{
	"id": "66a72ab1-47d4-4617-b26f-a44033ab4376",
	"created_at": "2026-04-06T00:18:03.12083Z",
	"updated_at": "2026-04-10T03:35:17.524717Z",
	"deleted_at": null,
	"sha1_hash": "1c24fa69b9c3fafcf6a596ecc8606adc4d40aac9",
	"title": "Gallmaker: New Attack Group Eschews Malware to Live off the Land",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68849,
	"plain_text": "Gallmaker: New Attack Group Eschews Malware to Live off the Land\r\nArchived: 2026-04-02 12:11:34 UTC\r\nUPDATE October 11, 2018\r\nThis blog has been updated with a revised list of IoCs. An earlier list of IoCs attached to this blog was generated through an automated system and, due to the dual-use nature of the tools used by the group, erroneously included some low-fidelity IoCs.\r\nSymantec researchers have uncovered a previously unknown attack group that is targeting government and military targets, including several overseas embassies of an Eastern European country, and military and defense targets in the Middle East. This group eschews custom malware and uses living off the land (LotL) tactics and publicly available hack tools to carry out activities that bear all the hallmarks of a cyber espionage campaign.\r\nThe group, which we have given the name Gallmaker, has been operating since at least December 2017, with its most recent activity observed in June 2018.\r\nTactics and tools\r\nThe most interesting aspect of Gallmaker’s approach is that the group doesn’t use malware in its operations. Rather, the attack activity we observed is carried out exclusively using LotL tactics and publicly available hack tools. The group takes a number of steps to gain access to a victim’s device and then deploys several different attack tools, as follows:\r\n1. The group delivers a malicious Office lure document to victims, most likely via a spear-phishing email.\r\n2. These lure documents use titles with government, military, and diplomatic themes, and the file names are written in English or in Cyrillic script. These documents are not very sophisticated, but evidence of infections shows that they’re effective. The attackers use filenames that would be of interest to a variety of targets in Eastern Europe, including:\r\nbg embassy list.docx\r\nNavy.ro members list.docx\r\n3. These lure documents attempt to exploit the Microsoft Office Dynamic Data Exchange (DDE) protocol in order to gain access to victim machines. When the victim opens the lure document, a warning appears asking the victim to “enable content” (see Figure 1). Should a user enable this content, the attackers are then able to use the DDE protocol to remotely execute commands in memory on the victim’s system. By running solely in memory, the attackers avoid leaving artifacts on disk, which makes their activities difficult to detect.\r\nhttps://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group\r\nPage 1 of 5\r\n4. Once the Gallmaker attackers gain access to a device, they execute various tools, including:\r\nWindowsRoamingToolsTask: Used to schedule PowerShell scripts and tasks.\r\nA \"reverse_tcp\" payload from Metasploit: The attackers use obfuscated shellcode that is executed via PowerShell to download this reverse shell.\r\nA legitimate version of the WinZip console: This creates a task to execute commands and communicate with the command-and-control (C\u0026C) server. It’s likely this WinZip console is used to archive data, probably for exfiltration.\r\nThe Rex PowerShell library, which is publicly available on GitHub, is also seen on victim machines. This library helps create and manipulate PowerShell scripts for use with Metasploit exploits.\r\nGallmaker is using three primary IP addresses for its C\u0026C infrastructure to communicate with infected devices. There is also evidence that it is deleting some of its tools from victim machines once it is finished, to hide traces of its activity.\r\nFigure 1. An example of the type of warning displayed by the lure document\r\nThe DDE protocol can be used for legitimate purposes to send messages between Microsoft applications that share data through shared memory, e.g. to share data between Excel and Word. However, the DDE protocol was flagged as insecure last year, when researchers discovered it could be exploited to execute code on victim machines via Excel and Word, without macros being enabled in those applications. Microsoft said at the time that this capability was a feature and the company did not consider it a vulnerability because Office always warned users before enabling DDE in documents, as seen in Figure 1. However, after the DDE protocol was subsequently exploited in a number of malware campaigns, Microsoft issued an update to Office in December 2017 that disabled DDE by default in Word and Excel. DDE can be enabled manually after this update is applied, but only if the registry is altered by an admin account.\r\nThe Gallmaker victims we have seen did not have this patch installed and therefore were still vulnerable to exploit via the DDE protocol.\r\nTargets and timeline\r\nGallmaker’s activity appears to be highly targeted, with its victims all related to the government, military, or defense sectors. Several targets are embassies of an Eastern European country. The targeted embassies are located in a number of different regions globally, but all have the same home country.