APT40 defense industry

Execute a multi-stage macro-enabled Office document to download a malicious HTA file that will launch stage-2 malware.

TTP Tuesday: APT40 - Defense Industry

Stage and execute malicious multi-stage Office documents

Theme Overview

Our last release looked at the APT29 RNC hack and the use of AdFind to collect, compress, and exfiltrate files from a compromised host.

For this week’s TTP Tuesday we are releasing a new APT40 themed chain based on the use of multi-stage macro-enabled Office documents. These techniques, at the time used in concert with 0-days, are still relevant today and applicable to a wide audience.


MShta.exe is a Windows binary for executing HTML Application (HTA) files. MShta is a well-known LOLBin, an application or library that is included by default in an operating systems and may be abused to execute arbitrary code or perform other actions. LOLBins are interesting because they allow attackers to perform certain actions using signed binaries and libraries which are commonly used for normal behaviour of the host operating system. As an attacker, these binaries help us evade detection as we use them to fly under the radar of a blue team given the large amount of data these teams routinely process. This week, we’re looking at how MShta can be used to download and execute code contained in an HTA file.


Malicious Office documents, or maldocs, are everywhere. APT40 used a maldoc that, in addition to circa 2017 0-days, used MShta.exe to download and execute an HTA file that would then download second stage malware.

Our maldoc contains a couple steps:

1. Execute a VBA script to run MShta.exe and download a malicious HTA file from Operator.
2. The HTA file starts a new PowerShell session and downloads the second stage malware (we’re using a Pneuma agent) and runs it.

We’ve also conveniently broken out the MShta technique for use outside this maldoc.

Thanks for reading! We’ll be back next week with more examples of APT40 tradecraft!

Watch a demonstration: APT40 Defense Industry

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: privateducky
Alex: khyberspache
Kris: Xanthonus
Octavia: VVX7
Sam: wasupwithuman

Source: https://feed.prelude.org
Read more

Execute this chain

Download Operator (1.7.1)
Learn about Operator


Stage and launch a malicious Excel document
Stage Operator networking fact file
Execute an HTA payload using MShta
Stage and launch a malicious Word document