Do you know if your users have VLC on their machines? BTW, there’s a portable version that doesn’t require installing…:
[…] Researchers at Symantec, a division of Broadcom, found that after gaining access to the target machine the attacker deployed a custom loader on compromised systems with the help of the popular VLC media player.
Brigid O Gorman of Symantec Threat Hunter Team told BleepingComputer that the attacker uses a clean version of VLC with a malicious DLL file in the same path as the media player’s export functions.
The technique is known as DLL side-loading and it is widely used by threat actors to load malware into legitimate processes to hide the malicious activity.