{
	"id": "8395b5ad-04c8-4579-8b9b-5deb3b1c89ca",
	"created_at": "2026-04-06T00:22:17.971039Z",
	"updated_at": "2026-04-10T03:24:39.74684Z",
	"deleted_at": null,
	"sha1_hash": "96bf41fc99f51b2755358ba0e89941dd839572f9",
	"title": "Inception Attackers Target Europe with Year-old Office Vulnerability",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 853675,
	"plain_text": "Inception Attackers Target Europe with Year-old Office Vulnerability\r\nBy Tom Lancaster\r\nPublished: 2018-11-05 · Archived: 2026-04-05 13:59:38 UTC\r\nThe Inception attackers have been active since at least 2014 and have been documented previously by both Blue Coat and Symantec; historical attacks used custom malware for a variety of platforms, and targeted a range of industries, primarily in Russia, but also around the world. This blog describes attacks against European targets observed in October 2018, using CVE-2017-11882 and a new PowerShell backdoor we’re calling POWERSHOWER due to the attention to detail in terms of cleaning up after itself, along with the malware being written in PowerShell.\r\nUnit 42 has previously observed attacks from the group in 2017 against government targets in Europe, Russia, and Central Asia and expects these to remain the primary regions in which this threat is seen.\r\nIn the last writeup by Symantec they describe a two-stage spear phishing process used by the Inception attackers, whereby the attackers first send a reconnaissance spear phish, and follow this up with a second spear phish containing a remote template, which if loaded delivers a first stage payload.\r\nIn their most recent attacks it appears that only one document is used, but in a way that allows them to not reveal their final payload immediately; however, the use of templates remains the same.\r\nRemote Templates are Great\r\nRemote templates are a feature of Microsoft Word which allow a document to load a template to be used in a document – this template can be externally hosted, either on a file share, or on the internet. The template is then loaded when the document is opened. The Inception attackers use this feature in a malicious context as shown in Figure 1 below:\r\nFigure 1. Overview of how the attack takes place.\r\nhttps://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/\r\nPage 1 of 6\r\nUsing a remote template in this way has been a consistent feature of the Inception attackers’ attacks for the past 4 years and has three main benefits to the attacker:\r\n1. The initial document does not contain any explicitly malicious object; it simply references an external object, meaning it should bypass static analysis techniques. An example of how this appears in the document is shown in Figure 2.\r\n2. The attacker has the option to deploy malicious content to the victim based upon initial data received from the target, such as Microsoft Word version (sent in the User-Agent) and the IP address of the target, see Figure 1.\r\n3. Once the attack is over, and the server hosting the remote template is down, it is difficult for researchers to analyze the attack as the remote content is unlikely to be available to them.\r\nFigure 2. Example of how remote templates are referenced in Inception documents.\r\nWhen opened, the documents display decoy content and attempt to fetch a malicious remote payload via HTTP. The decoy content is usually copied from media reports, often with political themes in the target regions; some examples of decoys observed are shown in Figure 3, including invites to international conferences and news articles on the current situation in Crimea.\r\nFigure 3. Examples of decoys shown in Inception attacks in 2018. The first is taken from a VGOPAD invitation sent on Facebook in 2017, the second is from a European Policy center summary.\r\nOn most occasions the remote server did not return a malicious template; however, we recently observed two cases where a malicious template containing two exploits was served. In both cases the template contained exploits for both CVE-2012-1856 and CVE-2017-11882, which target vulnerabilities in Word disclosed and patched in 2012 and 2017 respectively.\r\nThe payload for the exploits was VBScript in an OLE package object, which in turn decodes and executes POWERSHOWER, a simple PowerShell backdoor.\r\nPOWERSHOWER – Malware that Cleans up After Itself\r\nEarlier, we mentioned that previous attacks were apparently delivered over two spear phishing emails, with the first only being used for reconnaissance. In the latest cases we only observed a single document being sent to the targets, with reconnaissance, exploitation, and payload delivery happening on the first attempt.\r\nThe dropped payload, POWERSHOWER, acts as an initial reconnaissance foothold and is almost certainly used to download and execute a secondary payload with a more complete set of features. By only using this simple backdoor to establish a foothold, the attacker can hold back their most sophisticated and complex malware for later stages, making them less likely to be detected.\r\nIn a nutshell, POWERSHOWER allows the attacker to:\r\nFingerprint the machine, and upload this information to the initial C\u0026C.