Seqrite, the enterprise security arm of Quick Heal Technologies Limited, has exposed XELERA, a sophisticated ransomware campaign targeting Indian tech professionals. Disguised as job offers from the Food Corporation of India (FCI), the attack exploits the trust of job seekers to infiltrate systems.
The attack begins with a spear-phishing email carrying a fake FCI recruitment document (FCEI-job-notification.doc). This document contains a PyInstaller-packaged executable (jobnotification2025.exe), which drops compiled Python scripts for system monitoring and data exfiltration.
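The infection chain above hinges on a document that carries a PyInstaller-built Windows executable. The following triage helper is an added example written for this article, not Seqrite's tooling: it flags a file that is a legacy OLE (.doc) container with an embedded PE image, or that contains the PyInstaller archive cookie (the `MEI` magic that every PyInstaller bundle appends to its payload). The sample blobs are constructed stand-ins for the malicious and a benign document; file names and the byte layout are assumptions, not artefacts from the campaign.

```python
"""Flag files that carry a PyInstaller-bundled Windows executable.

Added example (not Seqrite's detection content). Looks for an embedded PE
inside an OLE document and for the PyInstaller archive cookie.
"""
import re

# PyInstaller writes this 8-byte magic at the start of its CArchive cookie.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Text from the DOS stub that precedes the PE header in every Windows executable;
# used as a second signal when "MZ" appears somewhere other than offset 0.
PE_STUB_TEXT = b"This program cannot be run in DOS mode"
# Header of the legacy Compound File (OLE) container used by .doc files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def triage(data: bytes) -> dict:
    """Return the indicators found in a file's raw bytes."""
    findings = {
        "is_ole_document": data.startswith(OLE_MAGIC),
        "pe_at_offset0": data.startswith(b"MZ"),
        "embedded_pe": False,
        "pyinstaller_bundle": PYINSTALLER_MAGIC in data,
    }
    # "MZ" at a non-zero offset followed closely by the DOS stub text means a
    # PE image was embedded (e.g. an OLE package object inside a .doc).
    for m in re.finditer(b"MZ", data):
        if m.start() > 0 and PE_STUB_TEXT in data[m.start(): m.start() + 512]:
            findings["embedded_pe"] = True
            break
    findings["suspicious"] = findings["pyinstaller_bundle"] or (
        findings["is_ole_document"] and findings["embedded_pe"]
    )
    return findings


def triage_file(path: str) -> dict:
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return triage(fh.read())


# Constructed samples (not real campaign files): an OLE header followed by a
# fake embedded PE stub and a PyInstaller cookie, and a plain OLE document.
SAMPLE_MALICIOUS = (
    OLE_MAGIC + b"\x00" * 64
    + b"MZ\x90\x00" + b"\x00" * 60 + PE_STUB_TEXT
    + b"\x00" * 32 + PYINSTALLER_MAGIC + b"\x00" * 16
)
SAMPLE_BENIGN = OLE_MAGIC + b"\x00" * 128 + b"Dear applicant, ..."

if __name__ == "__main__":
    for name, blob in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, triage(blob))
```

Run it over a mail-gateway quarantine folder with `triage_file`; a hit on `pyinstaller_bundle` inside something delivered as a document is a strong signal on its own, while `embedded_pe` alone deserves a closer look because legitimate documents rarely package executables.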
A unique aspect of XELERA is its use of a Discord bot for remote command execution, allowing attackers to escalate privileges, steal credentials, and lock down systems. It also triggers fake Blue Screen of Death (BSOD) errors, modifies desktop settings, and deploys MEMZ.exe to corrupt the Master Boot Record (MBR), rendering devices unusable.
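Because the bot talks to Discord's public API, its traffic blends in with legitimate use of the service; what gives it away is the process making the requests and the polling rhythm. The hunt below is an added example written for this article, not Seqrite's detection logic. It assumes a constructed key=value proxy log format (adapt `parse` to your proxy's real schema), uses the page's `jobnotification2025.exe` as the process name, and treats the channel id `EXAMPLE` as a placeholder.

```python
"""Hunt for Discord-based command-and-control in web proxy logs.

Added example (not Seqrite's detection content). The log layout below is
constructed; only the Discord host names are real, public API endpoints.
"""
from collections import defaultdict
from datetime import datetime
import re

# Public Discord API / gateway hosts.
DISCORD_HOSTS = {"discord.com", "discordapp.com", "gateway.discord.gg", "cdn.discordapp.com"}
# Processes for which Discord traffic is expected and not suspicious on its own.
EXPECTED_CLIENTS = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line: str) -> dict:
    """Parse '<iso-timestamp> k=v k=v ...' into a dict with a datetime 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in KV.findall(rest)}
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def find_discord_c2(lines, min_events: int = 3) -> list:
    """Return one alert per (host, process) that polls Discord from an
    unexpected process at least min_events times; flag regular intervals."""
    by_proc = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev.get("dst", "").lower() in DISCORD_HOSTS and ev.get("proc", "").lower() not in EXPECTED_CLIENTS:
            by_proc[(ev.get("host"), ev["proc"].lower())].append(ev)

    alerts = []
    for (endpoint, proc), events in by_proc.items():
        if len(events) < min_events:
            continue
        events.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]
        # Near-constant gaps indicate a polling loop against the bot channel.
        beaconing = len(gaps) >= 2 and max(gaps) - min(gaps) <= 0.2 * max(gaps)
        alerts.append({
            "endpoint": endpoint,
            "process": proc,
            "events": len(events),
            "api_paths": sorted({e.get("path", "") for e in events}),
            "beaconing": beaconing,
        })
    return alerts


# Constructed proxy log lines; 'EXAMPLE' stands in for a channel id.
SAMPLE_LOG = [
    "2025-02-10T10:15:00Z host=WS-17 proc=jobnotification2025.exe dst=discord.com method=GET path=/api/v10/channels/EXAMPLE/messages bytes=412",
    "2025-02-10T10:15:03Z host=WS-17 proc=chrome.exe dst=discord.com method=GET path=/api/v10/users/@me bytes=980",
    "2025-02-10T10:15:30Z host=WS-17 proc=jobnotification2025.exe dst=discord.com method=GET path=/api/v10/channels/EXAMPLE/messages bytes=412",
    "2025-02-10T10:16:01Z host=WS-17 proc=jobnotification2025.exe dst=discord.com method=POST path=/api/v10/channels/EXAMPLE/messages bytes=2310",
    "2025-02-10T10:16:31Z host=WS-17 proc=jobnotification2025.exe dst=discord.com method=GET path=/api/v10/channels/EXAMPLE/messages bytes=412",
    "2025-02-10T10:16:40Z host=WS-22 proc=outlook.exe dst=outlook.office365.com method=GET path=/owa bytes=5000",
]

if __name__ == "__main__":
    for alert in find_discord_c2(SAMPLE_LOG):
        print(alert)
```

The process allowlist is the part to tune: on a host where no Discord client is expected at all, dropping it entirely turns every Discord API request into a lead worth triaging, and the POST to the messages endpoint (the larger request body) is where exfiltrated data would travel.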
Finally, XELERA encrypts critical files and demands Litecoin payments in exchange for decryption, threatening permanent data loss.
Seqrite’s APT Team has integrated detection mechanisms into its security platforms and urges users to adopt multi-layered security, stay cautious of unsolicited job offers, and verify communications through official channels.
As cybercriminals refine their tactics, vigilance remains the strongest defense.