{
	"id": "07b229b2-784c-4c4a-ac30-06e877caac84",
	"created_at": "2026-04-06T00:13:01.283765Z",
	"updated_at": "2026-04-10T03:21:42.624732Z",
	"deleted_at": null,
	"sha1_hash": "1a0adbc6007772407524862a3cbb6940baa2aa16",
	"title": "New RAT in Macro-Based Docs Using AppLocker Bypass | blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6622295,
	"plain_text": "New RAT in Macro-Based Docs Using AppLocker Bypass | blog\r\nBy Sudeep Singh\r\nPublished: 2020-05-29 · Archived: 2026-04-05 13:47:25 UTC\r\nAs we've mentioned in previous blogs, cybercriminals will often tie their attacks to current events. So, it isn't\r\nsurprising that we noticed another one of these, with this particular one using tech events in London as the bait.\r\nIn February 2020 and May 2020, we observed four malicious macro-based Microsoft Word documents hosted on\r\nnewly registered sites with top-level domains of .space and .xyz. We attribute these attacks to the same threat actor\r\ndue to the similar tactics, techniques and procedures (TTPs) used to deploy the final payload.\r\nThe final .NET payload, to the best of our knowledge, has not been observed in the wild before. It has a small\r\ncode section in it that overlaps with the QuasarRAT. However, this code was not used at runtime. We have\r\nassigned the name - ShellReset to this RAT based on the unique strings found inside the final payload.\r\nDue to the limited instances we have observed in the wild, we suspect this to be a low-volume targeted attack.\r\nSome of the themes used in these attacks by the threat actor are related to important events that were originally\r\nscheduled to take place in London earlier this year, including the 5G Expo and Futurebuild.\r\nThe infection chain involves interesting techniques, such as compiling the payload at runtime on the endpoint\r\nusing trusted Windows utilities to bypass security mechanisms and downloading the next stages in the form of\r\nobfuscated source code from the attacker’s server.\r\nIn this blog, we provide a detailed description of the distribution strategy and the technical analysis of the attack.\r\nDistribution strategy\r\nThe first instance of the document related to this campaign was found on February 24, 2020. It was hosted at the\r\nURL: hxxps://documentsharing.space/files/5G%20Expo.doc?clientEmail=\r\nMD5 hash: 93f913f3b9e0ef3f5cedd196eae3f2ae\r\nFile name: 5G Expo.doc\r\nThe content of this document was related to 5G Expo event, which was scheduled to take place on March 17-18,\r\n2020 in London as shown in Figure 1.\r\nhttps://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass\r\nPage 1 of 20\n\nFigure 1: This document displays the 5G Expo 2020 theme after macros are enabled.\r\nOn the same day, we observed another instance of a document hosted on the same domain at the URL:\r\nhxxps://documentsharing.space/files/FutureBuild.doc?clientEmail=\r\nMD5 hash: b34b74effbd8647c4f5dc61358e1555f\r\nFile name: FutureBuild.doc\r\nThe content of this document was related to Futurebuild 2020 conference, which was supposed to take place\r\nbetween March 3-5, 2020 in London. The document spoofed the contents to look like an admission voucher for\r\nthis conference as shown in Figure 2.\r\nhttps://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass\r\nPage 2 of 20\n\nFigure 2: The document displays the Futurebuild 2020 theme after macros are enabled.\r\nIn both cases, the domain used to host the file was documentsharing[.]space. As per the Whois records of the\r\ndomain, it was registered on October 21, 2019.\r\nThe next two instances of the documents from the same threat actor were observed in May 2020.\r\nOn May 19, 2020, we found a malicious macro-based Word document hosted at the URL:\r\nhxxps://misrmarket[.]xyz/files/Get%20Stared.doc?clientEmail=\r\nMD5 hash: 7bebf686b6e1d3fa537e8a0c2e5a4bdc\r\nFile name: Get%20Stared.doc\r\nThe content of this document was a message about a personal data revolution and included a list of legitimate sites\r\nas shown in Figure 3.\r\nhttps://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass\r\nPage 3 of 20\n\nFigure 3: The document displays a message about a personal data revolution.\r\nUpon further research, we found that this text was copied from a legitimate site, datacoup.com, as shown in Figure\r\n4. Attackers use such tactics for social engineering purposes to make the content of the file look relevant and\r\nlegitimate.\r\nhttps://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass\r\nPage 4 of 20\n\nFigure 4: The message displayed in the document was copied from datacoup.com.