{
	"id": "6b375575-f829-489d-8ced-dde85e3c2fdb",
	"created_at": "2026-04-06T00:19:42.741608Z",
	"updated_at": "2026-04-10T13:13:00.877646Z",
	"deleted_at": null,
	"sha1_hash": "cc662469b1ad1ed861a4a842691b08111bace282",
	"title": "WARZONE RAT – Beware Of The Trojan Malware Stealing Data Triggering From Various Office Documents - Home",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 758682,
	"plain_text": "WARZONE RAT – Beware Of The Trojan Malware Stealing Data\r\nTriggering From Various Office Documents - Home\r\nBy Ayush Puri\r\nPublished: 2021-07-01 · Archived: 2026-04-05 12:38:44 UTC\r\nWarzone RAT is part of an APT campaign named “Confucius.” Confucius APT is known to target government\r\nsectors of China and a few other South Asian countries. This APT campaign was quite active around January\r\n2021. Warzone RAT first emerged in 2018 as malware-as-a-service (MaaS) and is known for its aggressive use of\r\n“.docx” files as its initial infection vector. The initial payload is known as “Ave Maria Stealer,” which can steal\r\ncredentials and log keystrokes on the victim’s machine. The advanced version of this malware is currently sold in\r\nthe underground market for $22.95 per month and $49.95 for three months. The Warzone creators have an official\r\nwebsite where it’s up for sale.\r\nFigure 1: Warzone website showing selling price\r\nThese are the various features of the RAT mentioned on the website:\r\nRemote Desktop \u0026 Webcam\r\nPrivilege Escalation – UAC Bypass\r\nPassword Recovery\r\nDownload \u0026 Execute.\r\nLive Keylogger\r\nRemote Shell\r\nPersistence\r\nWindows Defender Bypass\r\nWe came across a cracked version of Warzone RAT on GitHub. Here is the screenshot of that repository:\r\nhttps://blogs.quickheal.com/warzone-rat-beware-of-the-trojan-malware-stealing-data-triggering-from-various-office-documents/\r\nPage 1 of 6\n\nFigure 2: A cracked version of warzone on GitHub\r\nBased on our research, we confirmed that the threat actor is trying to circumvent attacks with a decoy and\r\nmanipulate users, delivering the next stage payload via template injection technique. 
In this blog, we are going to\r\ntalk about “.docx” used as an initial attack vector and how it delivers its final payload, Warzone RAT.\r\nTechnical Analysis:\r\nFigure 3: Attack Chain\r\nThe various phases of the attack are:\r\nThe victim opens the Word document.\r\nThis document further downloads an RTF exploit (CVE-2017-11882).\r\nThe exploit in the RTF is triggered and muka.dll is dropped and executed.\r\nMuka.dll downloads Warzone RAT.\r\nPhase 1:\r\nHere the infection chain starts with a “.docx” file. We can see below the decoy document (Hash:\r\n59ccfff73bdb8567e7673a57b73f86fc082b0e4eeaa3faf7e92875c35bf4f62c). This decoy document was crafted by\r\nattackers to lure the victims.\r\nFigure 4: Screenshot from the “Suparco Vacancy Notification.docx”\r\nWhile executing, it uses the template injection technique to download the next stage RTF exploit. This exploit\r\ndelivers an embedded DLL that connects to the CNC domain to download the final payload,\r\nWarzone RAT, as the image below shows.\r\nFigure 5: Using Template Injection Technique\r\nThe RTF exploit is downloaded through the “\\word\\_rels\\settings.xml.rels” file present in the document structure using\r\nthe template injection technique, as shown below.\r\nFigure 6: settings.xml.rels containing a link to the template\r\nPhase 2:\r\nThe downloaded RTF file (Hash: 686847b331ace1b93b48528ba50507cbf0f9b59aef5b5f539a7d6f2246135424)\r\ncontains code that exploits an old vulnerability, “CVE-2017-11882”. The flaw resides within the equation editor\r\n(EQNEDT32.exe), a component in Microsoft Office that inserts or edits object linking and embedding (OLE)\r\nobjects. 
