{ "id": "2c6cf8e1-9d4a-4fa5-93b2-8d1793fa64ab", "created_at": "2026-04-06T02:11:24.460281Z", "updated_at": "2026-04-10T03:37:50.791472Z", "deleted_at": null, "sha1_hash": "77b6d637bf703fc59d42da667715f8ae0653cece", "title": "Russia-Linked APT28 group observed using DDE attack to deliver malware", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 604479, "plain_text": "Russia-Linked APT28 group observed using DDE attack to deliver\r\nmalware\r\nBy Pierluigi Paganini\r\nPublished: 2017-11-09 · Archived: 2026-04-06 01:31:01 UTC\r\n Pierluigi Paganini November 09, 2017\r\nSecurity experts at McAfee observed the Russian APT28 group using the recently\r\nreported the DDE attack technique to deliver malware in espionage campaign.\r\nSecurity experts at McAfee observed the Russian APT group APT28 using the recently reported the DDE\r\ntechnique to deliver malware in targeted attacks.\r\nThe cyber spies were conducting a cyber espionage campaign that involved blank documents whose name\r\nreferenced the recent terrorist attack in New York City.\r\n“During our monitoring of activities around the APT28 threat group, McAfee Advanced Threat Research analysts\r\nidentified a malicious Word document that appears to leverage the Microsoft Office Dynamic Data Exchange\r\n(DDE) technique that has been previously reported by Advanced Threat Research. This document likely marks the\r\nfirst observed use of this technique by APT28.” reported McAfee.\r\nThe Dynamic Data Exchange (DDE) is a protocol designed to allow data transferring between applications,\r\nattackers have devised a method to achieve the execution of malicious code embedded in Office documents\r\nwithout user’s interaction by using DDE.\r\nThe DDE protocol allows an Office application to load data from another Office application, it was replaced by\r\nMicrosoft with Object Linking and Embedding (OLE), but it is still supported.\r\nhttp://securityaffairs.co/wordpress/65318/hacking/dde-attack-apt28.html\r\nPage 1 of 3\n\nThe DDE technique was implemented by several threat actors such as the FIN7 APT group in DNSMessenger\r\nmalware attacks, and the operators behind the Hancitor malware campaign spotted and detailed by Internet Storm\r\nCenter (ISC) handler Brad Duncan.\r\nRecently the technique was used by threat actors behind the Necurs botnet to deliver the Locky ransomware.\r\nUnfortunately, Microsoft doesn’t plan to introduce security countermeasures to mitigate the DDE attack because\r\nthe tech giant considers the feature as legit.\r\nIn the recent campaign conducted by APT28, hackers used a document referencing the New York City attack to\r\ndeliver the first-stage payload tracked as Seduploader.\r\nThe Seduploader malware, also known as GAMEFISH backdoor, Sednit, JHUHUGIT and Sofacy, is a strain of\r\nmalware that has been already used by the threat actor in other campaigns against NATO representatives.\r\nThe Seduploader is a reconnaissance malware that was used for years by APT28, it is composed of 2 files: a\r\ndropper and a payload.\r\nThe malware is downloaded from a remote server using PowerShell commands, experts\r\nThe analysis of the malware and command and control (C\u0026C) domains used in the campaign revealed the\r\ncampaign involving DDE started on October 25.\r\nAccording to the experts, the recent attacks are part of a campaign that also involved documents referencing Saber\r\nGuardian, a multinational military exercise involving approximately 25,000 military personnel from over 20\r\nparticipating nations. The military exercise was conducted by the U.S. Army in Eastern Europe in an effort to\r\ndeter an invasion (by Russia) into NATO territory.\r\nJust two week ago, researchers with Cisco Talos have spotted another cyber espionage campaign conducted by\r\nthe APT28 group targeting individuals with spear-phishing messages using documents referencing a NATO\r\ncybersecurity conference.\r\nhttp://securityaffairs.co/wordpress/65318/hacking/dde-attack-apt28.html\r\nPage 2 of 3\n\nThe hackers targeted individuals with a specific interest in the CyCon US cybersecurity conference organized by\r\nthe NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in collaboration with the Army Cyber\r\nInstitute at West Point on November 7-8 in Washington, D.C.\r\n“APT28 is a resourceful threat actor that not only capitalizes on recent events to trick potential victims into\r\ninfections, but can also rapidly incorporate new exploitation techniques to increase its success. Given the\r\npublicity the Cy Con U.S campaign received in the press, it is possible APT28 actors moved away from using the\r\nVBA script employed in past actions and chose to incorporate the DDE technique to bypass network defenses.”