A new APT attack by the Konni organization impersonating an academic research foundation dealing with nuclear issues
2020-05-27 • ESTSecurity • A new APT attack by the Konni organization impersonating an academic research foundation dealing with nuclear issues. •
A Konni-style spearphishing operation used a malicious document impersonating Stanford CISAC discussions on cyber and nuclear issues, likely aiming at researchers or professionals working on nuclear and international security topics. The lure pushed users to enable macros by hiding document text until the malicious VBA finished, then used Document_Open to decode an embedded executable with XOR 0xFF and launch it through cmd. The payload contacted adobeevent.medianewsonline[.]com, downloaded a cabinet archive, unpacked it with expand, and ran a batch chain that ultimately executed xclientsvc.dll. The final DLL collected infected-system information, sent it to the attacker, and could download and execute additional malware, while the report notes overlap with earlier Konni payloads and changes such as added UAC bypass and a shift from FTP to web-based communication.
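As an added defender-side example (not code from the ESTsecurity report), the following Python scans a byte blob such as an extracted VBA stream or the raw document for a PE image stored XOR-encoded with the single byte 0xFF, the encoding described above. The sample input is constructed: a minimal PE stub plus a decoy byte pair that must not be reported.

```python
"""Locate PE executables hidden with single-byte XOR 0xFF inside a blob."""
import struct

XOR_KEY = 0xFF
ENCODED_MZ = bytes(b ^ XOR_KEY for b in b"MZ")  # "MZ" as it appears once encoded


def xor_ff(data: bytes) -> bytes:
    """XOR every byte with 0xFF; the operation is its own inverse."""
    return bytes(b ^ XOR_KEY for b in data)


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_xor_ff_pe(blob: bytes) -> list[int]:
    """Return every offset where an XOR-0xFF-encoded PE image begins."""
    hits = []
    pos = blob.find(ENCODED_MZ)
    while pos != -1:
        # Decode only a header-sized window to validate the candidate cheaply.
        if is_pe(xor_ff(blob[pos:pos + 0x1000])):
            hits.append(pos)
        pos = blob.find(ENCODED_MZ, pos + 1)
    return hits


def build_sample_document() -> bytes:
    """Constructed test input (not a real maldoc): filler, a decoy "MZ" pair with
    no valid header behind it, then a minimal PE stub encoded with XOR 0xFF."""
    e_lfanew = 0x80
    stub = bytearray(b"MZ" + b"\x00" * (0x3C - 2))
    stub += struct.pack("<I", e_lfanew)
    stub += b"\x00" * (e_lfanew - len(stub))
    stub += b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 0x100  # i386 machine field
    decoy = b"text " + ENCODED_MZ + b" more text"
    return b"A" * 64 + decoy + b"B" * 32 + xor_ff(bytes(stub)) + b"C" * 16


if __name__ == "__main__":
    print(find_xor_ff_pe(build_sample_document()))  # [113]
```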
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | http://adobeevent.medianewsonli… | 2020-05-27 | 2020-05-27 |
| DOMAIN | adobeevent.medianewsonline.com | 2020-05-27 | 2020-05-27 |