Cascading Shadows: An Attack Chain Approach to Avoid Detection and Complicate Analysis
Essential information
- Published: 16/04/2025 22:53
- Modified: 17/04/2025 16:38
- Tags: 2025-04-16, agent-tesla, autoit, infostealer, remcos, rat, shellcode, snake keylogger, xloader
- Related entities: 8 techniques (mitre), 4 malware
Description
A multi-layered attack chain uncovered in December 2024 uses distinct stages to deliver malware such as Agent Tesla variants, Remcos RAT, or XLoader. The campaign starts with phishing emails posing as order release requests and carrying malicious attachments. The attack chain offers multiple execution paths, including .NET and AutoIt compiled executables, to evade detection and complicate analysis. The final payload is typically an Agent Tesla variant, a well-known infostealer. The campaign shows how attackers increasingly rely on complex delivery mechanisms to bypass traditional sandboxes and ensure the payload executes. Despite the multi-layered approach, Advanced WildFire detects each stage, providing better protection for customers.