The campaign sends phishing emails pretending to be from Meta, Instagram’s parent company, claiming that the recipient’s account has been restricted due to copyright infringement.
The fake plugin, once installed, creates a hidden admin user and sends victim information to the attackers, while also downloading a backdoor payload that allows for file management, SQL client, and server environment information access.