\r\nThe site that was used to host this document is a spoof of the popular site, anonfiles.com, which allows the users\r\nto upload their files anonymously. There is a slight difference between the user interface of this spoofed site and\r\nthe original site.\r\nFigure 5 shows the user interface of the spoofed site.\r\nhttps://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass\r\nPage 5 of 20\n\nFigure 5: The web user interface of the spoofed version of anonfiles.com.\r\nFigure 6 shows the user interface of the original site.\r\nFigure 6: The original site, anonfiles.com, and the differences with the spoofed version.\r\nThe regions of the site marked in red were not present in the spoofed domain. As per Whois data, the spoofed site,\r\nmisrmarket[.]xyz, was registered on February 26, 2020.\r\nA common pattern we observed in all the URLs hosting the documents was: “?clientEmail=”\r\nThis parameter of the URL contained the email address of the targeted user.\r\nTechnical analysis of the macro\r\nWhen the macro-based document is opened, it will display a message that asks the user to enable macros to view\r\nthe contents as shown in Figure 7.\r\nhttps://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass\r\nPage 6 of 20\n\nFigure 7: The message displayed by the document, which asks the user to enable macros.\r\nWhen the macros are enabled, the Auto_Open() subroutine of the macro is called, which will hide the above image\r\nand display the image corresponding to the theme of the document (5G Expo, Future Build 2020, and others) as\r\ndescribed in previous section.\r\nThe relevant macro code section, which unhides the image after macros are enabled, is shown in Figure 8.\r\nFigure 8: The macro code used to unhide the image.\r\nFor the purpose of analysis, we will take the file with MD5 hash: 7bebf686b6e1d3fa537e8a0c2e5a4bdc\r\nThe contents of the macro are shown in Figure 9.\r\nhttps://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass\r\nPage 7 of 20\n\nFigure 9: The macro code in the document.\r\nThe main functions performed by this macro code are:\r\nIt sets the working directory and the name of the dropped file to ServiceHostV1000.\r\nIt contains the complete C# code embedded inside the macro, which will be written at runtime to the file:\r\nServiceHostV1000.cs in the working directory. The C# code is obfuscated at the source level. The\r\nobfuscation is simple. Only the variable, class and method names are obfuscated.\r\nIt sets the compiler directory to the location of the file, csc.exe, on the machine. Csc.exe is the command\r\nline compiler for C# code and is installed by default with Microsoft .NET framework. The macro searches\r\nfor versions 3.5 and 4.0.x on the machine. It sets the compiler directory accordingly based on the version of\r\n.NET framework installed on the machine as shown in Figure 10.\r\nFigure 10: The macro code used to compile C# code on the machine.\r\nIt compiles the code using csc.exe and the command line parameter:”-target:winexe -out:”. The compiled\r\nbinary will be present in the Startup directory.\r\nhttps://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass\r\nPage 8 of 20\n\nIt deletes the working directory that contained the source code.\r\nIt executes the compiled binary.\r\nMSbuild.exe was used in this case to compile the code on the machine using a .csproj file as a method to bypass\r\nWindows security mechanisms, such as AppLocker and Device Guard. This technique was made public for the\r\nfirst time by Casey Smith a few years ago.\r\nAnalysis of .NET binary\r\nMD5 hash: 4e0f9f47849949b14525c844005bb567\r\nFile name: ServiceHostV1000.exe\r\nThe main subroutine of the .NET binary is shown in Figure 11.\r\nFigure 11: The main subroutine of .NET binary.\r\nBelow are the main operations performed by this .NET binary.\r\nIt sends an HTTP GET request to the URL: misrmarket[.]xyz/files/app-provider/getApp and sets the Content-type\r\nrequest header field to: “application/json”.\r\nFigure 12 shows the contents of the response from the server, which contains a JSON file.\r\nhttps://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass\r\nPage 9 of 20\n\nFigure 12: The server response containing the JSON data.\r\nThis JSON file contains three keys:\r\nVersion: Set to null.\r\ncsproj: Contains project file used by msbuild.exe at the time of compiling the C# project.\r\ncs: Contains the C# code that needs to be compiled at runtime.