TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Intezer

Tracing a Paper Werewolf campaign through AI-generated decoys and Excel XLLs

Nicole Fishbein · 2025-12-19

ATT&CK techniques detected

18 predictions

T1071.001 Web Protocols (98%)
“…b2109d860bb45e9d0a8eb The dropped payload is a 64-bit backdoor with hardcoded configuration and C2 address. It collects system information and communicates with the C2 over HTTP(S) using the WinHTTP API. The data collected by EchoGather consists of: IPv4 addresses, OS type…”

T1564.004 NTFS File Attributes (92%)
“The domain was resolved to the same address seen in the previous domain: 172.64.80[.]1. On November 26th it was resolved to 193.233.18[.]137, in Russia based on geolocation. The IP address is linked to different malicious domains. Using VirusTotal, we pivoted on the doma…”

T1564.004 NTFS File Attributes (84%)
“…these ADS paths and extracts the hidden data streams, placing them in unintended or sensitive locations such as %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. The phrase “письмо мипромторг” is misspelled; the correct form is “письмо минпромторга.” This …”

T1030 Data Transfer Size Limits (83%)
“…response. 0x45 Return configuration: sends the embedded configuration structure to the C2. 0x56 File exfiltration: the backdoor begins by extracting a request ID and the name of the file to be exfiltrated. It opens the specified file, determines its total size, and calculates how m…”

T1055.012 Process Hollowing (83%)
“…making the execution appear benign at first and allowing the second-stage payload to activate covertly after the sandbox times out or AV heuristics complete. SHA-256: 0506a6fcee0d4bf731f1825484582180978995a8f9b84fc59b6e631f720915da. The embedded file is dropped as mswp.exe i…”

T1204.002 Malicious File (71%)
“…, a backdoor we named EchoGather. Once launched, the backdoor collects system information, communicates with a hardcoded command-and-control (C2) server, and supports command execution and file transfer operations. While it uses the XLL format for delivery, its execution ch…”

T1055.001 Dynamic-link Library Injection (70%)
“…some threat actors chose XLL-based delivery methods rather than macro-based. Loader behavior: the DLL exports two functions, xlAutoOpen and xlAutoClose, both of which return zero. This behavior differs from that of legitimate XLL add-ins as well as from previously documented…”

T1055.001 Dynamic-link Library Injection (68%)
“…xlAutoOpen, initialization code, or xlAutoClose, when unloading. Often malicious XLLs embed their payload inside xlAutoOpen or through a secondary loader, so that code runs immediately once Excel imports the DLL. Excel XLL add-ins and macros differ mainly in how they execute an…”

T1566.001 Spearphishing Attachment (59%)
“…-linep[.]com/upload/docc1.ps1) and saves it to the current working directory. The script is then executed via a new PowerShell instance with execution policy restrictions bypassed. The downloaded script (docc1.ps1) extracts both a PDF file and an EchoGather payload, …”

T1204.002 Malicious File (51%)
“…-linep[.]com/upload/docc1.ps1) and saves it to the current working directory. The script is then executed via a new PowerShell instance with execution policy restrictions bypassed. The downloaded script (docc1.ps1) extracts both a PDF file and an EchoGather payload, …”

T1059.001 PowerShell (48%)
“…these ADS paths and extracts the hidden data streams, placing them in unintended or sensitive locations such as %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. The phrase “письмо мипромторг” is misspelled; the correct form is “письмо минпромторга.” This …”

T1204.002 Malicious File (46%)
“Tracing a Paper Werewolf campaign through AI-generated decoys and Excel XLLs. An XLL is a native Windows DLL that Excel loads as an add-in, allowing it to execute arbitrary code through exported functions like xlAutoOpen. Since at least mid-2017, threat actors began abusing …”

T1055.001 Dynamic-link Library Injection (44%)
“…, a backdoor we named EchoGather. Once launched, the backdoor collects system information, communicates with a hardcoded command-and-control (C2) server, and supports command execution and file transfer operations. While it uses the XLL format for delivery, its execution ch…”

T1221 Template Injection (43%)
“Tracing a Paper Werewolf campaign through AI-generated decoys and Excel XLLs. An XLL is a native Windows DLL that Excel loads as an add-in, allowing it to execute arbitrary code through exported functions like xlAutoOpen. Since at least mid-2017, threat actors began abusing …”

T1059.001 PowerShell (40%)
“…resolved to 199.59.243[.]228. After that and until November 26th all of the resolutions were on Cloudflare instances. From September 18th to November 24th the domain was resolved to 172.64.80[.]1. On November 27th it was resolved to 94.103.3[.]82. The address is conn…”

T1587.001 Malware (39%)
“…techniques and newly developed payloads. These changes suggest an effort to enhance their capabilities. However, there are still clear gaps in both technical execution and linguistic accuracy, indicating that their tradecraft is still developing. IOCs: XLL loader 0506a6fcee0d4bf73…”

T1071 Application Layer Protocol (37%)
“…C2 communications, EchoGather uses the WinHTTP API. It supports various proxy configurations and is designed to ignore SSL/TLS certificate validation errors, allowing it to operate in environments with custom or misconfigured proxy and certificate settings. Supported commands e…”

T1041 Exfiltration Over C2 Channel (32%)
“…response. 0x45 Return configuration: sends the embedded configuration structure to the C2. 0x56 File exfiltration: the backdoor begins by extracting a request ID and the name of the file to be exfiltrated. It opens the specified file, determines its total size, and calculates how m…”

Summary

Learn about a new backdoor, a novel XLL execution trick, AI-generated decoy documents, exploitation of a new WinRAR CVE, and more.

The post Tracing a Paper Werewolf campaign through AI-generated decoys and Excel XLLs appeared first on Intezer.