PowerPoint Malware

APT28 (aka Fancy Bear), a Russian state-sponsored threat actor, has been discovered using a new code execution method that uses mouse movement in decoy Microsoft PowerPoint documents to deploy malware.

PowerPoint Malware
PowerPoint Malware

Security company Cluster25 claimed in a technical paper that the method is intended to be activated when the user starts presentation mode and moves the mouse. This PowerShell script then downloads and runs a OneDrive dropper through code execution.

The dropper, which appears to be a harmless image file, serves as a conduit for a follow-on payload, a variant of Graphite malware that uses the Microsoft Graph API and OneDrive for command-and-control (C2) communications to retrieve additional payloads.

NEXT MASTERCLASS Cyber Security On A Budget: Protect Your Small Business From Hackers

The attack uses a decoy document possibly linked to the Organization for Economic Co-operation and Development (OECD), an intergovernmental organization based in Paris.

Cluster25 speculated that the attacks may still be ongoing, given that the URLs used appeared active in August and September, despite the hackers have laid the groundwork for the campaign in January and February.

The company added that potential targets of the operation include entities and individuals working in the defence and government sectors of Europe and Eastern Europe, citing an analysis of geopolitical objectives and the gathered artifacts.

This is not the first time the antagonistic collective has used Graphite. Trellix disclosed a similar attack chain in January 2022 that used the MSHTML remote code execution vulnerability (CVE-2021-40444) to drop the backdoor.

The development indicates that APT28 (aka Fancy Bear) is continuing to hone its technical tradecraft and evolve its methods for maximum impact as previously viable exploitation routes (e.g., macros) cease to be profitable.


Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.

This website uses cookies to improve your online experience. By continuing, we will assume that you are agreeing to our use of cookies. For more information, visit our Cookie Policy.

Privacy Preference Center