Operation PhantomBlu: Attackers Exploit Weaponized MS Office Doc to Breach Windows


Researchers at Perception Point have discovered a new malware campaign dubbed PhantomBlu, which targets US organizations. The campaign utilizes innovative methods to deploy the NetSupport RAT (Remote Access Trojan) by exploiting legitimate features of Microsoft Office document templates through OLE manipulation.

This tactic enables attackers to bypass detection and take control of victim machines for nefarious purposes such as keylogging, file transfer, and lateral movement within the network.

Operation PhantomBlu

Threat actors distributed phishing emails containing fabricated monthly salary reports to lure employees into downloading malicious DOCX files. The emails were sent through a legitimate email delivery platform to evade detection.

Upon opening the DOCX file, users were prompted to enable editing and click on an embedded OLE object disguised as a printer icon.

Upon clicking the icon, OLE template manipulation (T1221) was initiated, leading to the download of an archive containing a malicious LNK file. This marks the first observed instance of T1221 being utilized to deliver NetSupport RAT.

A forensic analysis of the LNK file uncovered a PowerShell dropper fetching a heavily obfuscated script from a URL. This script then retrieved another URL, downloaded a ZIP file, and unpacked it to execute the NetSupport RAT.

Examining the link’s code

The script additionally established a persistence mechanism by adding a registry key for autostart, bypassed user-agent gating on the secondary URL, and confirmed the script’s functionality.

The ZIP file contained another PowerShell script that dropped and executed NetSupport RAT (Client32.exe), revealing its command-and-control (C2) server infrastructure.

Perception Point reports that PhantomBlu delivers NetSupport RAT via a novel method using encrypted .doc files as carriers, exploiting OLE template injection (T1221) to deliver the payload.

It bypasses traditional security by embedding the malicious code within the template and requiring user interaction for execution, a shift from past NetSupport RAT campaigns that relied on basic phishing tactics and executable files. Perception Point's report also includes Indicators of Compromise (IOCs) for the campaign: hashes for the DOCX, ZIP, LNK and EXE files, alongside suspicious URLs, hostnames, and IP addresses.
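A defender-side triage check for the T1221 delivery described above, written as an added example (not Perception Point's or the article's code): it opens a DOCX as the OOXML zip it is, flags any relationship that attaches a template from outside the file, and lists embedded OLE parts such as the "printer icon" lure for review. The sample document and the template URL are constructed for the demonstration.

```python
import io
import re
import zipfile
from typing import Optional

# OOXML relationship type Word uses for an attached template (local or remote).
ATTACHED_TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                         "relationships/attachedTemplate")
REL_RE = re.compile(r"<Relationship\b[^>]*>")
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def scan_docx(data: bytes) -> dict:
    """Triage a DOCX for T1221-style remote template loading and embedded OLE parts."""
    findings = {"remote_templates": [], "ole_parts": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Embedded OLE objects (e.g. the "printer icon" lure) live under word/embeddings/.
        findings["ole_parts"] = [n for n in names if n.startswith("word/embeddings/")]
        # Attached templates are declared in .rels parts; settings.xml.rels is the usual spot.
        for name in names:
            if not name.endswith(".rels"):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            for rel in REL_RE.findall(xml):
                attrs = dict(ATTR_RE.findall(rel))
                if (attrs.get("Type") == ATTACHED_TEMPLATE_REL
                        and attrs.get("TargetMode") == "External"):
                    findings["remote_templates"].append(attrs.get("Target", ""))
    # A template fetched from outside the file is the T1221 signal; OLE parts are listed for review.
    findings["suspicious"] = bool(findings["remote_templates"])
    return findings


def build_sample_docx(remote_template: Optional[str], with_ole: bool) -> bytes:
    """Constructed minimal DOCX-shaped zip for testing; not a real document from the campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        rels = '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        if remote_template:
            rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_REL}" '
                     f'Target="{remote_template}" TargetMode="External"/>')
        rels += "</Relationships>"
        zf.writestr("word/_rels/settings.xml.rels", rels)
        if with_ole:
            zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()
```

Run `scan_docx(open("suspect.docx", "rb").read())` on a real attachment; the placeholder host `template.invalid` stands in for the campaign's actual template servers, which are in the article's IOC list.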



About the Author:

FirstHackersNews - Identifies Security
