APT attack 'Operation Blackhat Voice' that plays voice audio files
2019-03-07 • ESTSecurity • APT attack 'Operation Blackhat Voice' that plays voice files
ESRC reported Operation Blackhat Voice spear-phishing activity in early 2019 using password-protected ZIP lures such as Protected.zip and filenames tied to Chinese themes. The payload chain hid CAB data in MP3/WAVE-themed files, extracted DLLs including svc.dll, wp.dll, and wing.dll, and installed components under Windows ProgramData and System32 paths. The malware searched for documents, credentials, wallets, RDP/VNC material, and browser data, then communicated with command-and-control infrastructure using FTP or multipart/form-data uploads. The report links the tooling to earlier Blackhat Voice activity and includes C2 and payload behavior useful for detection.