We found that muka.dll is embedded in an OLE object.\r\nFigure 7: muka.dll embedded in an OLE object\r\nPhase 3:\r\nThe embedded muka.dll file (Hash: 1c41a03c65108e0d965b250dc9b3388a267909df9f36c3fefffbd26d512a2126)\r\ncontains the export function zenu, and this DLL is used to provide functionality to other programs. Here is an image\r\nshowing this:\r\nFigure 8: Export directory containing export function zenu\r\nPhase 4:\r\nUpon successful exploitation, the DLL connects to a malicious domain (wordupdate.com), which is still active,\r\nand downloads the final Warzone payload.\r\nFigure 9: Requesting access to the malicious domain\r\nThe Warzone payload is saved as update.exe (Hash:\r\n7dd1dba508f4b74d50a22f41f0efe3ff4bc30339e9eef45d390d32de2aa2ca2b).\r\nConclusion:\r\nWarzone RAT exploits a pretty old but popular vulnerability, “CVE-2017-11882,” in Microsoft’s equation editor\r\ncomponent. This RAT works as info-stealer malware. Attackers typically spread such malware through\r\ndocument files as email attachments. We recommend that our customers not open suspicious emails/attachments\r\nand keep their AV software up to date to protect their systems from such complex malware. 
We detect the initial\r\ninfection vector as well as the final Warzone RAT as XML.Downloader.39387 and Trojan.GenericRI.S16988580\r\nrespectively.\r\nIOCs:\r\nDOCX: 59ccfff73bdb8567e7673a57b73f86fc082b0e4eeaa3faf7e92875c35bf4f62c\r\nRTF: 686847b331ace1b93b48528ba50507cbf0f9b59aef5b5f539a7d6f2246135424\r\nDLL: 1c41a03c65108e0d965b250dc9b3388a267909df9f36c3fefffbd26d512a2126\r\nEXE: 7dd1dba508f4b74d50a22f41f0efe3ff4bc30339e9eef45d390d32de2aa2ca2b\r\nDomains:\r\nrecent.wordupdate.com\r\nwordupdate.com\r\nSource: https://blogs.quickheal.com/warzone-rat-beware-of-the-trojan-malware-stealing-data-triggering-from-various-office-documents/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.quickheal.com/warzone-rat-beware-of-the-trojan-malware-stealing-data-triggering-from-various-office-documents/"
	],
	"report_names": [
		"warzone-rat-beware-of-the-trojan-malware-stealing-data-triggering-from-various-office-documents"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7a8dbc5e-51a8-437a-8540-7dcb1cc110b8",
			"created_at": "2022-10-25T16:07:23.482856Z",
			"updated_at": "2026-04-10T02:00:04.627414Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"G0142"
			],
			"source_name": "ETDA:Confucius",
			"tools": [
				"ApacheStealer",
				"ByeByeShell",
				"ChatSpy",
				"Confucius",
				"MY24",
				"Sneepy",
				"remote-access-c3",
				"sctrls",
				"sip_telephone",
				"swissknife2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "caf95a6f-2705-4293-9ee1-6b7ed9d9eb4c",
			"created_at": "2022-10-25T15:50:23.472432Z",
			"updated_at": "2026-04-10T02:00:05.352882Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"Confucius",
				"Confucius APT"
			],
			"source_name": "MITRE:Confucius",
			"tools": [
				"WarzoneRAT"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434782,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cc662469b1ad1ed861a4a842691b08111bace282.pdf",
		"text": "https://archive.orkl.eu/cc662469b1ad1ed861a4a842691b08111bace282.txt",
		"img": "https://archive.orkl.eu/cc662469b1ad1ed861a4a842691b08111bace282.jpg"
	}
}