marks a departure from these geographically-focused attacks, instead targeting a broader spectrum of organizations that are likely to handle legal invoices. This strategic shift highlights Narwhal Spider’s adaptability and its efforts to exploit different vulnerabilities and social engineering tactics.

Attacks targeting supply chains and trusted partner relationships continue to rise globally, as identified by BlueVoyant in our report State of Supply Chain Defense Report 2023. The expansion of operations by threat actors such as Narhwal Spider continues to support this trend.

Key details for network defenders
The campaign’s use of malicious PDF files disguised as invoices from reputable law firms is a key indicator. Network defenders should be alert to an unusual influx of PDF invoices, particularly those originating from external sources and following the naming convention “Invoice_[number]_from_[law firm name].pdf.” Implementing advanced email security solutions capable of analyzing PDF attachments for malicious content can help detect these threats.

In addition to mail ingress, monitoring network connections is a viable detection method for this attack. The campaign relies on compromised WordPress sites for C2 communications, and unusual traffic patterns or spikes in traffic to and from WordPress sites could indicate a potential infection.


On 20 February, keynote addresses from NAB, Canva, AWS, and Google Cloud, among others, will feature at ElasticON Sydney 2024.

This event will explore the latest advances in generative AI

The one-day conference, hosted by leading search analytics company Elastic, will include networking drinks, hands-on labs, technical sessions and a stellar line-up of keynote speakers from finance, technology, and government e=sectors.

ElasticON Sydney 2024 promises to be an enriching experience with a comprehensive exploration of the latest developments in security, observability, generative AI and their real world applications

Don’t miss out on this opportunity to network and find answers for what’s next from your industry peers and leaders

Register for ElasticON Sydney 2024



It’s all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive advertisements on our News Site and prominent Newsletter promotion and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focused on assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your advertisements and written content plus coordinate your video interviews.

We look forward to discussing your campaign goals with you. Please click the button below.