Once the attack is executed, the fake Flash installer downloads a legitimate Flash installer from a Google Drive URL and runs it to deceive the user into thinking that the installation went smoothly.
Researchers also say that because of the use of Metasploit, it can be assumed that there is an operator controlling the exploitation manually. More information on Turla can be found in ESET’s whitepaper
as well as their recent report
on Turla’s change in attacks.