A social engineering scam orchestrated by the ElTest hacking group just had its final payload switched from ransomware to a remote access trojan, indicating a possible change in motive, researchers at Palo Alto Networks have reported.

According to a Friday blog post from Palo Alto's Unit 42 threat research team, the malicious campaign was updated in late August to distribute a downloader that installs the commercially available NetSupportManager RAT. Since January 2017, the ElTest scheme had been infecting victims primarily with ransomware such as Spora and Mole, the report continues.

The campaign, which began in December 2016 involves compromising websites to display a fraudulent message urging Google Chrome browser users to update their font package because the "HoeflerText" font wasn't found. Clicking the message's update button downloads the malware.

This particular scam only targets Chrome users. On the other hand, Internet Explorer users who visit these same compromised sites will instead receive a fake anti-virus alert, along with a phone number for a tech support scam.