Operation KEYMARBLE 2019
The campaign targets companies in Russia with Microsoft Office documents containing malicious macros. The system is infected only after the victim accepts the "enable macro" security warning. The final payload used in the attacks is a new version of the KEYMARBLE backdoor. The attackers use Dropbox in the second stage of the infection chain and include a benign PDF file as a decoy document to make the files used in the campaign appear legitimate.