{
	"id": "cbf1afa8-8ffe-4c7d-8a8e-a15dc01b97b8",
	"created_at": "2026-04-10T03:21:49.064447Z",
	"updated_at": "2026-04-10T13:12:50.394002Z",
	"deleted_at": null,
	"sha1_hash": "136ee5a5b57d478adda83af1ad0b6040fd253e7e",
	"title": "Malicious Microsoft Excel add-ins used to deliver RAT malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2189400,
	"plain_text": "Malicious Microsoft Excel add-ins used to deliver RAT malware\r\nBy Bill Toulas\r\nPublished: 2022-03-24 · Archived: 2026-04-10 03:08:18 UTC\r\nResearchers report a new version of the JSSLoader remote access trojan being distributed via malicious Microsoft Excel add-ins.\r\nThe particular RAT (remote access trojan) has been circulated in the wild since December 2020 and is linked to the financially motivated Russian hacking group FIN7, also known as “Carbanak.”\r\nJSSLoader is a small, lightweight RAT that can perform data exfiltration, establish persistence, fetch and load additional payloads, auto-update itself, and more.\r\nExcel add-ins\r\nhttps://www.bleepingcomputer.com/news/security/malicious-microsoft-excel-add-ins-used-to-deliver-rat-malware/\r\nPage 1 of 5\r\nThe latest campaign involving a stealthier new version of JSSLoader was observed by threat analysts at Morphisec Labs, who say the delivery mechanism is currently phishing emails with XLL or XLM attachments.\r\nAbuse of Excel XLL add-ins isn’t new, as they are commonly used for legitimate purposes, such as importing data into a worksheet or extending the functionality of Excel.\r\nIn the ongoing campaign, however, the threat actors use an unsigned file, so Excel shows the victim a clear warning about the risks of executing it.\r\nSecurity warning about unsigned XLL file (Morphisec)\r\nWhen enabled, the XLL files use malicious code inside an xlAutoOpen function to load themselves into memory, then download the payload from a remote server and execute it as a new process via an API call.\r\nMalware loading and execution flow (Morphisec)\r\nMore sophisticated obfuscation\r\nThe threat actor regularly refreshes the User-Agent on the XLL files to evade EDRs that consolidate detection information from the entire network.\r\nChanging the User-Agent on each XLL sample (Morphisec)\r\nCompared to older versions, the new JSSLoader has the same execution flow, but it now comes with a new layer of string obfuscation that includes renaming all functions and variables.\r\nString obfuscation added on the new JSSLoader (Morphisec)\r\nTo evade detection by the string-based YARA rules used by defenders, the new RAT splits the strings into sub-strings and concatenates them at runtime.\r\nStrings comparison between new and old versions (Morphisec)\r\nFinally, the string decoding mechanism is kept simple so as to leave a minimal footprint and reduce the chances of being detected by static threat scanners.\r\nMorphisec reports that these new additions, combined with the XLL file delivery, are enough to make detection by next-generation antivirus (NGAV) and endpoint detection and response (EDR) solutions challenging or even implausible.\r\nThis enables FIN7 to move through the compromised network undeterred for several days or weeks before the defenders load matching signatures on tools that complement AI-based detection solutions.\r\nFIN7 is a resourceful threat group that has previously delivered malware-laced USBs alongside teddy bear gifts, attempted to hire network penetration experts by posing as a legitimate security firm, and sent ransomware-carrying USBs via post mail.\r\nThe new and stealthier version of JSSLoader is only one part of their arsenal, helping them hide in networks for longer without being detected and stopped.\r\nSource: https://www.bleepingcomputer.com/news/security/malicious-microsoft-excel-add-ins-used-to-deliver-rat-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/malicious-microsoft-excel-add-ins-used-to-deliver-rat-malware/"
	],
	"report_names": [
		"malicious-microsoft-excel-add-ins-used-to-deliver-rat-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775791309,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/136ee5a5b57d478adda83af1ad0b6040fd253e7e.pdf",
		"text": "https://archive.orkl.eu/136ee5a5b57d478adda83af1ad0b6040fd253e7e.txt",
		"img": "https://archive.orkl.eu/136ee5a5b57d478adda83af1ad0b6040fd253e7e.jpg"
	}
}