{
	"id": "3193d17d-3f32-44a5-a5ca-db00e486e882",
	"created_at": "2026-04-06T00:11:58.764697Z",
	"updated_at": "2026-04-10T13:13:05.344965Z",
	"deleted_at": null,
	"sha1_hash": "63bdd608087954496ad8de39f161d515d866ef8f",
	"title": "DocuSign Phishing Campaign Includes Hancitor Downloader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35995,
	"plain_text": "DocuSign Phishing Campaign Includes Hancitor Downloader\r\nBy Tom Spring\r\nPublished: 2017-05-16 · Archived: 2026-04-05 22:33:35 UTC\r\nDocuSign warns of a breach and subsequent theft of email addresses that are part of a phishing campaign that\r\nemploys malicious macro-laced Word documents.\r\nElectronic document exchange vendor DocuSign warned on Monday of a wave of phishing emails targeting its\r\ncustomers with links to malicious Word documents. The campaign, it said, was tied to an earlier breach of its\r\ncomputer networks where hackers were able to gain “temporary access” and exfiltrate an undisclosed number of\r\ncustomer email addresses.\r\nDocuSign, with 100 million users and 250,000 business accounts, said “no names, physical addresses, passwords,\r\nsocial security numbers, credit card data or other information” were stolen by the hackers.\r\nPhishing emails spoofed the DocuSign brand and included a hyperlink to a Word document that contained a\r\nmalicious macro. If the document is downloaded and the macro is enabled, it delivers the Hancitor downloader.\r\nNext, Hancitor downloads either the credential stealing Pony, EvilPony or ZLoader malware, said Gregor Perotto,\r\nsenior director, global corporate marketing and communications for DocuSign.\r\nEarlier this year, researchers had reported a lull in the distribution of spam spreading information-stealing\r\nmalware via Hancitor. That dry spell ended in January when SANS Internet Storm Center noted a sharp\r\nincrease in spam containing links to download Word documents with macros that, if enabled, downloaded\r\nHancitor.\r\nThe DocuSign malicious email campaign began last week, according to the company. That’s when DocuSign said\r\nit began tracking emails that featured the subject line “Completed: docusign.com – Wire Transfer Instructions for\r\nrecipient-name Document Ready for Signature”.\r\nOn Monday, DocuSign again reached out to customers informing them that it was continuing to track the\r\nmalicious email campaign and that the subject line changed. It now read, “Completed *company name* –\r\nAccounting Invoice *number* Document Ready for Signature”, according to the company. Emails also had links\r\nto downloadable Word documents that contained Hancitor. Spoofed sender email address included\r\n@docusign.com or @docusign.net domains, DocuSign said.\r\n“As part of our ongoing investigation, today we confirmed that a malicious third party had gained temporary\r\naccess to a separate, non-core system that allows us to communicate service-related announcements to users via\r\nemail. A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical\r\naddresses, passwords, social security numbers, credit card data or other information was accessed,” the company\r\nsaid.\r\nhttps://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/\r\nPage 1 of 2\n\nIt reiterated that the breach did not impact the privacy of customer documents sent through DocuSign’s eSignature\r\nplatform. It is encouraging customers who receive malicious emails to forward them to spam@docusign.com.\r\nStill unknown is how many DocuSign email addresses were stolen.\r\nSecurity experts report incidents of macro-based malware have steadily been on the rise in 2016. In the enterprise,\r\nMicrosoft reports, 98 percent of Office-targeted threats still use old-school macro-based attacks.\r\nThe increase in macro-based attacks began earlier last summer, and criminals have been increasingly turning to\r\nOffice macros to deliver malware versus using more traditional means such as exploit kits.\r\nSource: https://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/\r\nhttps://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/"
	],
	"report_names": [
		"125724"
	],
	"threat_actors": [],
	"ts_created_at": 1775434318,
	"ts_updated_at": 1775826785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63bdd608087954496ad8de39f161d515d866ef8f.pdf",
		"text": "https://archive.orkl.eu/63bdd608087954496ad8de39f161d515d866ef8f.txt",
		"img": "https://archive.orkl.eu/63bdd608087954496ad8de39f161d515d866ef8f.jpg"
	}
}