Saturday, May 24, 2025
Weaponized Excel, OneNote, or PDF Attachments Deliver New WikiLoader Malware


Italian organizations, including tax agencies, have been targeted by a new malware downloader that delivers a banking Trojan.

The new loader is under active development and employs a diverse set of sophisticated mechanisms to evade detection.

Proofpoint researchers identified the loader and dubbed it “WikiLoader.” It has been linked to TA544, a threat actor associated with the Ursnif banking Trojan, and has been used against Italian organizations in multiple campaigns since December 2022.


WikiLoader & Campaign Distribution

WikiLoader is a sophisticated downloader that installs a second-stage malware payload and uses unique evasion and code-implementation techniques to make detection and analysis difficult.

Since December 2022, security researchers at Proofpoint have found 8 campaigns spreading WikiLoader via email attachments such as:-

  • Excel
  • OneNote
  • PDFs

Moreover, two threat actors have been observed actively spreading WikiLoader:-

  • TA544
  • TA551

The threat group TA544 still uses macro-enabled documents to deliver WikiLoader, unlike other cybercriminals. Proofpoint first observed WikiLoader distribution on 27 Dec 2022.

The most notable WikiLoader campaigns are listed below:-

  • 27 Dec 2022
  • 8 Feb 2023
  • 11 July 2023

High-volume malicious emails targeted Italian firms with Excel attachments spoofing the Italian Revenue Agency; the documents carried VBA macros that triggered the WikiLoader downloader. This activity was attributed to TA544.

Excel Attachment (Source – ProofPoint)

On 8 Feb 2023, Proofpoint found an updated WikiLoader in an Italian campaign by TA544. VBA-enabled Excel documents led to WikiLoader installing Ursnif, this time with more advanced evasion techniques.

Attack Chain

Security analysts noted that on 31 March 2023 TA551 delivered WikiLoader via OneNote attachments containing hidden CMD files, targeting Italian organizations. This is a notable instance of a non-TA544 actor using the loader.

Cybersecurity analysts also identified more extensive changes to the malware in TA544’s high-volume campaign of 11 July 2023, in which the threat actors used accounting-themed PDFs to deliver WikiLoader via JavaScript.

Threat actors often use packed downloaders for stealth and control. WikiLoader’s first stage is obfuscated with push/jmp instruction sequences that hinder analysis tools, and it uses indirect syscalls to bypass EDR solutions.

Attack Chain (Source – ProofPoint)

The malware used unusual URL paths mimicking compromised hosts, a common threat-actor tactic for leveraging existing infrastructure without registering new domains.

WikiLoader Evolution

First version – 27 December 2022:-

  • No string encoding within the shellcode layers
  • Structures used for indirect syscalls were simpler 
  • Shellcode layers didn’t contain as much obfuscation
  • Fewer APIs were used within the shellcode layer
  • Potentially one less stage of shellcode
  • The fake domain was manually created rather than via automation 

Second version – 8 February 2023:-

  • Added complexity to the syscall structure
  • Implemented more busy loops
  • Began using encoded strings
  • Started deleting artifacts from the file download

Third version – 11 July 2023:-

  • Strings are still encoded via skip encoding
  • A new technique for implementing indirect syscalls
  • The second filename is pulled via the MQTT protocol rather than reaching the compromised web hosts
  • Cookies containing basic host information are exfiltrated by the loader
  • Full execution of the loader takes almost an hour given the abundance of busy loops
  • Shellcode stages are written byte by byte via NtWriteVirtualMemory rather than a single pass
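As an added illustration of the third-version behaviour listed above (not code from the article or from Proofpoint), the following script scans a constructed API-call trace for long runs of 1-byte NtWriteVirtualMemory calls to consecutive addresses, the telemetry shape that byte-by-byte shellcode staging produces; the log format, process IDs and addresses are assumptions.

```python
"""Flag byte-by-byte remote memory writes in an API-call trace.

Added example, not code from the article or from Proofpoint; the trace format
and every value below are constructed to illustrate the pattern."""
from collections import defaultdict


def parse_trace(text):
    """Yield (pid, api, target_pid, address, size) from the constructed trace."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            pid, api, target, addr, size = line.split()
            yield int(pid), api, int(target), int(addr, 16), int(size)


def find_byte_by_byte_writes(text, min_run=64):
    """Return {(pid, target_pid): [(start_addr, run_len), ...]} for runs of at
    least min_run consecutive 1-byte NtWriteVirtualMemory calls whose
    destination address advances by exactly one byte per call."""
    runs = defaultdict(list)
    state = {}  # (pid, target) -> [run_start, next_expected_addr, run_len]
    for pid, api, target, addr, size in parse_trace(text):
        if api != "NtWriteVirtualMemory":
            continue
        key = (pid, target)
        cur = state.get(key)
        if size == 1 and cur and addr == cur[1]:
            cur[1] += 1          # contiguous 1-byte write: extend the run
            cur[2] += 1
            continue
        if cur and cur[2] >= min_run:   # run broken: report it if long enough
            runs[key].append((cur[0], cur[2]))
        state[key] = [addr, addr + 1, 1] if size == 1 else None
    for key, cur in state.items():    # flush runs still open at end of trace
        if cur and cur[2] >= min_run:
            runs[key].append((cur[0], cur[2]))
    return dict(runs)


def build_sample_trace():
    """Constructed trace: a benign process writes one 4 KiB block in a single
    call; a loader-like process writes 200 shellcode bytes one byte at a time."""
    lines = ["# pid api target_pid address size"]
    lines.append("1800 NtWriteVirtualMemory 1800 0x20000 4096")
    lines += [f"4120 NtWriteVirtualMemory 4120 {0x1a0000 + i:#x} 1" for i in range(200)]
    return "\n".join(lines)


if __name__ == "__main__":
    for (pid, target), hits in find_byte_by_byte_writes(build_sample_trace()).items():
        print(f"pid {pid} -> {target}: {len(hits)} byte-by-byte run(s) {hits}")
```

A real EDR or sandbox trace will interleave other calls and processes; the run is keyed per writer/target pair so unrelated activity does not break it, and the threshold is the knob to tune against legitimate small writes.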

IoCs

IoCs (Source – ProofPoint)


Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
