A new hacker collective is on the rise with a unique way of gaining a foothold through a PowerPoint feature. The group has been identified as the Russian state-sponsored “APT28” and is said to be using a new code execution method that leverages mouse movement in Microsoft PowerPoint to deploy malware via decoy documents.
According to sources, the mouse movement triggers a backdoor action when the user starts presentation mode in PowerPoint. The code execution used in the campaign, according to the Cluster25 researchers, runs a PowerShell script that automatically downloads and launches a dropper from Microsoft OneDrive.
The dropper initially appears to be an ordinary image file with a standard image extension; once opened, however, it acts as a conduit for the payload. The threat actor then delivers the Graphite malware, which uses the Microsoft Graph API and OneDrive for command-and-control (C2) communications to retrieve additional payloads.
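As an added, defensive example that is not from the article or from Cluster25: a Python scanner that unpacks a .pptx (an OOXML zip) and flags mouseover or click hyperlinks whose action is ppaction://program, the mechanism by which a mouse movement in presentation mode can launch an external program. The sample deck it builds is constructed for the test, and the target path is a placeholder, not a real indicator.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS_A = "http://schemas.openxmlformats.org/drawingml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_P = "http://schemas.openxmlformats.org/presentationml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
# ppaction://program launches an external program; ppaction://macro runs VBA.
SUSPICIOUS_ACTIONS = ("ppaction://program", "ppaction://macro")


def _slide_rels(zf: zipfile.ZipFile, slide_name: str) -> dict[str, str]:
    # ppt/slides/slideN.xml -> ppt/slides/_rels/slideN.xml.rels (rId -> Target)
    folder, _, fname = slide_name.rpartition("/")
    rels_name = f"{folder}/_rels/{fname}.rels"
    targets: dict[str, str] = {}
    if rels_name in zf.namelist():
        root = ET.fromstring(zf.read(rels_name))
        for rel in root.iter(f"{{{NS_REL}}}Relationship"):
            targets[rel.get("Id", "")] = rel.get("Target", "")
    return targets


def scan_pptx(data: bytes) -> list[dict[str, str]]:
    # One finding per hlinkMouseOver/hlinkClick element carrying a suspicious action.
    findings: list[dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("ppt/slides/slide") and name.endswith(".xml"):
                rels = _slide_rels(zf, name)
                root = ET.fromstring(zf.read(name))
                for tag in ("hlinkMouseOver", "hlinkClick"):
                    for el in root.iter(f"{{{NS_A}}}{tag}"):
                        action = el.get("action", "")
                        if action.startswith(SUSPICIOUS_ACTIONS):
                            rid = el.get(f"{{{NS_R}}}id", "")
                            findings.append({"slide": name, "trigger": tag,
                                             "action": action, "target": rels.get(rid, "")})
    return findings


def build_sample_pptx(target: str, action: str = "ppaction://program") -> bytes:
    # Constructed minimal deck: one shape with a mouseover hyperlink (test fixture, not a lure).
    attr = f' action="{action}"' if action else ""
    slide = (f'<p:sld xmlns:p="{NS_P}" xmlns:a="{NS_A}" xmlns:r="{NS_R}"><p:cSld><p:spTree>'
             f'<p:sp><p:nvSpPr><p:cNvPr id="2" name="shape"><a:hlinkMouseOver r:id="rId2"{attr}/>'
             '</p:cNvPr></p:nvSpPr></p:sp></p:spTree></p:cSld></p:sld>')
    rels = (f'<Relationships xmlns="{NS_REL}"><Relationship Id="rId2" Type="{NS_R}/hyperlink" '
            f'Target="{target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", slide)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()
```

Run scan_pptx over mail-gateway or sandbox samples; a normal web hyperlink has no ppaction:// action attribute and produces no finding.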
The PowerPoint lure uses a premade template that links the document back to the Organisation for Economic Co-operation and Development (OECD), a Paris-based intergovernmental body.
The two URLs used by the attackers in the August and September campaign were examined by Cluster25 researchers. The investigation revealed that the hackers had begun laying the groundwork in early 2022 and, over the past two months, have expanded their operations while continuing to run the campaign. The threat actors have mainly targeted organizations and individuals in the government and defense sectors across Europe and Eastern Europe.
In their initial attacks the hacker collective dropped the backdoor by exploiting the MSHTML remote code execution vulnerability (CVE-2021-40444). They ran those campaigns in late 2021 and early 2022, deploying the malware in January 2022 in a similar attack.
The group goes by several identities, including the well-known APT28 and Fancy Bear, and is becoming an A-grade threat to businesses as it keeps expanding its influence in underground hacking forums. The threat group is expected to adopt new exploitation techniques as it broadens its technical repertoire to carry on its operations against industries and organizations beyond those it has already infiltrated.