Sunday, May 25, 2025
HomeCVE/vulnerabilityThreat Actors Weaponize Excel Files To Attack Windows Machines

Threat Actors Weaponize Excel Files To Attack Windows Machines

Published on

SIEM as a Service

Follow Us on Google News

Attackers are using malicious Excel files with VBA macros to deploy DLLs and ultimately install Cobalt Strike on compromised Windows machines, which use obfuscation and target specific processes to avoid detection by antivirus software. 

The attacks appear to target Ukrainian systems and leverage geopolitical themes as lures,  highlighting a trend of increasingly complex and frequent attacks, especially during times of tension. 

Attack flow

A malicious Excel document targets Ukrainian users by exploiting disabled macros, where the document displays a fake security warning urging users to enable macros, which supposedly unlocks a military budget calculation sheet. Once enabled, a VBA macro deploys a HEX-encoded DLL downloader.

- Advertisement - Google News

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

The macro decodes the downloader, saves it to a hidden folder, and creates a shortcut that uses regsvr32 to execute the downloaded DLL, which aims to bypass string detection and establish malicious functionality on the compromised system. 

Excel document after enabling VBA

The malware downloader, obfuscated by ConfuserEx, first checks for running processes associated with analysis tools or antivirus software and terminates itself if any are found. 

It then retrieves the next stage payload from a geo-restricted URL, and if the device is in Ukraine, it downloads the payload (an SVG file), decodes it with a hardcoded key using XOR, and saves it to the TEMP folder. 

It executes the decoded payload (a.NET DLL) using rundll32.exe and deletes it to avoid detection.

The DLL decrypts another payload using RC4 and writes it to a specific location. It also adds a registry key to ensure persistence and launches the newly written file. 

Execute the “ResetEngine.dll”

ResetEngine.dll, a core component for malicious activity, uses NtDelayExecution to bypass sandbox detection, searches for processes, attempts to terminate parent processes to prevent debugging, and then decrypts the final payload using an AES algorithm

Finally, ResetEngine.dll injects the decrypted payload into itself and leverages various Windows APIs to execute the Cobalt Strike malware, including GetCurrentProcessId, OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, and WaitForSingleObject. 

 Writing Cobalt Strike into memory

Malware researchers at Fortinet discovered a multi-stage attack campaign targeting Ukraine.

The attack leverages VBA macros with encoded configuration strings to download malicious payloads, and the configuration is XOR-encoded and contains Cobalt Strike C2 server URLs. 

The attackers use location-based checks to evade detection and deploy a DLL injector that delays execution and terminates parent processes to bypass sandboxing and anti-debugging, which leads to the deployment of Cobalt Strike beacons for further compromise. 

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...