Are MOUSEISLAND malware procedures mitigated on this host?

This TTP downloads a ZIP file whose archive holds a Microsoft Word document containing a macro. If Microsoft Office is installed on the host, the TTP attempts to open the Word document.

MOUSEISLAND was listed in CISA's "2021 Top Malware Strains" advisory and has been active since 2019. MOUSEISLAND is classified as a macro downloader. MOUSEISLAND is usually found within the embedded macros of a Microsoft Word document and can download other payloads. The primary delivery method for MOUSEISLAND is phishing.

At a high level, some of MOUSEISLAND's capabilities are:

  • Initial access - Usually delivered in phishing emails as a malicious attachment.
  • Execution - Malicious Office files are executed to initiate additional stages or run a payload.

This TTP was designed to emulate MOUSEISLAND's execution capabilities. Microsoft Defender may flag this TTP as TrojanDownloader:O97M/Donoff.PL.


Execute "Are MOUSEISLAND malware procedures mitigated on this host?" in Operator on each host in your environment to test if you are vulnerable.

This TTP downloads a zip file containing an MS Word document with a macro. If 7zip is installed, the TTP downloads a password-protected archive and extracts the Word document using the password (prelude). If 7zip is not installed, the TTP downloads a zip that is not password-protected and uses Expand-Archive to extract the file. A new directory, Documents, is created in $env:temp. The TTP then performs a conditional check to verify that the Word document, documento-03.26.2021_9657652.doc, was extracted successfully and is on disk. A second conditional check verifies that MS Word is installed at the following path: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE. If MS Word is found, the TTP attempts to open the Word document. Most likely, the macro security setting in Word is still at its default value, which requires human interaction to enable macros. Since automatic macro execution should be disabled, the macro will not run. After 5 seconds, the TTP attempts to stop the Microsoft Word process and delete all artifacts.


CISA lists ‘Immediate Actions You Can Take Now to Protect Against Malware’. One of the actions listed is to provide end-user awareness and training about social engineering and phishing. This is important since the vector for initial access is via phishing. To further protect your systems, ensure Microsoft Word is configured to block automatic macro execution.
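As an added example (not part of the Prelude TTP or this post's original content), the following PowerShell reports the effective Word macro security level and the Mark-of-the-Web block setting, so the "block automatic macro execution" recommendation above can be checked on a host before running the TTP. It assumes Office 16.0 (matching the Office16 path used by the TTP); the function name and output fields are the example's own.

```powershell
# Added example: audit Word's macro security configuration.
# VBAWarnings: 1 = enable all, 2 = disable with notification (Word default),
#              3 = disable except digitally signed, 4 = disable all, no notification.
# blockcontentexecutionfrominternet: 1 = block macros in files downloaded from the internet.
function Get-WordMacroPolicy {
    param([string]$OfficeVersion = '16.0')   # assumption: Office 2016/365 hive

    $policyPath = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Word\Security"
    $userPath   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Security"
    $meaning = @{
        1 = 'Enable all macros (not recommended)'
        2 = 'Disable all macros with notification (Word default)'
        3 = 'Disable all except digitally signed macros'
        4 = 'Disable all macros without notification'
    }

    # Group Policy overrides the per-user preference, so read it first.
    $level  = 2            # Word behaves as level 2 when no value is written
    $source = 'NotSet'
    foreach ($path in @($policyPath, $userPath)) {
        $item = Get-ItemProperty -Path $path -Name VBAWarnings -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $level  = [int]$item.VBAWarnings
            $source = if ($path -eq $policyPath) { 'GroupPolicy' } else { 'UserPreference' }
            break
        }
    }

    # MOTW block only exists as a policy value; treat "missing" as not enforced.
    $motw = Get-ItemProperty -Path $policyPath -Name blockcontentexecutionfrominternet `
                -ErrorAction SilentlyContinue
    $motwBlocked = ($null -ne $motw) -and ([int]$motw.blockcontentexecutionfrominternet -eq 1)

    [pscustomobject]@{
        Source            = $source
        VBAWarnings       = $level
        Meaning           = $meaning[$level]
        # Levels 3 and 4 never run an unsigned macro from a phished .doc;
        # level 2 still depends on the user not clicking "Enable Content".
        MacrosHardened    = $level -ge 3
        InternetMotwBlock = $motwBlocked
    }
}

Get-WordMacroPolicy | Format-List
```

A result of `MacrosHardened : False` with `InternetMotwBlock : False` means the host is relying on the Word default and on users declining the "Enable Content" prompt, which is exactly the condition this TTP exercises.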

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
