The emails demand users open attachments that combine VBScript with PowerShell scripts, downloading files from external sources like planachiever.au and tripplebanks.duckdns.org.

The malicious MSC file is often disguised as a harmless document, such as a Word file. When the victim opens the file, it downloads and executes a PowerShell script from an external server. This script then decodes and runs the Rhadamanthys Stealer.