Operation Epic Manchego - Threat Group Cards: A Threat Actor
Encyclopedia
Archived: 2026-04-06 00:09:13 UTC
Home > List all groups > Operation Epic Manchego
 APT group: Operation Epic Manchego
Names Operation Epic Manchego (NVISO)
Country [Unknown]
Motivation Information theft and espionage
First seen 2020
Description
(NVISIO) In July 2020, NVISO detected a set of malicious Excel documents, also known as
“maldocs”, that deliver malware through VBA-activated spreadsheets. While the malicious
VBA code and the dropped payloads were something we had seen before, it was the specific
way in which the Excel documents themselves were created that caught our attention.
The creators of the malicious Excel documents used a technique that allows them to create
macro-laden Excel workbooks, without actually using Microsoft Office. As a side effect of this
particular way of working, the detection rate for these documents is typically lower than for
standard maldocs.
Observed
Countries: Bulgaria, Canada, China, Czech, France, Germany, Hungary, Italy, Japan, Malaysia,
Netherlands, Poland, Romania, South Korea, Sweden, UK, Ukraine, Uruguay, USA, Vietnam.
Tools used Agent Tesla, AZORult, Formbook, Matiex, njRAT.
Information
Last change to this card: 17 September 2020
Download this actor card in PDF or JSON format
Source: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=f3b26faa-9b21-4401-8448-67b9c636c16f
https://apt.etda.or.th/cgi-bin/showcard.cgi?u=f3b26faa-9b21-4401-8448-67b9c636c16f
Page 1 of 1