{
	"id": "655f4ffa-ce8b-4b29-a861-456b6a822fa7",
	"created_at": "2026-04-06T00:18:50.367661Z",
	"updated_at": "2026-04-10T03:21:01.637657Z",
	"deleted_at": null,
	"sha1_hash": "7f20b1adcb2c99d26b438799650eb3e2771b5e76",
	"title": "Stealthy Cyberespionage Campaign Attacks With Social Engineering - Security - Spiceworks Community",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 197396,
	"plain_text": "Stealthy Cyberespionage Campaign Attacks With Social\r\nEngineering - Security - Spiceworks Community\r\nPublished: 2015-06-24 · Archived: 2026-04-05 16:35:40 UTC\r\nCyberespionage continues to be a hot topic in our industry, and the information security nerd in me always finds it\r\nexciting when our McAfee Labs team is able to speak about their findings. Here is a blog post from Rahul\r\nMohandas on a recent campaign:\r\nStealthy Cyberespionage Campaign Attacks With Social Engineering\r\nCyberespionage attacks pose a challenge for the security industry as well as for the organizations trying to protect\r\nagainst them. Last year, McAfee Labs predicted that in 2015 these attacks would increase in frequency and\r\nbecome stealthier, and we have seen this occur. Cyberespionage aims at specific organizations or sectors that are\r\nhigh-value targets, with most attacks flying under the radar.\r\nThe McAfee Labs research team has tracked an advanced persistent threat for the past couple of months. This\r\ngroup has evolved a lot in sophistication and evasion techniques to defeat detection by security products. This\r\ngroup has been active since at least 2014 and uses spear-phishing campaigns to target enterprises. We have\r\nobserved this group targeting defense, aerospace, and legal sector companies.\r\nThe Attack\r\nThe preceding email provides a clear indication that the attackers have researched their target and its employees.\r\nSocial media sites such as LinkedIn, Twitter, and Facebook are good sources of such valuable information, which\r\ncan be used for social-engineering attacks.\r\nhttps://community.spiceworks.com/topic/1028936-stealthy-cyberespionage-campaign-attacks-with-social-engineering\r\nPage 1 of 4\n\nThe Excel attachment opens with a “password protected” window, tricking the victim into believing the file\r\nrequires a password to display the content.\r\nThe Excel file is laced with a malicious macro that runs in the background. 
To prevent easy detection, the macro is\r\nobfuscated using Base64. The Excel file drops an .hta file, which contains the backdoor functionality.\r\nThis attack uses some novel techniques:\r\nA JavaScript backdoor component, unlike most exploits or malicious Office files, which use an embedded\r\nor a direct download of a binary.\r\nThe JavaScript backdoor is obfuscated and dropped to %Appdata%\\Microsoft\\Protect\\CRED. It persists on\r\nthe machine using a registry run entry created by the mshta application.\r\nThe launched window is hidden using the JavaScript command “window.moveTo(-100,-100),\r\nwindow.resizeTo(0,0).”\r\nJavaScript backdoor capabilities\r\nThe attack minimizes its footprint by running only a script, which has a lower chance of being flagged as malicious.\r\nSome of the backdoor capabilities:\r\nQuerying system information using WMI.\r\nUsing a proxy server for connections.\r\nDownloading and executing remote files.\r\nUsing file/directory/network/process/registry and system operations.\r\nControl servers\r\nThe WMI queries collect system-related data. The following parameters are collected and Base64 encoded before\r\nposting to the control servers:\r\nHash of volume serial number\r\nComputer name\r\nIP address\r\nCurrent username\r\nOperating system\r\nProxy server\r\nThe JavaScript backdoor connects to a gateway that receives additional commands from the attacker. Some of the\r\ncontrol servers:\r\nhxxp://humans.mooo[.]info/common[.]php\r\nhxxp://mines.port0[.]org/common[.]php\r\nhxxp://eholidays.mooo[.]com/common[.]php\r\nOne of the attacker’s first actions is to profile the infected host by executing commands that display a list of\r\ndomains, computers, or resources shared by the specified computer (using the net view command). 
This is\r\nfollowed by gathering more information about the files on the desktop and other drives. An attacker can use this\r\ninformation for further lateral movement. All the data is posted to the control server as Base64-encoded data.\r\nDetection\r\nDefending against these highly targeted social-engineering attacks involves a human element. Although technical\r\ncontrols mitigate the risks, it’s imperative that organizations establish policies to help employees spot suspicious\r\nevents.\r\nMcAfee Advanced Threat Defense provides zero-day protection against this attack based on its behavior.\r\nThe following Yara rule detects the OLE attack vector:\r\nrule APT_OLE_JSRat\r\n{\r\n    meta:\r\n        author = \"Rahul Mohandas\"\r\n        Date = \"2015-06-16\"\r\n        Description = \"Targeted attack using Excel/word documents\"\r\n    strings:\r\n        $header = {D0 CF 11 E0 A1 B1 1A E1}\r\n        $key1 = \"AAAAAAAAAA\"\r\n        $key2 = \"Base64Str\" nocase\r\n        $key3 = \"DeleteFile\" nocase\r\n        $key4 = \"Scripting.FileSystemObject\" nocase\r\n    condition:\r\n        $header at 0 and (all of ($key*))\r\n}\r\nI thank my colleague Kumaraguru Velmurugan of the Advanced Threat Defense Group for his invaluable\r\nassistance.\r\nSource: https://community.spiceworks.com/topic/1028936-stealthy-cyberespionage-campaign-attacks-with-social-engineering",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://community.spiceworks.com/topic/1028936-stealthy-cyberespionage-campaign-attacks-with-social-engineering"
	],
	"report_names": [
		"1028936-stealthy-cyberespionage-campaign-attacks-with-social-engineering"
	],
	"threat_actors": [],
	"ts_created_at": 1775434730,
	"ts_updated_at": 1775791261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7f20b1adcb2c99d26b438799650eb3e2771b5e76.pdf",
		"text": "https://archive.orkl.eu/7f20b1adcb2c99d26b438799650eb3e2771b5e76.txt",
		"img": "https://archive.orkl.eu/7f20b1adcb2c99d26b438799650eb3e2771b5e76.jpg"
	}
}