\r\n1. The C# code used DataContractJsonSerializer class to parse the JSON response from the server and extract\r\nthe individual members. The .cs and .csproj files were dropped in the location:\r\n%USERPROFILE%\\ServiceTaskV1001 with the file names, w.cs and w.csproj.\r\n2. For compiling the C# code, it uses msbuild.exe. The versions of .NET framework checked on the machine\r\nto find msbuild.exe are version 3.5 and 4.0.x as shown in Figure 13.\r\nFigure 13: Code section which checks version of .NET framework on the machine.\r\nAnalysis of .NET-based RAT\r\nhttps://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass\r\nPage 10 of 20\n\nMD5 hash of the payload: 8f62d7499d5599b9db7eeddf9c01a061\r\nSystem information gathering\r\nThe first activity performed by the payload is to gather information about the system as shown in Figure 14.\r\nFigure 14: The code section used to gather system information.\r\nInformation about the following properties are collected from the machine:\r\nBot ID: A unique identifier for the machine. The calculation of this field is detailed later in this blog.\r\nCPU name: Processor details.\r\nRAM – The total amount of RAM installed on the machine.\r\nUser name\r\nHost name\r\nSystem drive name\r\nSystem directory path\r\nUptime\r\nOperating system type: This field is set to windows.\r\nCalculation of unique bot ID: The payload first calculates a unique identifier for the machine which will be used\r\nto identify the bot. It calculates this ID using various properties of the machine as detailed below.\r\na = “SerialNumber” field from the output of WMI query: SELECT * FROM Win32_DiskDrive\r\nb = “Name” field from the output of WMI query: SELECT * FROM Win32_Processor\r\nc = “Manufacturer” and “SerialNumber” field from the output of WMI query: SELECT * FROM\r\nWin32_BaseBoard\r\nd = “Manufacturer” field from the output of WMI query: SELECT * FROM Win32_BIOS\r\nThe final ID is calculated by linking all the above values (a, b, c and d), then calculating the MD5 hash and using\r\nthe first 12 characters of the resulting MD5 hash.\r\nThis can be represented as: MD5(a+b+c+d)[0:12]\r\nA unique integer value of 15 is appended to it to generate the final ID.\r\nhttps://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass\r\nPage 11 of 20\n\nOnce the above information is collected from the machine, it is sent to the server in an HTTP POST request as\r\nshown in Figure 15.\r\nFigure 15: The code section used to register the bot with the Command and Control (C\u0026C) server.\r\nThe request is sent to the URL: hxxp://theashyggdrasil[.]xyz/api/clients/identifyClient and the Content-Type field\r\nis set to “application/json”. This first network request post-infection is used to register the bot with the attacker’s\r\nserver with a unique identifier.\r\nThe network request is shown in Figure 16.\r\nFigure 16: The system information sent to C\u0026C server in an HTTP POST request.\r\nhttps://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass\r\nPage 12 of 20\n\nC\u0026C communication\r\nOnce the bot is registered with the server, it sends a GET request to the path: /api/orders/getOrders/ to fetch the\r\ncommand that needs to be executed on the machine. The response from the server will be in JSON format that will\r\nbe parsed by the bot.\r\nThe subroutine that handles the C\u0026C communication is shown in Figure 17.\r\nFigure 17: The subroutine that handles the C\u0026C communication.\r\nThere are four operations supported by the bot, which are described below.\r\ncmdExec: This operation allows the attacker to execute code on the machine. By parsing the JSON response, a\r\nCmdReq structure is retrieved which has two members:\r\nshellId\r\ncommand\r\nThe subroutine for cmdExec operation is shown in Figure 18.\r\nhttps://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass\r\nPage 13 of 20\n\nFigure 18: The subroutine that handles the cmdExec command.\r\nIf the command is equal to “***reset*shell***”, then a new instance of cmd.exe is spawned on the machine as\r\nshown in Figure 19.\r\nFigure 19: The subroutine used to spawn a new shell.\r\nFor any other command, the same shell will be used to execute.\r\ngetDir: This command can retrieve the complete list of all the files present in a specific path on the machine.\r\nhttps://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass\r\nPage 14 of 20\n\nFigure 20: The subroutine that handles the getDir command.\r\nThis information will be exfiltrated to the server in an HTTP GET request to the path: /api/files/onGetDirRun\r\nuploadFile: This command is used to upload a file from a given path on the machine to the attacker’s server as\r\nshown in Figure 21.