{
	"id": "6682e2ab-742f-4c64-80e4-534eb5d60951",
	"created_at": "2026-04-06T00:13:19.766924Z",
	"updated_at": "2026-04-10T03:34:16.74733Z",
	"deleted_at": null,
	"sha1_hash": "f674901f61291fdb5d3509566488b1e01d7b39f6",
	"title": "DoppelDridex Delivered via Slack and Discord",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1236804,
	"plain_text": "DoppelDridex Delivered via Slack and Discord\r\nPublished: 2021-09-27 · Archived: 2026-04-05 21:22:52 UTC\r\nSummary\r\nSeveral recent phishing campaigns have attempted to deliver a variant of the Dridex banking trojan via payloads staged on the Slack and Discord CDNs. This is DoppelDridex, a modified variant of the original Dridex malware. It is operated by the financially motivated eCrime adversary tracked as DOPPEL SPIDER. Additional tooling, such as Cobalt Strike, is often delivered as a secondary payload and may be leveraged for further remote access, lateral movement, and preparation for deployment of Grief ransomware.\r\nThe recent campaigns delivering this malware variant have used attachments with Excel 4.0 sheet-style macros to fetch the initial payload from domains of popular messaging CDNs such as discordapp[.]com and files.slack[.]com. These sites are attractive for threat actors to stage payloads because they may be trusted or allowlisted by proxies or other network-based controls. The maldocs in these phishing campaigns are also commonly built in the Microsoft Excel Binary Format (XLSB), which can cause problems for some tools designed for automated analysis.\r\nIn this blog, I will review a recent sample of a DoppelDridex Excel maldoc with the .xlsb extension, and examine some analytical approaches to extracting useful information in the form of TTPs and IOCs.\r\nDelivery and Infection Chain\r\nThe maldocs in these campaigns are delivered as attachments to emails that commonly use an invoice- or tax-themed social engineering lure. If the user enables content, the sheet macro is executed. The macro code contains a series of two obfuscated HTML documents that execute embedded VBScript to retrieve the DoppelDridex payloads from adversary-controlled infrastructure hosted on the Slack and Discord CDNs. 
Two files are written to the ProgramData directory. The first is an embedded HTML document extracted from the sheet macro, which is written to 'C:\\ProgramData\\[random name].rtf' and run via an mshta.exe process. This .rtf contains an obfuscated integer array, which decodes to another HTML document. The second HTML document contains lightly obfuscated VBScript and is responsible for launching a shell object which then loads the main DoppelDridex payload, ultimately written to disk as 'C:\\ProgramData\\defdoc.png' and then executed by a rundll32.exe process.\r\nDoppelDridex infection chain\r\nStatic Sample Analysis\r\nSHA256: 91164696edc4efba635e5246a48693e8fd75db2eef8e06e354848365b9fead55 (VT LINK)\r\nThe maldoc downloader is an example of an Excel document weaponized with Excel 4.0 (XLM) sheet-style macros, which have been popular for a couple of years now. This type of macro is an older Microsoft standard that has been essentially deprecated in favor of VBA macros. However, all versions of Excel retain the capability of running Excel 4.0 macros; their use is simply discouraged. So Excel 4.0 macros (a 20+ year old standard) still work, and their use as a malware loader is chosen for defense evasion. With sheet macros, instead of being contained in the OLE stream of a file, the code strings are simply broken up across various cells within the spreadsheet.\r\nhttps://security-soup.net/doppeldridex-delivered-via-slack-and-discord/\r\nPage 1 of 5\n\nHidden Sheet Macros\r\nThis can theoretically bypass detection mechanisms that are solely based on detecting compressed VBA within an OLE stream. When attempting to analyze the Excel 4.0 macro there are several options for extracting it. You could of course track the code execution throughout all of the cells, but this is not practical, as there are several cells that reference each other along with string/integer manipulation that would need to be processed. 
In these cases, it is not worth spending additional time analyzing the document manually, and automated tools should be used.\r\nSheet macro cells\r\nI have two go-to tools that do not require opening and interacting with the file directly. The first I typically try is the oledump.py tool from Didier Stevens. This tool has a plugin developed specifically for sheet macros stored in the more common .xls format: it recognizes these files and extracts the macros from the BIFF (Binary Interchange File Format) records inside the OLE \"Workbook\" stream. BIFF is a very old record format that pre-dates the use of OLE compound-file containers for XLS. Using the BIFF plugin, the tool dumps all of the BIFF records in the stream. This works well on the XLS format, but is problematic with XLSB.\r\nI also like Decalage's olevba for this type of analysis. Both tools are extremely useful for analyzing the OLE streams in documents weaponized with VBA macros. In this case the XLSB format caused problems: an XLSB file is a ZIP-based OOXML package whose sheets are stored as binary record parts, so there are literally no OLE streams to be analyzed, and the macros were not identified by my preferred tooling.\r\nissues for automated analysis\r\nUnfortunately, since this file is .xlsb, neither tool is able to recognize the file or identify the macros. Of course in this case, we have the advantage of knowing there is definitely a macro contained in the maldoc. There are very many cell and/or string values that perform malicious operations when a victim enables content.\r\nSince both of my tried and true methods were not effective, I turned to an alternative tool from DissectMalware called XLMMacroDeobfuscator. This tool uses an internal XLM emulator that is able to parse the macros without the need to actually run the code itself. 
Below you can see that the deobfuscator not only identifies the macros, but interprets the code execution, effectively stripping out the obfuscation. This way, the URLs hosting the initial DoppelDridex payload on cdn.discordapp[.]com and files.slack[.]com can be easily extracted.\r\nsuccessful extraction with XLMMacroDeobfuscator\r\nThe XLMMacroDeobfuscator also identifies another segment of the HTML file that is of particular interest for the next stage of execution. Here, I was able to identify a large block of integers that had been assigned to an array. The key to decoding this block is to loop through the array and subtract 1022 from each integer. I was able to get this key from a line below the code block:\r\nRKzEcSN = RKzEcSN \u0026 Chr(Round(VYITkd - 1022,0))\r\nIf you look closely, the VYITkd variable is iterated through the array via a For Each statement.\r\nThe good news is that we can use this same logic to decode the array quickly and safely. I whipped up a quick Python script to handle this operation, as this was likely the fastest and easiest method. The script itself isn't anything fancy, but it got the job done. I basically just needed to loop through the array, subtract 1022, and then convert the resulting integer value from decimal to ASCII. Joining those results gave me the second layer of HTML code. The Python script I used to decode the array can be found on my GitHub here:\r\ndecoding the array with Python\r\nThe final command in this stage of the infection chain simply creates a new object and leverages a wmic process to launch rundll32, which loads the DoppelDridex DLL that was previously downloaded as a PNG file. 
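As an added example (not the author's GitHub script and not code from the maldoc), the decode loop quoted above can be reproduced and slightly generalized in Python: the script pulls the integer array and the Chr(Round(x - N,0)) key out of a VBScript fragment, decodes it, and, when the key line is absent or obfuscated, ranks candidate offsets by how much the output looks like HTML/VBScript. The stage-1 fragment below is constructed for the example; its array name NWZ and the short encoded payload are made up, and only the decode line (variable names RKzEcSN and VYITkd) is taken from the page.

```python
import re

# Constructed stage-1 fragment (not the real maldoc). Only the decode line
# comes from the page; the array name NWZ and the encoded payload are made up.
SAMPLE_STAGE1 = '''
<html><script language=vbscript>
Dim RKzEcSN
NWZ = Array(1082, 1137, 1121, 1136, 1127, 1134, 1138, 1084, 1105, 1123, 1138,
            1054, 1133, 1083, 1089, 1136, 1123, 1119, 1138, 1123, 1101, 1120,
            1128, 1123, 1121, 1138, 1062, 1141, 1063, 1082, 1069, 1137, 1121,
            1136, 1127, 1134, 1138, 1084)
For Each VYITkd In NWZ
    RKzEcSN = RKzEcSN & Chr(Round(VYITkd - 1022,0))
Next
</script></html>
'''

# Bracket classes instead of escapes keep the patterns copy-paste safe.
ARRAY_RE = re.compile(r'Array[(]([^)]*)[)]', re.S)
KEY_RE = re.compile(r'Chr[(]Round[(][A-Za-z0-9_]+ *- *([0-9]+) *, *0[)][)]')

# Tokens a decoded HTML/VBScript stage is likely to contain; used to rank
# candidate offsets when the key line is missing or obfuscated.
MARKERS = ('script', 'CreateObject', 'Set ', 'WScript.Shell', '.Run', 'Chr(')

def extract_ints(vbs):
    # Pull the integer literals out of the first Array(...) call.
    m = ARRAY_RE.search(vbs)
    if not m:
        raise ValueError('no Array(...) literal found')
    return [int(t) for t in m.group(1).split(',') if t.strip()]

def extract_key(vbs):
    # Recover N from a Chr(Round(var - N,0)) line; None if it is not there.
    m = KEY_RE.search(vbs)
    return int(m.group(1)) if m else None

def decode(ints, offset):
    # Same operation as the VBScript loop: subtract, then map to a character.
    return ''.join(chr(v - offset) for v in ints)

def looks_like_text(s):
    return all(32 <= ord(c) <= 126 or c in (chr(9), chr(10), chr(13)) for c in s)

def find_offset(ints):
    # Brute-force the offset: every candidate that yields printable ASCII is
    # scored by marker hits and the best score wins. Returns None when no
    # candidate contains a single marker.
    lo, hi = max(ints) - 126, min(ints) - 9
    best, best_score = None, 0
    for off in range(lo, hi + 1):
        text = decode(ints, off)
        if not looks_like_text(text):
            continue
        score = sum(text.count(mk) for mk in MARKERS)
        if score > best_score:
            best, best_score = off, score
    return best

def decode_stage(vbs):
    # Prefer the key stated in the script; fall back to brute force.
    ints = extract_ints(vbs)
    key = extract_key(vbs)
    if key is None:
        key = find_offset(ints)
    if key is None:
        raise ValueError('could not determine decode offset')
    return key, decode(ints, key)

if __name__ == '__main__':
    key, html = decode_stage(SAMPLE_STAGE1)
    print('offset:', key)
    print(html)
```

On this sample every offset from 1015 to 1022 yields printable ASCII, so printability alone cannot pick the key; the marker score is what separates 1022 from its neighbours. Treat the decoded text as untrusted input for the next layer of analysis: write it to a file and inspect it, never execute it.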
To recap, the commands that can be leveraged for detection are:\r\nwmic process call create 'mshta C:\\ProgramData\\[RANDOM].rtf'\r\nwmic process call create \"rundll32.exe C:\\ProgramData\\defdoc.png\"\r\nMore details on this maldoc can be found at the VT link provided above or the Joe Sandbox report here.\r\nConclusion\r\nDOPPEL SPIDER has consistently leveraged both Discord and Slack to deliver DoppelDridex payloads to victims in recent weeks. Searching the Dridex tag on URLhaus makes it evident that the usage of Slack ebbs and flows, but Discord appears to be the preferred platform for staging their payloads. If your organization doesn't require connections to these CDNs, consider blocking them outright at your network perimeter where there is no business justification for those connections. These campaigns also consistently utilize the XLSB file format, which may cause problems for automation that relies on identifying malicious content in OLE streams. Despite this, static analysis can be accomplished with tools that emulate the macros in the XLSB document type, which easily extract the embedded IOCs.\r\nTechnical controls at the mail gateway typically have very high success rates for defeating commodity malware delivered in opportunistic campaigns. The Excel 4.0/XLM macros in XLSB-format maldocs may evade detection for similar reasons as noted above. The TTPs presented here can provide some additional detection opportunities for a layered defense strategy. I have also presented some analysis techniques that can be used in response efforts to quickly identify and extract IOCs when needed. 
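As an added example, not taken from the page, here is a small Python triage routine that turns the two wmic command lines above into detection logic over process-creation records: it unwraps wmic process call create, then flags mshta executing something other than an .hta and rundll32 loading something other than a .dll, with an extra reason when the target sits under ProgramData. The records are constructed for the example; the parent images (including WmiPrvSE.exe as the parent of WMI-created processes) and the file name kqvh3.rtf standing in for [RANDOM].rtf are assumptions, not observations from the page.

```python
import re

BS = chr(92)  # a single backslash, kept out of the literals so the Windows
              # paths below survive copy-paste through any escaping layer

R_WMIC = 'wmic process call create used as a launcher'
R_MSHTA = 'mshta executing a non-.hta file'
R_RUNDLL = 'rundll32 loading a non-.dll file'
R_PDATA = 'payload staged under ProgramData'

WMIC_CREATE_RE = re.compile(r'process +call +create +(.+)$', re.I)

def winpath(*parts):
    return BS.join(parts)

def squote(s):
    return chr(39) + s + chr(39)

# Constructed process-creation records (not real telemetry): parent image,
# child image, command line. The first four follow the chain on the page, with
# kqvh3.rtf standing in for the [RANDOM].rtf name; the rest are benign noise.
SAMPLE_EVENTS = [
    ('EXCEL.EXE',    'wmic.exe',     'wmic process call create ' + squote('mshta ' + winpath('C:', 'ProgramData', 'kqvh3.rtf'))),
    ('WmiPrvSE.exe', 'mshta.exe',    'mshta ' + winpath('C:', 'ProgramData', 'kqvh3.rtf')),
    ('mshta.exe',    'wmic.exe',     'wmic process call create ' + squote('rundll32.exe ' + winpath('C:', 'ProgramData', 'defdoc.png'))),
    ('WmiPrvSE.exe', 'rundll32.exe', 'rundll32.exe ' + winpath('C:', 'ProgramData', 'defdoc.png')),
    ('cmd.exe',      'wmic.exe',     'wmic os get caption'),
    ('explorer.exe', 'rundll32.exe', 'rundll32.exe ' + winpath('C:', 'Windows', 'System32', 'shell32.dll') + ',Control_RunDLL'),
    ('explorer.exe', 'mshta.exe',    'mshta ' + winpath('C:', 'Tools', 'helper.hta')),
]

LOLBINS = ('mshta', 'mshta.exe', 'rundll32', 'rundll32.exe')

def ext_of(arg):
    # Extension of a path argument, ignoring a trailing ,EntryPoint.
    name = arg.split(',')[0].rsplit(BS, 1)[-1].lower()
    return name.rsplit('.', 1)[-1] if '.' in name else ''

def wmic_inner_command(cmdline):
    # The command wmic was asked to create, with surrounding quotes removed.
    m = WMIC_CREATE_RE.search(cmdline)
    if not m:
        return None
    inner = m.group(1).strip()
    if len(inner) >= 2 and inner[0] in (chr(39), chr(34)) and inner[-1] == inner[0]:
        inner = inner[1:-1]
    return inner

def check_command(cmdline):
    # Rules for the child-side commands in the chain (mshta and rundll32).
    tokens = cmdline.split()
    if len(tokens) < 2:
        return []
    image = tokens[0].rsplit(BS, 1)[-1].lower()
    target = tokens[1]
    reasons = []
    if image in ('mshta', 'mshta.exe') and ext_of(target) != 'hta':
        reasons.append(R_MSHTA)
    if image in ('rundll32', 'rundll32.exe') and ext_of(target) != 'dll':
        reasons.append(R_RUNDLL)
    if image in LOLBINS and 'programdata' in target.lower():
        reasons.append(R_PDATA)
    return reasons

def check_event(image, cmdline):
    # wmic is unwrapped first so the launched command is judged by the same
    # rules as a direct execution.
    if image.lower() == 'wmic.exe':
        inner = wmic_inner_command(cmdline)
        if inner is None:
            return []
        return [R_WMIC] + check_command(inner)
    return check_command(cmdline)

def triage(events):
    # Returns (parent, child image, command line, reasons) for flagged events.
    hits = []
    for parent, image, cmdline in events:
        reasons = check_event(image, cmdline)
        if reasons:
            hits.append((parent, image, cmdline, reasons))
    return hits

if __name__ == '__main__':
    for parent, image, cmdline, reasons in triage(SAMPLE_EVENTS):
        print(parent, '>', image, '|', cmdline, '|', '; '.join(reasons))
```

Anchoring on the command line rather than on an Excel parent matters here: a process created through Win32_Process.Create is a child of WmiPrvSE.exe, not of the wmic.exe or EXCEL.EXE that requested it, so a parent-child rule keyed on Office would see only the first wmic call. The ProgramData reason is a tiebreaker rather than a rule of its own, since legitimate software writes there too.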
This campaign is only a few days old as of the time of this writing; however, the TTPs should remain relevant.\r\nIOCs\r\nDelivery Maldoc SHA256: 91164696edc4efba635e5246a48693e8fd75db2eef8e06e354848365b9fead55\r\nDoppelDridex DLL SHA256: acbcd5ce1579a43148eee9b867f035cd0bc16f237a4790322467a0dac23ce7c6\r\nDoppelDridex DLL SHA256: a6aaa4ffb112d78aa20345821920ce6554d96303f7fb3facb5143de348cf2aae\r\nhxxps[:]//cdn.discordapp[.]com/attachments/890212086519566369/890212261132636200/5_samsrv.dll.dll\r\nhxxps[:]//cdn.discordapp[.]com/attachments/890212086519566369/890212251435425862/0_system.componentmodel.composition.registra\r\nhxxps[:]//cdn.discordapp[.]com/attachments/890212591471824921/890212677559922708/9_dispex.dll.dll\r\nhxxps[:]//files.slack[.]com/files-pri/T02F79UM6TT-F02F9AE9ZJ6/download/3_SmiEngine?pub_secret=4e9eeb9360\r\nhxxps[:]//files.slack[.]com/files-pri/T02ERNYLC69-F02F9AG9CEN/download/6_hpzstw72?pub_secret=356a094b3b\r\nhxxps[:]//files.slack[.]com/files-pri/T02EHM1BB19-F02FFGMT84C/download/6_hpzstw72?pub_secret=009a86b011\r\nReferences\r\nhttps://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/\r\nhttps://redcanary.com/blog/grief-ransomware/\r\nhttps://www.virustotal.com/gui/file/91164696edc4efba635e5246a48693e8fd75db2eef8e06e354848365b9fead55/community\r\nhttps://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-xlsb/acc8aa92-1f02-4167-99f5-84f9f676b95a\r\nhttps://support.microsoft.com/en-us/office/working-with-excel-4-0-macros-ba8924d4-e157-4bb2-8d76-2c07ff02e0b8?ocmsassetid=ha010336614\u0026correlationid=2aa46e64-978f-4d6a-bf7d-950ab12599a1\u0026ui=en-us\u0026rs=en-us\u0026ad=us\r\nhttps://www.decalage.info/python/olevba\r\nhttps://github.com/DissectMalware\r\nhttps://github.com/DissectMalware/XLMMacroDeobfuscator\r\nhttps://github.com/Sec-Soup/Python-ToolBox/tree/master/array-decoder_2\r\nhttps://www.joesandbox.com/analysis/488098/0/html\r\nhttps://urlhaus.abuse.ch/browse/tag/Dridex/\r\nSource: https://security-soup.net/doppeldridex-delivered-via-slack-and-discord/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://security-soup.net/doppeldridex-delivered-via-slack-and-discord/"
	],
	"report_names": [
		"doppeldridex-delivered-via-slack-and-discord"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ccd0f6b5-6d20-4d28-9796-88ab6deb4087",
			"created_at": "2024-06-19T02:03:08.067518Z",
			"updated_at": "2026-04-10T02:00:03.671628Z",
			"deleted_at": null,
			"main_name": "GOLD HERON",
			"aliases": [
				"Doppel Spider "
			],
			"source_name": "Secureworks:GOLD HERON",
			"tools": [
				"Cobalt Strike",
				"DoppelPaymer",
				"Dridex",
				"Grief",
				"PowerShell Empire"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a0d0e1ef-3562-40a8-a021-321db92644d9",
			"created_at": "2023-01-06T13:46:39.104046Z",
			"updated_at": "2026-04-10T02:00:03.2146Z",
			"deleted_at": null,
			"main_name": "DOPPEL SPIDER",
			"aliases": [
				"GOLD HERON"
			],
			"source_name": "MISPGALAXY:DOPPEL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d555c5da-abe4-42aa-a8cf-77b68905891a",
			"created_at": "2022-10-25T16:07:23.548385Z",
			"updated_at": "2026-04-10T02:00:04.65211Z",
			"deleted_at": null,
			"main_name": "Doppel Spider",
			"aliases": [
				"Gold Heron",
				"Grief Group"
			],
			"source_name": "ETDA:Doppel Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DoppelPaymer",
				"Pay OR Grief",
				"Pay or Grief",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434399,
	"ts_updated_at": 1775792056,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f674901f61291fdb5d3509566488b1e01d7b39f6.pdf",
		"text": "https://archive.orkl.eu/f674901f61291fdb5d3509566488b1e01d7b39f6.txt",
		"img": "https://archive.orkl.eu/f674901f61291fdb5d3509566488b1e01d7b39f6.jpg"
	}
}