Analysis: Abuse of Custom Actions in Windows Installer MSI to Run Malicious JavaScript, VBScript, and PowerShell Scripts April 23, 2019 https://blog.trendmicro.com/trendla...s-javascript-vbscript-and-powershell-scripts/
Notable in this attack was that the script code was executed w/o use of wscript.exe: Also, the extremely low initial detection rate by AVs. One sample I checked on VT was only detected by three AVs; Eset and Kaspersky being two of them. The use of legit AV installer components is also a first I believe. So, LOL abuse is not just limited to Windows .exe's.