The attackers are using a Remote Management System (RMS) executable to trick victims into downloading malware disguised as banned applications like ExpressVPN, WeChat, and Skype.