\r\nhttps://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass\r\nPage 15 of 20\n\nFigure 21: The subroutine that handles the uploadFile C\u0026C command.\r\nAwsInfoRes is a class with two members:\r\nuploadUrl\r\nfileKey\r\nThis information is retrieved from the server by sending an HTTP GET request to the\r\npath: /api/assets/getAwsUploadUrl\r\nFrom the JSON response, the uploadURL and fileKey values are extracted.\r\nThe file will be exfiltrated by sending an HTTP PUT request to the URL defined in the uploadURL member of the\r\nAwsInfoRes object.\r\ngetScreenshot: This command allows the attacker to remotely take screenshots of the machine as shown in Figure\r\n22.\r\nhttps://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass\r\nPage 16 of 20\n\nFigure 22: The subroutine that handles the getScreenshot command.\r\nQuasarRAT code overlap\r\nThere is a small code section in this .NET binary that has a code overlap with the QuasarRAT. The overlap is only\r\nwith the StringHelper class of the QuasarRAT.\r\nFigure 23 shows this section of code from the .NET binary.\r\nhttps://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass\r\nPage 17 of 20\n\nFigure 23: The code section that has overlap with the QuasarRAT.\r\nThese functions are similar to the ones defined in the StringHelper class of QuasarRAT. However, most of these\r\nfunctions are not called in the .NET binary in this case.\r\nCloud Sandbox detection\r\nFigure 24 shows the Zscaler Cloud Sandbox successfully detecting this document-based threat.\r\nFigure 24: The Zscaler Cloud Sandbox detection.\r\nIn addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at\r\nvarious levels, as seen here: Win32.RAT.ShellReset\r\nConclusion\r\nThis threat actor leverages themes relevant to current events, such as conferences and exhibitions, to spread\r\nmalicious macro-based documents. Users should verify the source of such documents before opening them.\r\nAs an extra precaution, users should not enable macros for Microsoft Office files that are received from untrusted\r\nsources since these macros have the capability to run malicious code on the machine.\r\nThe Zscaler ThreatLabZ team will continue to monitor this attack, as well as others, to help keep our\r\ncustomers safe.\r\nMITRE ATT\u0026CK TTP Mapping\r\nTactic Technique\r\nhttps://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass\r\nPage 18 of 20\n\nT1064 Macros in document used for code execution.\r\nT1127 Uses MSBuild.exe to proxy execution of code through a trusted Windows Utility.\r\nT1060 Startup directory-based persistence.\r\nT1113 Takes screen captures of the desktop.\r\nTA0010 Data exfiltrated from the machine to the server.\r\nT1083 File and Directory discovery.\r\nT1059 Uses cmd.exe to execute commands remotely on the machine.\r\nIndicators of Compromise (IOCs)\r\nHashes of the macro-based documents\r\n93f913f3b9e0ef3f5cedd196eae3f2ae\r\nb34b74effbd8647c4f5dc61358e1555f\r\n7bebf686b6e1d3fa537e8a0c2e5a4bdc\r\n1d94b086996c99785f78bf484295027a\r\nURLs hosting the documents\r\nhxxps://documentsharing.space/files/5G%20Expo.doc?clientEmail=\r\nhxxps://documentsharing.space/files/FutureBuild.doc?clientEmail=\r\nhxxps://misrmarket.xyz/files/Get%20Stared.doc\r\nhxxps://consumerspost.xyz/files/Swissin-Voucher.doc\r\nURLs used to download next stage\r\nhxxps://misrmarket.xyz/files/app-provider/getApp\r\nhxxps://misrmarket.xyz/files/app-provider/getLatestVersion\r\nhxxps://centeralfiles.xyz/files/app-provider/getApp\r\nhxxps://centeralfiles.xyz/files/app-provider/ getLatestVersion\r\nPost-infection domains\r\ntheashyggdrasil.xyz\r\nAPI endpoints used in post-infection domains\r\nhttps://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass\r\nPage 19 of 20\n\n/api/cmd/onCmdRun\r\n/api/clients/identifyClient\r\n/api/assets/onCreated\r\n/api/assets/getAwsUploadUrl\r\n/api/files/onGetDirRun\r\n/api/orders/getOrders/\r\nExplore more Zscaler blogs\r\nSource: https://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass\r\nhttps://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass\r\nPage 20 of 20",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass"
	],
	"report_names": [
		"shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass"
	],
	"threat_actors": [],
	"ts_created_at": 1775434381,
	"ts_updated_at": 1775791302,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1a0adbc6007772407524862a3cbb6940baa2aa16.pdf",
		"text": "https://archive.orkl.eu/1a0adbc6007772407524862a3cbb6940baa2aa16.txt",
		"img": "https://archive.orkl.eu/1a0adbc6007772407524862a3cbb6940baa2aa16.jpg"
	}
}