\r\nconcluded McAfee. “Finally, the use of recent domestic events and a prominent US military exercise focused on\r\ndeterring Russian aggression highlight APT28’s ability and interest in exploiting geopolitical events for their\r\noperations.”\r\n[adrotate banner=”9″] [adrotate banner=”12″]\r\nPierluigi Paganini\r\n(Security Affairs – DDE attack, cyber espionage)\r\n[adrotate banner=”5″]\r\n[adrotate banner=”13″]\r\nSource: http://securityaffairs.co/wordpress/65318/hacking/dde-attack-apt28.html\r\nhttp://securityaffairs.co/wordpress/65318/hacking/dde-attack-apt28.html\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "MITRE" ], "references": [ "http://securityaffairs.co/wordpress/65318/hacking/dde-attack-apt28.html" ], "report_names": [ "dde-attack-apt28.html" ], "threat_actors": [ { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf", "created_at": "2023-01-06T13:46:38.405479Z", "updated_at": "2026-04-10T02:00:02.961112Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "ATK32", "G0046", "G0008", "Sangria Tempest", "ELBRUS", "GOLD NIAGARA", "Coreid", "Carbanak", "Carbon Spider", "JokerStash", "CARBON SPIDER" ], "source_name": "MISPGALAXY:FIN7", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null }, { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bfded1cf-be73-44f9-a391-0751c9996f9a", "created_at": "2022-10-25T15:50:23.337107Z", "updated_at": "2026-04-10T02:00:05.252413Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "FIN7", "GOLD NIAGARA", "ITG14", "Carbon Spider", "ELBRUS", "Sangria Tempest" ], "source_name": "MITRE:FIN7", "tools": [ "Mimikatz", "AdFind", "JSS Loader", "HALFBAKED", "REvil", "PowerSploit", "CrackMapExec", "Carbanak", "Pillowmint", "Cobalt Strike", "POWERSOURCE", "RDFSNIFFER", "SQLRat", "Lizar", "TEXTMATE", "BOOSTWRITE" ], "source_id": "MITRE", "reports": null }, { "id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82", "created_at": "2022-10-25T16:07:23.619566Z", "updated_at": "2026-04-10T02:00:04.690061Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "APT-C-11", "ATK 32", "G0046", "Gold Niagara", "GrayAlpha", "ITG14", "TAG-CR1" ], "source_name": "ETDA:FIN7", "tools": [ "7Logger", "Agentemis", "Anubis Backdoor", "Anunak", "Astra", "BIOLOAD", "BIRDWATCH", "Bateleur", "Boostwrite", "CROWVIEW", "Carbanak", "Cobalt Strike", "CobaltStrike", "DICELOADER", "DNSMessenger", "FOWLGAZE", "HALFBAKED", "JSSLoader", "KillACK", "LOADOUT", "Lizar", "Meterpreter", "Mimikatz", "NetSupport", "NetSupport Manager", "NetSupport Manager RAT", "NetSupport RAT", "NetSupportManager RAT", "POWERPLANT", "POWERSOURCE", "RDFSNIFFER", "Ragnar Loader", "SQLRAT", "Sardonic", "Sekur", "Sekur RAT", "TEXTMATE", "Tirion", "VB Flash", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null }, { "id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab", "created_at": "2022-10-25T16:07:24.212584Z", "updated_at": "2026-04-10T02:00:04.900038Z", "deleted_at": null, "main_name": "Sofacy", "aliases": [ "APT 28", "ATK 5", "Blue Athena", "BlueDelta", "FROZENLAKE", "Fancy Bear", "Fighting Ursa", "Forest Blizzard", "G0007", "Grey-Cloud", "Grizzly Steppe", "Group 74", "GruesomeLarch", "ITG05", "Iron Twilight", "Operation DealersChoice", "Operation Dear Joohn", "Operation Komplex", "Operation Pawn Storm", "Operation RoundPress", "Operation Russian Doll", "Operation Steal-It", "Pawn Storm", "SIG40", "Sednit", "Snakemackerel", "Sofacy", "Strontium", "T-APT-12", "TA422", "TAG-0700", "TAG-110", "TG-4127", "Tsar Team", "UAC-0028", "UAC-0063" ], "source_name": "ETDA:Sofacy", "tools": [ "ADVSTORESHELL", "AZZY", "Backdoor.SofacyX", "CHERRYSPY", "CORESHELL", "Carberp", "Computrace", "DealersChoice", "Delphacy", "Downdelph", "Downrage", "Drovorub", "EVILTOSS", "Foozer", "GAMEFISH", "GooseEgg", "Graphite", "HATVIBE", "HIDEDRV", "Headlace", "Impacket", "JHUHUGIT", "JKEYSKW", "Koadic", "Komplex", "LOLBAS", "LOLBins", "Living off the Land", "LoJack", "LoJax", "MASEPIE", "Mimikatz", "NETUI", "Nimcy", "OCEANMAP", "OLDBAIT", "PocoDown", "PocoDownloader", "Popr-d30", "ProcDump", "PythocyDbg", "SMBExec", "SOURFACE", "SPLM", "STEELHOOK", "Sasfis", "Sedkit", "Sednit", "Sedreco", "Seduploader", "Shunnael", "SkinnyBoy", "Sofacy", "SofacyCarberp", "SpiderLabs Responder", "Trojan.Shunnael", "Trojan.Sofacy", "USB Stealer", "USBStealer", "VPNFilter", "Win32/USBStealer", "WinIDS", "Winexe", "X-Agent", "X-Tunnel", "XAPS", "XTunnel", "Xagent", "Zebrocy", "Zekapab", "carberplike", "certutil", "certutil.exe", "fysbis", "webhp" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775441484, "ts_updated_at": 1775792270, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/77b6d637bf703fc59d42da667715f8ae0653cece.pdf", "text": "https://archive.orkl.eu/77b6d637bf703fc59d42da667715f8ae0653cece.txt", "img": "https://archive.orkl.eu/77b6d637bf703fc59d42da667715f8ae0653cece.jpg" } }