Thursday, May 15, 2025
HomeCyber Security NewsShuckworm Group uses Weaponized Word Document to Infect Victims Computer

Shuckworm Group uses Weaponized Word Document to Infect Victims Computer

Published on

SIEM as a Service

Follow Us on Google News

Symantec’s Threat Hunter team has recently discovered a hacking group which is dubbed as Shuckworm that has its root links with Russia using weaponized word documents to infect their targets’ computers in Ukraine.

This Russian-linked hacking group, Shuckworm, has been active since 2013, and it’s mainly specialized in operating cyber-espionage campaigns against the entities in Ukraine. While this group has other names and here they are:-

  • Gamaredon
  • Armageddon

The Shuckworm hacking group is believed to be operating directly from the Russian FSB (Federal Security Service). The operators of Shuckworm use phishing emails to distribute the following things:-

- Advertisement - Google News
  • Remote Manipulator System (RMS)
  • UltraVNC
  • Pterodo/Pteranodon (Customized malware)

However, in recent times this group has sophisticatedly developed all its TTPs and used them to steal their victims’ credentials and infect the network to move laterally.

Files used by Shuckworm

The hackers spotted using seven files in their recent attacks, and all seven files are 7-zip SFX self-extracting binaries. Here are files used by the hackers:-

  • descend.exe: Runs to save a VBS file to “% USERPROFILE% \ Downloads \ deerbrook.ppt” and “% PUBLIC% \ Pictures \ deerbrook.ppt”
  • deep-sunken.exe: Runs to drop four more files on the compromised computer.
  • z4z05jn4.egf.exe: Throws the files in different folders and then uses different file names.
  • defiant.exe: Runs to save VBS files to “% TEMP% \\ deep-versed.nls” and “% PUBLIC \ Pictures \ deep-versed.nls”
  • deep-green.exe: UltraVNC remote management tool
  • deep-green.exe: Process Explorer is a freeware task manager and system monitor for Microsoft Windows.
  • deep-green.exe: Throws the files in different folders and then uses different file names.
  • deep-green.exe: Removes VBS on “% PUBLIC% \ Music \”

On the compromised machine, a number of documents were opened from several locations before the VNC client installation to create confusion and increase the complexity. 

As doing so helps the threat actors to collect and exfiltrate sensitive information from the compromised system of their target. Moreover, the documents that are accessed by the threat actors range from job descriptions to sensitive information.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Coinbase Data Breach – Customers Personal Info, Government‑ID & Transaction Data Exposed

Coinbase, the largest cryptocurrency exchange in the United States, has disclosed a significant cybersecurity...

Inside Turla’s Uroboros Infrastructure and Tactics Revealed

In a nation-state cyber espionage, a recent static analysis of the Uroboros rootkit, attributed...

CISA Alerts on Five Active Zero-Day Windows Vulnerabilities Being Exploited

Cybersecurity professionals and network defenders, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has...

Intruder vs. Acunetix vs. Attaxion: Comparing Vulnerability Management Solutions

The vulnerability management market is projected to reach US$24.08 billion by 2030, with numerous...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Coinbase Data Breach – Customers Personal Info, Government‑ID & Transaction Data Exposed

Coinbase, the largest cryptocurrency exchange in the United States, has disclosed a significant cybersecurity...

Inside Turla’s Uroboros Infrastructure and Tactics Revealed

In a nation-state cyber espionage, a recent static analysis of the Uroboros rootkit, attributed...

CISA Alerts on Five Active Zero-Day Windows Vulnerabilities Being Exploited

Cybersecurity professionals and network defenders, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has...