{
	"id": "2a9d31f0-bfd8-486d-814b-30e4c917b63e",
	"created_at": "2026-04-06T00:12:38.02238Z",
	"updated_at": "2026-04-10T13:11:24.610032Z",
	"deleted_at": null,
	"sha1_hash": "df5e9b3592dc787063617de7c7650b4f82d37c9b",
	"title": "“Cyber Conflict” Decoy Document Used In Real Cyber Conflict",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 561933,
	"plain_text": "“Cyber Conflict” Decoy Document Used In Real Cyber Conflict\r\nBy Paul Rascagneres\r\nPublished: 2017-10-22 · Archived: 2026-04-05 13:15:20 UTC\r\nSunday, October 22, 2017 12:22\r\nUpdate 10/23: CCDCOE released a statement today on their website\r\n\r\nIntroduction\r\nCisco Talos discovered a new malicious campaign from the well-known actor Group 74 (aka Tsar Team, Sofacy, APT28, Fancy Bear…). Ironically, the decoy document is a deceptive flyer relating to the Cyber Conflict U.S. conference. CyCon US is a collaborative effort between the Army Cyber Institute at the United States Military Academy and the NATO Cooperative Cyber Defence Centre of Excellence. Due to the nature of this document, we assume that this campaign targets people with an interest in cyber security. Unlike previous campaigns from this actor, the flyer does not contain an Office exploit or a 0-day; it simply contains a malicious Visual Basic for Applications (VBA) macro.\r\nThe VBA drops and executes a new variant of Seduploader. This reconnaissance malware has been used by Group 74 for years and is composed of 2 files: a dropper and a payload. The dropper and the payload are quite similar to the previous versions, but the author modified some public information such as the MUTEX name and the obfuscation keys. We assume that these modifications were performed to avoid detection based on public IOCs.\r\nThe article describes the malicious document and the Seduploader reconnaissance malware, especially the differences from the previous versions.\r\nhttps://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html\r\nPage 1 of 9\r\n\r\nMalicious Office Document\r\nDecoy Document\r\nThe decoy document is a flyer concerning the Cyber Conflict U.S. conference with the following filename: Conference_on_Cyber_Conflict.doc. It contains 2 pages with the logo of the organizer and the sponsors:\r\nDue to the nature of the document, we assume that the targeted people are linked to or interested in the cybersecurity landscape. The exact content of the document can be found online on the conference website. The attackers probably copy/pasted it into Word to create the malicious document.\r\nVBA\r\nThe Office document contains a VBA script. Here is the code:\r\nThe goal of this code is to get information from the properties of the document (\"Subject\", \"Company\", \"Category\", \"Hyperlink base\" and finally \"Comments\"). Some of this information can be directly extracted from Windows Explorer by looking at the properties of the file. The \"Hyperlink Base\" must be extracted using another tool; strings is capable of obtaining it by looking for long strings. Pay close attention to the contents of these fields, as they appear base64 encoded.\r\nThis extracted information is concatenated together to make a single variable. This variable is decoded with the base64 algorithm in order to get a Windows library (PE file), which is written to disk. The file is named netwf.dat. In the next step this file is executed by rundll32.exe via the KlpSvc export. We see that this file drops 2 additional files: netwf.bat and netwf.dll. The final part of the VBA script changes the properties of these two files, setting their attributes to Hidden. We can also see 2 VBA variable names: PathPld, probably for Path Payload, and PathPldBt, for Path Payload Batch.\r\nSeduploader Variant\r\nDropper Analysis\r\nAs opposed to previous campaigns performed by this actor, this latest version does not contain privilege escalation; it simply executes the payload and configures persistence mechanisms. The dropper installs 2 files:\r\nnetwf.bat : executes netwf.dll\r\nnetwf.dll : the payload\r\nThe dropper implements 2 persistence mechanisms:\r\nHKCU\\Environment\\UserInitMprLogonScript to execute the netwf.bat file\r\nCOM Object hijack of the following CLSID: {BCDE0395-E52F-467C-8E3D-C4579291692E}, the CLSID of the class MMDeviceEnumerator.