Stage and launch a malicious Word document

Stages and opens a macro-enabled Word document. The macro loads Operator network config facts from a previously staged file, then executes mshta.exe to run a malicious HTA file hosted on Operator. The HTA then downloads and executes a secondary Pneuma agent.

Test this TTP

Test this TTP using one of our Operator chains:

Is my host protected against APT37?
Stage and execute APT37.

APT40 defense industry
Emulating APT40's multi-stage macro-enabled documents.