Finding the Unknown Unknowns, Part 4 (NilePhish, SneakyChef, Muddy Water, and a bonus unc)

Oct 20, 2025 by StrikeReady Labs 8 minutes

Be sure to read parts 1, 2, and 3 of this series for a bit of background. In this article, we highlight how our threat analysts have surfaced recent interesting threats, and the techniques that worked equally well to uncover these focused operations. These are four unrelated clusters of activity, but the discovery methodology was similar for each.

Targeted threat hunt activity can often require sharp attention to a mundane task, such as scrolling through large sorted lists of file names, waiting for one to pop out -- very similar to being a macrodata refinement specialist.

This blog covers four such activities that led to the discovery of the following APT threats:

  • LINXA.zip, NilePhish, targeting Yemen, from August 2025

  • Möhüm duýduryş.doc, SweetSpecter, targeting CIS countries, from August 2025

  • Middle East and Maritime Economy.doc, MuddyWater, targeting Oman, from October 2025

  • Riga2025.pptm, unknown actor, targeting Bosnia and Herzegovina, from June 2025


One of our most useful daily hunts is looking at any new LNK file in our telemetry, surfaced both from customers and from VT, although this blog only leverages publicly available samples. The count of new files is low, so each can be eyeballed.

First up, we see a phish associated with NilePhish, a campaign reported on in 2017 by Citizen Lab that originally targeted Egyptian NGOs. In this case, a Yemeni ISP was targeted in August of 2025 with New-logins-to-LINXA-SMS-P2P.docx.lnk (85cf58f89479740b47690d83393aea0d).


Figure 1: NilePhish … phish



The LNK first identifies itself by looking in the current directory (.) for a .lnk file with a size of 0x0006A2B6, or 434870 bytes. It then carves a file out of itself, XORs each byte with 0x12, reads from an offset, and runs the result. This is a bizarre amount of work to do just to launch an empty decoy file, Document.docx (4c390cbf4581ea236778f9526af72b47), considering that the actual next stage is hosted at an unobfuscated URL in the PowerShell.


Figure 2: NilePhish lnk executed content



Below is an example PHP script that emulates this same file carving behavior.


Figure 3: PHP script to decode the decoy docx from inside the lnk

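
As an added illustration (not the post's PHP script and not the actor's code), here is a Python equivalent of the carve-and-XOR step. The real LNK reads from a fixed offset that the post does not quote, so this version locates the encoded docx by searching for the zip magic XORed with 0x12; the blob it builds for itself is a constructed stand-in, not the real LNK.

```python
import io
import zipfile

XOR_KEY = 0x12               # per-byte key the LNK applies to its embedded payload
LNK_SIZE = 0x0006A2B6        # 434870 bytes, the size the LNK uses to recognise itself
DOCX_MAGIC = b"PK\x03\x04"   # every OOXML (docx) file starts with a zip local header


def is_expected_size(blob: bytes) -> bool:
    return len(blob) == LNK_SIZE


def find_encoded_offset(blob: bytes, key: int = XOR_KEY) -> int:
    """Offset of the XOR-encoded docx header, or -1 if absent. The post does
    not give the hard-coded offset, so search for the magic under the key."""
    needle = bytes(b ^ key for b in DOCX_MAGIC)
    return blob.find(needle)


def carve_decoy(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Emulate the LNK: take everything from the offset onward and XOR it.
    If the real file has trailing bytes after the archive, trim them first."""
    off = find_encoded_offset(blob, key)
    if off < 0:
        raise ValueError("no XOR-encoded docx header found")
    return bytes(b ^ key for b in blob[off:])


def looks_like_docx(data: bytes) -> bool:
    """Sanity check: a docx is a zip that carries a [Content_Types].xml entry."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "[Content_Types].xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def build_sample_lnk() -> bytes:
    """Constructed stand-in for the real LNK: a 64-byte filler header
    followed by an empty docx XOR-encoded with the key."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    encoded = bytes(b ^ XOR_KEY for b in buf.getvalue())
    return b"L\x00\x00\x00" + b"\x90" * 60 + encoded


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_lnk()
    if not is_expected_size(blob):
        print(f"note: {len(blob)} bytes, not the {LNK_SIZE} the sample checks for")
    decoy = carve_decoy(blob)
    print(f"carved {len(decoy)} bytes at offset {find_encoded_offset(blob)}, docx={looks_like_docx(decoy)}")
```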


The next stage, available in the appendix, was hosted on a temporarily compromised major Syrian webhosting provider. The PowerShell downloaded from it has hallmarks of having been generated with GenAI. Using this somewhat localized victim as a second-stage host likely provided little operational benefit, and why it was chosen is unknown.


Figure 4: second stage powershell



From here, we can see the next three stages: upupload.co/share3dbfvjkkjdfikww/taskhostw.exe, upupload.co/share3dbfvjkkjdfikww/f4ea3535-b9cd-4ae1-a963-5cd704ae5f0a, and upupload.co/share3dbfvjkkjdfikww/b3Vsh. taskhostw.exe is the legitimate AutoIt binary, f4ea3535-b9cd-4ae1-a963-5cd704ae5f0a is a compiled AutoIt script, and b3VshIW is an obfuscated base64 blob.

Many analysts use parsers from https://www.clamav.net/ to speed up their work, and in this case you could dump the compiled (otherwise unreadable) AutoIt script by running something like clamscan --leave-temps --tempdir=. f4ea3535-b9cd-4ae1-a963-5cd704ae5f0a.


Figure 5: decompiled autoit script



Reading the AutoIt script, one can notice that it reads the b3VshIW file and replaces 0x2A (*) with 0x41 (A). The script eventually decodes the obfuscated base64 to an exe named exe_stager.exe, described as Op Agent. This is a SharpC2 sample that beacons to soartire.net.

Pivoting on this unique-looking obfuscation inside AutoIt, we can make our way to https://topsupload.com/FMfcgzGxTNtmNvfMwjWXnnhBbPTnQGK/ZkDuGZBpDh and the PowerShell that calls it, e7906e4dd22e651087a8bacce7a688dd. We can carve the payload as above, and we are left with d1685aed0c3703545f4ca0cb2cfac17a, which also beacons to soartire.net. Lastly, Emerging Threats and/or Proofpoint link both of those domains, via urlquery, to UNK_NilePhish.
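
An added Python helper (not from the post, and not the actor's AutoIt script) that reverses the '*'-for-'A' substitution described above and then checks that what comes out is a PE; the obfuscated blob it builds for itself is constructed, not b3VshIW.

```python
import base64
import re
import struct


def deobfuscate_star_b64(blob: bytes) -> bytes:
    """Undo the AutoIt stage's trick: every 0x2A ('*') stands in for 0x41 ('A').
    '*' is not in the base64 alphabet, so the replacement is unambiguous."""
    text = blob.replace(b"*", b"A")
    text = re.sub(rb"\s+", b"", text)       # tolerate line breaks in the file
    text += b"=" * (-len(text) % 4)         # restore padding if it was stripped
    return base64.b64decode(text, validate=True)


def is_pe(data: bytes) -> bool:
    """Cheap sanity check: MZ header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_sample_blob() -> bytes:
    """Constructed stand-in for b3VshIW: a minimal MZ/PE stub, base64-encoded,
    with every 'A' swapped for '*' the way the actor's loader expects."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", stub, 0x3C, 0x40)          # e_lfanew -> 0x40
    stub += b"PE\x00\x00" + b"\x00" * 20
    return base64.b64encode(bytes(stub)).replace(b"A", b"*")


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_blob()
    out = deobfuscate_star_b64(blob)
    print(f"decoded {len(out)} bytes, PE={is_pe(out)}")
```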


The next sample, Möhüm duýduryş.doc, was discovered by a hunt that watches for Office documents containing an XOR. While macros have fallen out of favor, due to broad-based improvements championed by one particular threat researcher at Microsoft, they are still leveraged on a smaller scale by crime and APT actors alike. Combining frequency analysis with linguistic or country-based submission data will easily surface interesting threats to the top, although it may also cause some interesting threats to be brushed away. In this case, the macro containing the string "xor", combined with the submitter being from Turkmenistan, was a good indicator that this was an interesting sample.


Figure 6: unique xor function found in sneakychef files



The act of XOR-ing strings, all these years later, is still a solid indicator for surfacing targeted threats.

The document leverages DLL sideloading through the Calibre ebook reader to load its payload. Pivoting on indicators in the macro, as well as the same sideloader, leads us to Проект Доп соглашения к Договору_2025.doc (eef9fe0c9619b75b9553243fd19709e4), uploaded from Kazakhstan. The document drops a payload to disk and registers a scheduled task in a very particular way:

schtasks -CreAte -sC minute -mo 2 -tn "MicrosoftEdgeUpdateTaskMachineUA{73444F9E-3124-440E-972P-9239645R6BB2}" -tr "\"C:\ProgramData\USOShared\Logs\ebook-edit.exe\""

An astute look at the capitalization would notice strange patterns in the arguments, specifically the odd mix of upper- and lower-case letters. Similar scheduled task capitalization could be seen in 22573d874ac9ffa785e57d94e243b48d, uploaded from Uzbekistan, and 0287ba0ecc176ae63ea1d1e053654f32, also from Turkmenistan. A further analysis, specifically completing a ctrl-c/ctrl-v, would notice that this same victim set (CIS) and the same schtasks capitalization appeared in the SneakyChef report from Cisco's Talos, and in the associated UNK_SweetSpecter reporting from our friends at Proofpoint.
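
One way to turn the capitalization observation into a detection, as an added example that is not from the post: flag schtasks command lines whose flags are neither all-lower, all-upper nor simply capitalized (as -CreAte and -sC are), and task names whose GUID-shaped suffix contains non-hex characters (the quoted task name has a P and an R in it). The command lines other than the one quoted in the post are constructed.

```python
import re

FLAG_RE = re.compile(r"^[/-]([A-Za-z]+)$")
GUIDISH_RE = re.compile(r"\{([0-9A-Za-z]{8}(?:-[0-9A-Za-z]{4}){3}-[0-9A-Za-z]{12})\}")
HEX_GUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")


def mixed_case_flags(cmdline: str) -> list[str]:
    """/create, /CREATE and /Create are how humans and tooling write flags;
    -CreAte or -sC is not. Return the offending tokens."""
    found = []
    for tok in cmdline.split():
        m = FLAG_RE.match(tok)
        if m:
            name = m.group(1)
            if not (name.islower() or name.isupper() or name.istitle()):
                found.append(tok)
    return found


def bogus_guids(cmdline: str) -> list[str]:
    """GUID-shaped values in braces that contain characters outside 0-9A-F."""
    return [g for g in GUIDISH_RE.findall(cmdline) if not HEX_GUID_RE.match(g)]


def is_suspicious_schtasks(cmdline: str) -> bool:
    if not re.search(r"\bschtasks(?:\.exe)?\b", cmdline, re.I):
        return False
    return bool(mixed_case_flags(cmdline) or bogus_guids(cmdline))


# Constructed sample process-creation command lines. The first is the command
# quoted in the post; the second is a benign-looking Edge update task written
# the way a legitimate installer would, for contrast.
SAMPLE_CMDLINES = [
    r'schtasks -CreAte -sC minute -mo 2 -tn "MicrosoftEdgeUpdateTaskMachineUA{73444F9E-3124-440E-972P-9239645R6BB2}" -tr "\"C:\ProgramData\USOShared\Logs\ebook-edit.exe\""',
    r'schtasks /Create /SC HOURLY /TN "MicrosoftEdgeUpdateTaskMachineUA{A1B2C3D4-E5F6-4A7B-8C9D-0E1F2A3B4C5D}" /TR "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"',
    r'cmd.exe /c whoami',
]


def triage(cmdlines=SAMPLE_CMDLINES) -> list[dict]:
    """Return one record per suspicious schtasks invocation with the evidence."""
    return [{"cmdline": line,
             "flags": mixed_case_flags(line),
             "guids": bogus_guids(line)}
            for line in cmdlines if is_suspicious_schtasks(line)]


if __name__ == "__main__":
    for hit in triage():
        print(hit["flags"], hit["guids"])
```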


In our third hunting example, Middle East and Maritime Economy.doc (d9619d23098231bec2f17787d1d1b182) was submitted to VT on October 7th 2025. Broadly distributed attacks are easily filterable based on overlaps in filenames, hashes, C2 infrastructure, etc. What is left should be filtered by submitter country, to surface filenames in a bucket small enough to make outliers pop. Oman has been a key facilitator of negotiations between Iran and the United States, although recently contaminated Iranian water has been an issue of humanitarian and diplomatic contention. It was also compromised shortly before this activity, in a phish highlighted by ClearSky and Dream Group. It is not unusual to see continued targeting and retargeting of the same victim, and hence prior victimization is a valuable input to a sorting algorithm.

Pivoting on code artifacts is often done on non-malicious components in the execution chain. Looking back at this excellent article from NSFocus, we can see iden.doc (1ee73b17111ab0ffb2f62690310f4ada). In that attack, we can see the following delay function, implemented in the Word macro.


Figure 7: custom loop code used in some MW spears



In this case, the loop is going to run 100 x 100 x 100 x 100 times, or 100 million iterations. Although that is nothing for a modern CPU, remember that this is VBA running inside Word, so the delay added could be a couple of seconds. In other samples the loop is implemented with 110 iterations, and in others the variable names change, but the concept is the same. Using this as a pivot point, and leveraging other artifacts about the macro, behavior, or payload, we can link our original sample to these:

Sample                                        md5
Online Seminar.FM.gov.om.doc                  3ab16bd1c339fd0727be650104b74dd1
Online Seminar.MFA.gov.ct.tr (2).doc          1de19958e7c2ef14addfb35b43a594ec
DPR for dredging in FreeSpan_16082025.2.doc   e73ba93d008affdc4cce0cb4e18ae5c6
AIC_2025.doc                                  07502104c6884e6151f6e0a53966e199
Transfer receipt #27790.doc                   561b2983d558283c446ff674ff6138c3

Figure 8: other MW samples


Lastly, this pivot also brings us to Report.doc (adf7606b900fa1d4630f7fd63a585e60), which was seen in August of 2025 targeting users at TM Cell, the state-owned mobile operator in Turkmenistan.


Figure 9: MW phish against Turkmenistan




For our last example, in July 2025, an attacker leveraged a suspected compromised account of a Greek law enforcement officer to target the military of Bosnia and Herzegovina with a payload named Riga2025.pptm, hosted on Mega, a download site run by Kim Schmitz.

Sorting documents with macros by name, with some sort of fuzzy matching, is necessary to weed out the broadly distributed malware. After that, you are left with a combination of red teams, students, false positives, and targeted threats. If one were to bucketize the results, it would become clear that the number of new PowerPoint files with macros is close to zero on a daily basis.


Figure 10: unc phish against the Bosnian military



The PowerPoint file contains a macro that can be dumped with the aforementioned ClamAV's sigtool --vba {file}. Examining the macro, we can see rudimentary obfuscation.


Figure 11: custom macro obfuscation



The macro loops through the first four slides, checks for shapes that have text, then essentially XORs each character of the content with 97, unless the character is a %. In another section, it reads slide 1 via activepresentation.slides(1 + 123 - 11 - 23 - 89 * 2 + 89), which had us briefly recalling PEMDAS.

The content that will be carved can be observed visually below.


Figure 12: PPT decoy content with real payload embedded

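
An added Python reimplementation of the macro's carving logic described above (not the macro itself, and the pptm it builds for itself is a constructed stand-in for Riga2025.pptm): walk slides 1 to 4 inside the pptm zip, collect the text of every shape that has any, and XOR each character with 97 except %.

```python
import io
import re
import zipfile
from xml.sax.saxutils import escape, unescape

XOR_KEY = 97          # the macro's constant
SKIP = "%"            # the one character the macro leaves untouched
# the macro's obfuscated way of writing slide index 1 (it evaluates to 1)
SLIDE_INDEX = 1 + 123 - 11 - 23 - 89 * 2 + 89

SHAPE_RE = re.compile(r"<p:sp(?:\s[^>]*)?>.*?</p:sp>", re.S)
TEXT_RE = re.compile(r"<a:t(?:\s[^>]*)?>(.*?)</a:t>", re.S)


def decode_text(s: str, key: int = XOR_KEY) -> str:
    """XOR every character with the key except '%'. XOR is its own inverse,
    so the same function encodes as well."""
    return "".join(c if c == SKIP else chr(ord(c) ^ key) for c in s)


def shape_texts(slide_xml: str) -> list[str]:
    """Concatenated run text of each shape that has text, in slide order."""
    out = []
    for sp in SHAPE_RE.findall(slide_xml):
        runs = TEXT_RE.findall(sp)
        if runs:
            out.append(unescape("".join(runs)))
    return out


def carve_from_pptm(data: bytes, slides=(1, 2, 3, 4)) -> str:
    """Walk the first four slides of a pptm (a zip) the way the macro does."""
    decoded = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for n in slides:
            name = f"ppt/slides/slide{n}.xml"
            if name in zf.namelist():
                xml = zf.read(name).decode("utf-8")
                decoded.extend(decode_text(t) for t in shape_texts(xml))
    return "".join(decoded)


def build_sample_pptm(plain: str) -> bytes:
    """Constructed stand-in: two slides whose shapes carry the encoded text,
    split across slides. Use uppercase/digits/% in `plain` so the encoded form
    stays printable and no character collides with the skipped '%'."""
    enc = decode_text(plain)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        half = len(enc) // 2
        for n, chunk in ((1, enc[:half]), (2, enc[half:])):
            zf.writestr(f"ppt/slides/slide{n}.xml",
                        "<p:sld><p:sp><p:txBody><a:p><a:r><a:t>" + escape(chunk)
                        + "</a:t></a:r></a:p></p:txBody></p:sp><p:sp/></p:sld>")
    return buf.getvalue()
```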


The payload ow123msadmasj41.exe (dd29118838755821c884a7b03f647610) is dropped into the temp directory and executed. Among other things, it grabs Chrome's encrypted_key from Chrome\User Data\Local State using the regex below.


Figure 13: required IDA-esque screenshot



The payload then connects to Telegram (api.telegram.org) with the key bot7193072067:AAFtelSAd83tmG-ZwLy9VQv4Z9b1GLr4OXY and chat_id 7908204245.

Figure 14: network traffic from payload




Our GitHub provides a download of the relevant files mentioned in this blog.

Acknowledgements

The authors would like to thank the reviewers, as well as peer vendors, for their comments and corrections. Please get in touch at research@strikeready.com if you have corrections, would like us to use your group name, or would like to collaborate on research.



