More recent campaigns from within the past three years still tend to follow this formula.
GlobeImposter has also been distributed as a later-stage infection within some well-known botnets. For example, in 2017 GlobeImposter was distributed via the Necurs botnet. This occurred as part of multiple spam campaigns that also delivered 7zip archives and followed the execution flow previously described.
AhnLab’s research revealed a ransomware campaign they referred to as “TZW”, with victims in South Korea. The name is derived from the first three characters of the Tor-based victim portal. A closer look suggests that “TZW” samples represent a new variant of the GlobeImposter family.