Malicious actors are using one of the James Webb Space Telescope’s (JWST’s) first images to spread malware, the Securonix Threat research team has discovered.

The malware campaign has been dubbed “GO#WEBBFUSCATOR” and allows attackers to take control of a system or steal data.

The researchers explained that the initial infection starts with a phishing email containing a Microsoft Office document.

That attachment contains a hidden external reference in its metadata which downloads a malicious template file.

Once the user enables Word macros, a VB script in the template file initiates the first stage of code execution for the attack.

The code pulls a JPEG file, the stunning and much-shared image of a cluster of galaxies taken by JWST, from the same C2 server as the Microsoft Office document.

“The image contains malicious Base64 code disguised as an included certificate,” Securonix explained.

Using the certutil.exe application, the code decodes that Base64 payload into a binary named msdllupdate.exe.

The researchers said that when they published their report on the malware, no antivirus programs had yet flagged it as a threat.

The team discovered URL strings showing that the binary was using a DNS data exfiltration technique against a target C2 DNS server.

“This technique works by sending an encrypted string appended to the DNS query set as a subdomain.”

“The encrypted messages are read in and unencrypted on the C2 server, thus revealing its original contents.”

The researchers said attackers could either use this to establish an encrypted channel for command and control of a system, or exfiltrate sensitive data.
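Detection logic for the DNS pattern described above, run over a few constructed query-log lines (an added example, not code from the Securonix report; the thresholds, the log format and the placeholder domain are assumptions):

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not from the Securonix report), one query per
# line as "<timestamp> <client-ip> <queried-name>"; the exfil domain is a placeholder.
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com
2024-01-01T10:00:02 10.0.0.5 mail.example.com
2024-01-01T10:00:03 10.0.0.7 4a9f1c3e7b2d8f0a6c5e9b1d3f7a2c8e.exfil-placeholder.test
2024-01-01T10:00:04 10.0.0.7 0e7c2b9d4f1a8e3c6b5d9f2a7e1c4b8d.exfil-placeholder.test
2024-01-01T10:00:05 10.0.0.7 9b3e6a1d7f4c0e8b2d5a9c3f1e7b4d0a.exfil-placeholder.test
"""

# Thresholds are assumptions for this example, not values from the report.
MIN_LABEL_LEN = 30          # encoded chunks make unusually long leftmost labels
MIN_ENTROPY = 3.0           # bits/char; hostnames made of words sit well below
MIN_UNIQUE_SUBDOMAINS = 3   # moving data needs many distinct names per domain

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character (0.0 for empty or single-symbol input)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s))) if n else 0.0

def split_name(name: str):
    """(leftmost label, registrable domain). Assumes the domain is the last two
    labels, which is wrong for suffixes like co.uk; use a public-suffix list in practice."""
    labels = name.rstrip(".").split(".")
    return labels[0], ".".join(labels[-2:])

def analyze(log: str) -> dict:
    """Per registrable domain: distinct leftmost labels, longest label, highest entropy."""
    stats = defaultdict(lambda: {"subdomains": set(), "max_len": 0, "max_entropy": 0.0})
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        label, domain = split_name(parts[2])
        st = stats[domain]
        st["subdomains"].add(label)
        st["max_len"] = max(st["max_len"], len(label))
        st["max_entropy"] = max(st["max_entropy"], shannon_entropy(label))
    return stats

def flag_tunneling(log: str) -> list:
    """Domains whose leftmost labels look like encoded data carried in the query."""
    return sorted(d for d, st in analyze(log).items()
                  if st["max_len"] >= MIN_LABEL_LEN
                  and st["max_entropy"] >= MIN_ENTROPY
                  and len(st["subdomains"]) >= MIN_UNIQUE_SUBDOMAINS)
```

Any one indicator alone produces false positives (CDNs and anti-spam services legitimately use long, random-looking labels), which is why the three are combined and why a real deployment would also baseline per-domain query volume.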

Securonix vice president Augusto Barros told Popular Science that using the James Webb photo could allow the malware to avoid suspicion based on its size, as images can be quite large.

In addition, if the file was flagged as suspicious, it might pass review because of its widespread sharing online in recent months.