{
	"id": "b36f5ee2-3c0b-45d2-8a76-1449d33d53ac",
	"created_at": "2026-04-06T00:20:01.065979Z",
	"updated_at": "2026-04-10T03:37:50.733826Z",
	"deleted_at": null,
	"sha1_hash": "f3e4011c466e5c65fb3e975a97a07434c16ff922",
	"title": "Hackers Exploited MSHTML Flaw to Spy on Government and Defense Targets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 277296,
	"plain_text": "Hackers Exploited MSHTML Flaw to Spy on Government and Defense Targets\r\nBy The Hacker News\r\nPublished: 2022-01-25 · Archived: 2026-04-05 16:32:32 UTC\r\nCybersecurity researchers on Tuesday took the wraps off a multi-stage espionage campaign targeting high-ranking government officials overseeing national security policy and individuals in the defense industry in Western Asia.\r\nThe attack is unique as it leverages Microsoft OneDrive as a command-and-control (C2) server and is split into as many as six stages to stay as hidden as possible, Trellix — a new company created following the merger of security firms McAfee Enterprise and FireEye — said in a report shared with The Hacker News.\r\n\"This type of communication allows the malware to go unnoticed in the victims' systems since it will only connect to legitimate Microsoft domains and won't show any suspicious network traffic,\" Trellix explained.\r\nFirst signs of activity associated with the covert operation are said to have commenced as early as June 18, 2021, with two victims reported on September 21 and 29, followed by 17 more in a short span of three days between October 6 and 8.\r\n\"The attack is particularly unique due to the prominence of its victims, the use of a recent [security flaw], and the use of an attack technique that the team had not seen before,\" Christiaan Beek, lead scientist at Trellix, said. \"The objective was clearly espionage.\"\r\nTrellix attributed the sophisticated attacks with moderate confidence to the Russia-based APT28 group, also tracked under the monikers Sofacy, Strontium, Fancy Bear, and Sednit, based on similarities in the source code as well as in the attack indicators and geopolitical objectives.\r\n\"We are supremely confident that we are dealing with a very skilled actor based on how infrastructure, malware coding and operation were set up,\" Trellix security researcher Marc Elias said.\r\nThe infection chain begins with the execution of a Microsoft Excel file containing an exploit for the MSHTML remote code execution vulnerability (CVE-2021-40444), which is used to run a malicious binary that acts as the downloader for a third-stage malware dubbed Graphite.\r\nThe DLL executable uses OneDrive as the C2 server via the Microsoft Graph API to retrieve additional stager malware that ultimately downloads and executes Empire, an open-source PowerShell-based post-exploitation framework widely abused by threat actors for follow-on activities.\r\n\"Using the Microsoft OneDrive as a command-and-control Server mechanism was a surprise, a novel way of quickly interacting with the infected machines by dragging the encrypted commands into the victim's folders,\" Beek explained. \"Next OneDrive would sync with the victim’s machines and encrypted commands being executed, whereafter the requested info was encrypted and sent back to the OneDrive of the attacker.\"\r\nIf anything, the development marks the continued exploitation of the MSHTML rendering engine flaw, with Microsoft and SafeBreach Labs disclosing multiple campaigns that have weaponized the vulnerability to plant malware and distribute custom Cobalt Strike Beacon loaders.\r\n\"The main takeaway is to highlight the level of access threat campaigns, and in particular how capable threat actors are able to permeate the most senior levels of government,\" Raj Samani, chief scientist and fellow at Trellix, told The Hacker News. \"It is of paramount importance that security practitioners tasked with protecting such high value systems consider additional security measures to prevent, detect and remediate against such hostile actions.\"\r\nSource: https://thehackernews.com/2022/01/hackers-exploited-mshtml-flaw-to-spy-on.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://thehackernews.com/2022/01/hackers-exploited-mshtml-flaw-to-spy-on.html"
	],
	"report_names": [
		"hackers-exploited-mshtml-flaw-to-spy-on.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434801,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f3e4011c466e5c65fb3e975a97a07434c16ff922.pdf",
		"text": "https://archive.orkl.eu/f3e4011c466e5c65fb3e975a97a07434c16ff922.txt",
		"img": "https://archive.orkl.eu/f3e4011c466e5c65fb3e975a97a07434c16ff922.jpg"
	}
}