Stage and launch a malicious Word document

/static/assets/windows-logo.svg
Stages and opens a macro-enabled Word document. The macro loads Operator network config facts from a previously staged file, then executes mshta.exe to run a malicious HTA file hosted on Operator. The HTA then downloads and executes a seconardy Pneuma agent.
locked
View Command

To view this TTPs command, you must be logged in with a professional or enterprise license.

Login

Test this TTP

Download Operator (1.7.0)
Test this TTP using one of our Operator chains
APT40 defense industry

2022-04-12

/static/assets/windows-logo.svg
Emulating APT40's multi-stage macro-enabled documents.