\r\nClean up a significant amount of forensic evidence from the dropper process, as we detail below.\r\nRun a secondary payload, if the attacker decides the target machine is sufficiently interesting (based on analysis of the system data sent from the first beacon).\r\nPOWERSHOWER Analysis\r\nPOWERSHOWER first checks if Microsoft Word is currently running; if it is, then the malware assumes it is the first run through of the malware and performs the following operations:\r\n1. Writes itself to %AppData%\\Microsoft\\Word\\log.ps1\r\n2. Sets up persistence for this file, using a run key.\r\n3. Adds a registry key so that future powershell.exe instances are spawned off-screen by default – this trick is explained here.\r\n4. Kills the Microsoft Word process.\r\n5. Removes all files created during the dropper process, including evidence the original document was opened, the initial .VBS file, and all temporary files associated with the retrieval of the remote template in the IE temporary files directory.\r\n6. Removes all registry entries that are left behind during the dropper process.\r\n7. Collects system information on the infected machine and POSTs it to the C2.\r\nIf Microsoft Word is not running, the malware enters its main communications loop, performing the following actions in sequence; this loop should only be entered after a reboot of the machine:\r\n1. Collects system information and POSTs it to the C2.\r\n2. Performs a GET request.\r\n3. Based on the status code of the GET request it will branch operations:\r\nIf the status code is not 200, the malware sleeps for a random amount of time between approximately 25 minutes and 35 minutes, based on a randomly generated number.\r\nIf the status code is 200 the malware expects the response to:\r\nBegin with a “P”; in which case the malware writes the response to disk, presumably to be executed or used in a subsequent command.\r\nBegin with an “O”; in which case the malware assumes the response contains VBS code which is saved to disk, then executed.\r\nIf not beginning with either of these characters, it is assumed to be an XML file containing a PowerShell expression, which is written to disk, read into memory, deleted, and then executed.\r\nThe code behind the main C\u0026C loop is shown in Figure 4.\r\nFigure 4. The main C\u0026C loop.\r\nAlthough the malware is simple, it’s fairly effective, giving the attacker options on how to run their next, more sophisticated, payload.\r\nConclusion\r\nThe Inception attacks continue to mostly stay under the radar, which in part is down to the effort put in by the attackers to make their attacks harder to analyze. In the latest wave of attacks, they’ve done this through:\r\nUse of remote templates, hindering analysis of historical attacks.\r\nAnti-forensics techniques used during the dropper process to prevent clues as to how the malware was installed from being left on disk or in the registry.\r\nUse of the new basic POWERSHOWER backdoor as a first stage, making it harder for researchers to get copies of more sophisticated payloads used by the attackers.\r\nPalo Alto Networks customers are protected from this threat in the following ways:\r\nWildfire detects all current Inception remote template documents, and the downloaded CVE-2017-11882 RTFs with malware verdicts.\r\nAutoFocus customers can track associated samples with the InceptionRemoteTemplate and PowerShower\r\nTraps blocks all of the files we are aware of that are associated with this campaign.\r\nIndicators of Compromise\r\nRemote Template Documents where we have the matching payload\r\n13de9678279b6ce6d81aeb32c0dd9f7458ad1f92aee17f3e052be9f06d473bed\r\nd547773733abef19f2720d4def2356d62a532f64bcb002fb2b799e9ae39f805f\r\nRemote templates analyzed.\r\n687ee860fd5cd9902b441c26d72788d5a52052d03047a9b071808fc4c53a7e8b\r\n72eb022f395cc15bbe9582ee02f977ea0692932461a8b0bd608d9f0971125999\r\nPowerShower sample\r\n8aef4975d9c51821c4fa8ee1cbfe9c1f4a88c8784427d467ea99b2c1dabe15ae\r\nOther related templates and exploit documents from 2018\r\n49dbcf1fc8d3381e495089f396727a959885c1dd2ab6cd202cf3c4dbd1d27c4f\r\n8b212ee2d65c4da033c39aebaf59cc51ade45f32f4d91d1daa0bd367889f934d\r\ncc64a68ba52283f6cf5521cf75567b3c5b5143f324d37c59906ee63f1bbafcaf\r\n2bcb8a4ddc2150b25a44c292db870124c65687444f96e078f575da69bbf018e0\r\nInfrastructure\r\nFirst Seen IP Context\r\n20th July 2018 51.255.139[.]194 Remote template host\r\n13th August 2018 188.165.62[.]40 Remote template host\r\n10th October 2018 200.122.128[.]208 POWERSHOWER C2\r\n22nd October 2018 108.170.52[.]158 Remote template host\r\nTable 1 – IP Addresses associated with Inception Remote Template documents\r\nSource: https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/"
	],
	"report_names": [
		"unit42-inception-attackers-target-europe-year-old-office-vulnerability"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434937,
	"ts_updated_at": 1775791479,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/96bf41fc99f51b2755358ba0e89941dd839572f9.pdf",
		"text": "https://archive.orkl.eu/96bf41fc99f51b2755358ba0e89941dd839572f9.txt",
		"img": "https://archive.orkl.eu/96bf41fc99f51b2755358ba0e89941dd839572f9.jpg"
	}
}