\r\nThe other targets we have seen are a Middle Eastern defense contractor and a military organization. There are no obvious links between the Eastern European and Middle Eastern targets, but it is clear that Gallmaker is specifically targeting the defense, military, and government sectors: its targets appear unlikely to be random or accidental.\r\nGallmaker’s activity has been quite consistent since we started tracking it. The group has carried out attacks most months since December 2017. Its activity subsequently increased in the second quarter of 2018, with a particular spike in April 2018.\r\nFigure 2. Gallmaker activity, December 2017 to June 2018\r\nGallmaker’s activity points strongly to it being a cyber espionage campaign, likely carried out by a state-sponsored group.\r\nHow did we discover Gallmaker?\r\nThe fact that Gallmaker appears to rely exclusively on LotL tactics and publicly available hack tools makes its activities extremely hard to detect. We have written extensively about the increasing use of LotL tools and publicly available hack tools by cyber criminals. One of the primary reasons for the increased popularity of these kinds of tools is to avoid detection; attackers are hoping to “hide in plain sight”, with their malicious activity hidden in a sea of legitimate processes.\r\nGallmaker may well have continued to avoid detection were it not for Symantec’s Targeted Attack Analytics (TAA) technology. TAA combines the capabilities of Symantec’s world-leading security experts with advanced artificial intelligence and machine learning to provide organizations with their own “virtual analysts”, via our Advanced Threat Protection (ATP) product. Since its inception, TAA has detected security incidents at thousands of organizations, automating what would have taken many hours of analyst time. In this instance, TAA identified the specific PowerShell commands used by Gallmaker as being suspicious, leading to the discovery of this new campaign. Without TAA’s advanced AI-based capabilities, Gallmaker’s activities may well have remained undetected.\r\nProtection\r\nThe following protections are in place to protect customers against Gallmaker attacks:\r\nSystem Infected: Meterpreter Reverse TCP\r\nW97M.Downloader\r\nNetwork protection products also detect activity associated with Gallmaker.\r\nIndicators of Compromise\r\nThe following indicators are specific to Gallmaker:\r\nNetwork\r\n111[.]90.149.99/o2\r\n94[.]140.116.124/o2\r\n94[.]140.116.231/o2\r\nFilenames\r\nbg embassy list.docx\r\nNavy.ro members list.docx\r\nБГ в чуждите медии 23.03.2018-1.docx\r\n[REDACTED] and cae join forces to develop integrated live virtual constructive training solutions.docx\r\nА-9237-18-brasil.docx\r\nGallmaker also used tools that were available in open source projects. The Yara rule and methods shared below were used by Gallmaker but aren't exclusive to the group's activity. Detection of these in one's environment is only indicative of possible unauthorized activity. Each occurrence of a trigger must be examined to determine intent.\r\nrule Suspicious_docx\r\n{\r\nmeta:\r\ncopyright = \"Symantec\"\r\nfamily = \"Suspicious DOCX\"\r\ngroup = \"Gallmaker\"\r\ndescription = \"Suspicious file that might be Gallmaker\"\r\nstrings:\r\n$quote = /\u003cw:fldSimple w:instr=\" QUOTE (( [^\"]+)* [0-9]{2,3}){4}/\r\n$text = \"select \\\"Update field\\\" and click \\\"OK\\\"\"\r\ncondition:\r\nany of them\r\n}\r\nUse of Rex Powershell - https://github.com/rapid7/rex-powershell\r\nUse of obfuscated shellcode executed via PowerShell to download a \"reverse_tcp\" payload from Metasploit onto victim systems. For example, msfvenom -p windows/meterpreter/reverse_tcp -o payload.bin\r\nFurther reading\r\nTo find out more about TAA, read our whitepaper: Targeted Attack Analytics: Using Cloud-based Artificial Intelligence for Enterprise-Focused Advanced Threat Protection.\r\nThreat Hunter Team\r\nSymantec and Carbon Black\r\nSource: https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group"
	],
	"report_names": [
		"gallmaker-attack-group"
	],
	"threat_actors": [
		{
			"id": "75064860-5d9f-479d-accb-85c66c3b1c59",
			"created_at": "2022-10-25T15:50:23.328221Z",
			"updated_at": "2026-04-10T02:00:05.393569Z",
			"deleted_at": null,
			"main_name": "Gallmaker",
			"aliases": [
				"Gallmaker"
			],
			"source_name": "MITRE:Gallmaker",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d3f381a3-9f9f-47e7-9d02-de51b73777d3",
			"created_at": "2022-10-25T16:07:23.656177Z",
			"updated_at": "2026-04-10T02:00:04.703168Z",
			"deleted_at": null,
			"main_name": "Gallmaker",
			"aliases": [
				"G0084"
			],
			"source_name": "ETDA:Gallmaker",
			"tools": [
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2c38c87-27a5-489b-ac64-ee8306409aac",
			"created_at": "2023-01-06T13:46:38.890574Z",
			"updated_at": "2026-04-10T02:00:03.136216Z",
			"deleted_at": null,
			"main_name": "Gallmaker",
			"aliases": [],
			"source_name": "MISPGALAXY:Gallmaker",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434683,
	"ts_updated_at": 1775792117,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1c24fa69b9c3fafcf6a596ecc8606adc4d40aac9.pdf",
		"text": "https://archive.orkl.eu/1c24fa69b9c3fafcf6a596ecc8606adc4d40aac9.txt",
		"img": "https://archive.orkl.eu/1c24fa69b9c3fafcf6a596ecc8606adc4d40aac9.jpg"
	}
}