\r\nThese 2 techniques have also been previously used by this actor.\r\nFinally, the payload is executed by rundll32.exe (with the ordinal #1 as argument) or by explorer.exe if the COM Object hijack is performed. In this case, explorer.exe will instantiate the MMDeviceEnumerator class and will execute the payload.\r\nPayload Analysis\r\nThe payload features are similar to the previous versions of Seduploader. We can compare it to the sample e338d49c270baf64363879e5eecb8fa6bdde8ad9 used in May 2017 by Group 74. Of the 195 functions of the new sample, 149 are strictly identical, 16 match at 90% and 2 match at 80%:\r\nIn the previous campaign, where adversaries used Office document exploits as an infection vector, the payload was executed in the Office Word process. In this campaign, adversaries did not use any exploit. Instead, the payload is executed in standalone mode by rundll32.exe.\r\nAdversaries also changed some constants, such as the XOR key used in the previous version. The key in our version is:\r\nkey=b\"\\x08\\x7A\\x05\\x04\\x60\\x7c\\x3e\\x3c\\x5d\\x0b\\x18\\x3c\\x55\\x64\"\r\nThe MUTEX name is different too: FG00nxojVs4gLBnwKc7HhmdK0h\r\nHere are some of the Seduploader features:\r\nScreenshot capture (with the GDI API);\r\ndata/configuration exfiltration;\r\nExecution of code;\r\nFile downloading;\r\nThe Command \u0026 Control (CC) of the analysed sample is myinvestgroup[.]com. During the investigation, the server did not provide any configuration to the infected machines. Based on the metadata of the Office documents and the PE files, the attackers had created the file on Wednesday, the 4th of October. We can see, in Cisco Umbrella, a peak in activities 3 days later, Saturday the 7th of October:\r\nConclusion\r\nAnalysis of this campaign shows us once more that attackers are creative and use the news to compromise their targets. This campaign has most likely been created to allow the targeting of people linked to or interested in cybersecurity, so probably the people who are more sensitive to cybersecurity threats. In this case, Group 74 did not use an exploit or any 0-day but simply used a scripting language embedded within the Microsoft Office document. Due to this change, the fundamental compromise mechanism is different, as the payload is executed in standalone mode. The reasons for this are unknown, but we could suggest that they did not want to utilize any exploits, to ensure these remained viable for other operations. Actors will often not use exploits because researchers can find and eventually patch them, which renders the actors' weaponized platforms defunct. Additionally, the author made some small updates after publications from the security community; again, this is common for actors of this sophisticated nature: once their campaigns have been exposed, they will often try to change tooling to ensure better avoidance. For example, the actor changed the XOR key and the MUTEX name. We assume that these modifications were performed in order to avoid detection based on public IOCs.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nIOCs\r\nFiles\r\nOffice Documents:\r\nc4be15f9ccfecf7a463f3b1d4a17e7b4f95de939e057662c3f97b52f7fa3c52f\r\ne5511b22245e26a003923ba476d7c36029939b2d1936e17a9b35b396467179ae\r\nefb235776851502672dba5ef45d96cc65cb9ebba1b49949393a6a85b9c822f52\r\nSeduploader Dropper:\r\n522fd9b35323af55113455d823571f71332e53dde988c2eb41395cf6b0c15805\r\nSeduploader Payload:\r\nef027405492bc0719437eb58c3d2774cc87845f30c40040bbebbcc09a4e3dd18\r\nNetworks\r\nCC:\r\nmyinvestgroup[.]com\r\nSource: https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html"
	],
	"report_names": [
		"cyber-conflict-decoy-document.html"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434358,
	"ts_updated_at": 1775826684,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/df5e9b3592dc787063617de7c7650b4f82d37c9b.pdf",
		"text": "https://archive.orkl.eu/df5e9b3592dc787063617de7c7650b4f82d37c9b.txt",
		"img": "https://archive.orkl.eu/df5e9b3592dc787063617de7c7650b4f82d37c9b.jpg"
	}
}