September 6, 2024 By Jeffrey Burt
Hackers are abusing a legitimate tool used by organizations’ red teams to deliver malicious payloads, including a new variant of the PhantomCore remote access trojan (RAT). PhantomCore has been attributed to Head Mare, a Ukrainian hacktivist group that runs cyberespionage campaigns against government offices and businesses in Russia.
Red teams use the MacroPack payload generator framework to build the documents they drop in simulated attacks against their own organizations’ IT systems. Threat actors, however, are using the same framework for real operations, according to a researcher with Cisco’s Talos threat intelligence unit. The dual-use nature of the tool matters for defenders: artifacts left by MacroPack indicate that the generator was used, not who used it, so a detection keyed on them should be checked against any authorized red-team engagement that is under way before it is treated as an intrusion.
MacroPack was developed by French developer Emeric Nasi.
Talos found several Microsoft Office documents, built with a version of MacroPack, that multiple threat actors uploaded to VirusTotal between May and July. The most recent samples were uploaded from sources in the United States, China, Russia and Pakistan, among other countries, Vanja Svajcer, outreach researcher for Talos, wrote in a report published this week.