Security researchers have uncovered a sophisticated cyber espionage campaign, dubbed Operation IconCat, targeting Israeli organizations with weaponized Word and PDF documents designed to mimic essential security tools. The attacks, which commenced in November 2025, have impacted companies across the information technology, staffing services, and software development sectors, highlighting a growing trend of social engineering combined with advanced malware delivery techniques.
Seqrite Labs identified the campaign after analyzing suspicious file uploads originating from Israel on November 16 and 17, 2025. Threat actors are leveraging the trust users place in familiar brands, disguising malicious payloads within documents that appear to be legitimate security software manuals or updates from well-known antivirus vendors like Check Point and SentinelOne. This tactic aims to bypass traditional security measures by exploiting user behavior and a sense of urgency related to cybersecurity.
Operation IconCat: A Dual-Pronged Attack Strategy
Operation IconCat employs two distinct attack chains, each delivering a different malware family. The first chain uses PDF files, while the second relies on Word documents carrying malicious macros. Running two chains in parallel lets the threat actors adapt their tactics to the target’s likely defenses and to how users interact with each document type.
PDF-Based Delivery: Introducing PYTRIC Malware
The initial wave of attacks involved a PDF document masquerading as a Check Point security scanner manual, named “help.pdf.” This document instructed victims to download a tool called “Security Scanner” from Dropbox, in an archive protected by the password “cloudstar.” The PDF itself contained seemingly legitimate instructions for running security scans, complete with realistic screenshots. In reality, the PDF served as the entry point for deploying PYTRIC, a Python-based malware packaged with PyInstaller.
PYTRIC’s capabilities extend well beyond those of typical information-stealing malware. Analysis from Seqrite Labs indicates that PYTRIC can scan the entire compromised system, check whether it holds administrator privileges, and carry out destructive actions, including erasing data and deleting backups. Furthermore, the malware communicates with its operators through a Telegram bot named “Backup2040,” giving them remote control over infected machines. This points to an objective of not only espionage but also outright data destruction.
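Because PYTRIC is packaged with PyInstaller, a quick triage step for responders is to check whether a suspicious executable carries the archive cookie PyInstaller appends to every build. The script below is an added example, not code from Seqrite’s report or from the campaign; the cookie layout is PyInstaller’s own (2.1 and later), and the sample bytes it parses are constructed in the script rather than taken from any real sample.

```python
"""Triage check: does a file carry a PyInstaller CArchive cookie?
Added example for responders; the 88-byte cookie layout is PyInstaller's
(2.1+), and the sample binary below is constructed, not a real sample."""
import struct

PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"   # cookie magic, PyInstaller 2.1+
# magic, package length, TOC offset, TOC length, python version, pylib name
COOKIE_FMT = "!8sIIii64s"
COOKIE_LEN = struct.calcsize(COOKIE_FMT)   # 88 bytes


def find_pyinstaller_cookie(data: bytes):
    """Return the parsed cookie if data is a PyInstaller bundle, else None.
    The cookie sits at or near the end of the file, so only the tail is scanned."""
    tail = data[-4096:]
    idx = tail.rfind(PYINST_MAGIC)
    if idx == -1 or len(tail) - idx < COOKIE_LEN:
        return None
    _, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FMT, tail[idx:idx + COOKIE_LEN])
    # pyvers is major*100+minor in recent releases, major*10+minor in older ones
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)
    return {
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "pylib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def build_sample(pyvers: int, pylib: bytes) -> bytes:
    """Constructed stand-in for a packed binary: a dummy PE stub plus a valid cookie."""
    body = b"MZ" + b"\x90" * 512
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, len(body) + COOKIE_LEN,
                         100, 64, pyvers, pylib.ljust(64, b"\x00"))
    return body + cookie


if __name__ == "__main__":
    print(find_pyinstaller_cookie(build_sample(311, b"python311.dll")))
    print(find_pyinstaller_cookie(b"MZ" + b"\x00" * 300))  # not PyInstaller: None
```

A positive hit only tells you the file is a PyInstaller bundle, which legitimate tools also use; it is a reason to pull the embedded Python code for analysis, not a verdict on its own. The older 24-byte cookie used before PyInstaller 2.1 is not parsed here.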
Word Document Exploitation: The RUSTRIC Implant
The second attack vector involves a spear-phishing email that impersonates L.M. Group, a legitimate Israeli human resources company, by using a spoofed domain (l-m.co.il). The attached Word document contains hidden macros that, when executed, extract and deploy the final malicious payload. This payload is identified as RUSTRIC, a Rust-based implant.
RUSTRIC is designed for advanced reconnaissance. Upon execution, it actively checks for the presence of 28 different antivirus products, including prominent solutions like Quick Heal, CrowdStrike, and Kaspersky. The implant then leverages Windows Management Instrumentation (WMI) to execute system commands, identify the infected computer, and establish persistent connections to attacker-controlled servers. The use of these distinct malware families, PYTRIC and RUSTRIC, demonstrates the attackers’ adaptability and their intent to inflict significant damage.
Security teams are urged to treat these campaigns as high-priority threats. Immediate investigation and remediation are crucial to limiting the impact on Israeli organizations. Operation IconCat’s combination of psychological manipulation with advanced technical execution underscores the evolving threat landscape and the need for robust, multi-layered defenses. Continuous monitoring and prompt incident response will be key to countering attacks of this kind.

