G0018 admin@338

admin@338 has attempted to get victims to launch malicious Microsoft Word attachments delivered via spearphishing emails.[1]

S0331 Agent Tesla

Agent Tesla has been executed through malicious e-mail attachments.[2]

G0130 Ajax Security Team

Ajax Security Team has lured victims into executing malicious files.[3]

G0138 Andariel

Andariel has attempted to lure victims into enabling malicious macros within email attachments.[4]

S0584 AppleJeus

AppleJeus has required user execution of a malicious MSI installer.[5]

S0622 AppleSeed

AppleSeed can achieve execution through users running malicious file attachments distributed via email.[6]

G0099 APT-C-36

APT-C-36 has prompted victims to accept macros in order to execute the subsequent payload.[7]

G0005 APT12

APT12 has attempted to get victims to open malicious Microsoft Word and PDF attachments sent via spearphishing.[8][9]

G0073 APT19

APT19 attempted to get users to launch malicious attachments delivered via spearphishing emails.[10]

G0007 APT28

APT28 attempted to get users to click on Microsoft Office attachments containing malicious macro scripts.[11][12]

G0016 APT29

APT29 has used various forms of spearphishing attempting to get a user to open attachments, including, but not limited to, malicious Microsoft Word documents, .pdf, and .lnk files.[13][14][15]

G0013 APT30

APT30 has relied on users to execute malicious file attachments delivered via spearphishing emails.[16]

G0050 APT32

APT32 has attempted to lure users to execute a malicious dropper delivered via a spearphishing attachment.[17][18][19][20][21]

G0064 APT33

APT33 has used malicious e-mail attachments to lure victims into executing malware.[22]

G0067 APT37

APT37 has sent spearphishing attachments attempting to get a user to open them.[23]

G0082 APT38

APT38 has attempted to lure victims into enabling malicious macros within email attachments.[24]

G0087 APT39

APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious attachment.[25][26][27][28]

S0373 Astaroth

Astaroth has used malicious files including VBS, LNK, and HTML for execution.[29]

S0606 Bad Rabbit

Bad Rabbit has been executed through user installation of an executable disguised as a flash installer.[30][31]

S0642 BADFLICK

BADFLICK has relied upon users clicking on a malicious attachment delivered through spearphishing.[32]

S0234 Bandook

Bandook has used lure documents to convince the user to enable macros.[33]

G0098 BlackTech

BlackTech has used e-mails with malicious documents to lure victims into installing malware.[34]

S0520 BLINDINGCAN

BLINDINGCAN has lured victims into executing malicious macros embedded within Microsoft Office documents.[35]

S0635 BoomBox

BoomBox has gained execution through user interaction with a malicious file.[36]

G0060 BRONZE BUTLER

BRONZE BUTLER has attempted to get users to launch malicious Microsoft Word attachments delivered via spearphishing emails.[37][38]

S0482 Bundlore

Bundlore has attempted to get users to execute a malicious .app file that looks like a Flash Player update.[39]

S0348 Cardinal RAT

Cardinal RAT lures victims into executing malicious macros embedded within Microsoft Excel documents.[40]

S0465 CARROTBALL

CARROTBALL has been executed through users being lured into opening malicious e-mail attachments.[41]

S0631 Chaes

Chaes requires the user to click on the malicious Word document to execute the next part of the attack.[42]

G0080 Cobalt Group

Cobalt Group has sent emails containing malicious attachments that require users to execute a file or macro to infect the victim machine.[43][44]

S0527 CSPY Downloader

CSPY Downloader has been delivered via malicious documents with embedded macros.[45]

G0070 Dark Caracal

Dark Caracal makes their malware look like Flash Player, Office, or PDF documents in order to entice a user to click on it.[46]

G0012 Darkhotel

Darkhotel has sent spearphishing emails in an attempt to lure users into clicking on malicious attachments.[47][48]

G0079 DarkHydrus

DarkHydrus has sent malware that required users to hit the enable button in Microsoft Excel to allow an .iqy file to be downloaded.[49][50]

G0074 Dragonfly 2.0

Dragonfly 2.0 has used various forms of spearphishing in attempts to get users to open attachments.[51][52]

S0384 Dridex

Dridex has relied upon users clicking on a malicious attachment delivered through spearphishing.[53]

G0066 Elderwood

Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open attachments.[54][55]

S0367 Emotet

Emotet has relied upon users clicking on a malicious attachment delivered through spearphishing.[56][57][58]

S0634 EnvyScout

EnvyScout has been executed through malicious files attached to e-mails.[36]

G0137 Ferocious Kitten

Ferocious Kitten has attempted to convince victims to enable malicious content within a spearphishing email by including an odd decoy message.[59]

G0085 FIN4

FIN4 has lured victims to launch malicious attachments delivered via spearphishing emails (often sent from compromised accounts).[60][61]

G0037 FIN6

FIN6 has used malicious documents to lure victims into allowing execution of PowerShell scripts.[62]

G0046 FIN7

FIN7 lured victims to double-click on images in the attachments they sent which would then execute the hidden LNK file.[63][64][65]

G0061 FIN8

FIN8 has used malicious e-mail attachments to lure victims into executing malware.[66][67][68]

G0101 Frankenstein

Frankenstein has used trojanized Microsoft Word documents sent via email, which prompted the victim to enable macros.[69]

G0084 Gallmaker

Gallmaker sent victims a lure document with a warning that asked victims to "enable content" for execution.[70]

G0047 Gamaredon Group

Gamaredon Group has attempted to get users to click on Office attachments with malicious macros embedded.[71][72]

G0078 Gorgon Group

Gorgon Group attempted to get users to launch malicious Microsoft Office attachments delivered via spearphishing emails.[73]

S0531 Grandoreiro

Grandoreiro has infected victims via malicious attachments.[74]

S0561 GuLoader

The GuLoader executable has been retrieved via embedded macros in malicious Word documents.[75]

S0499 Hancitor

Hancitor has used malicious Microsoft Word documents, sent via email, which prompted the victim to enable macros.[76]

G0126 Higaisa

Higaisa used malicious e-mail attachments to lure victims into executing LNK files.[77][78]

S0483 IcedID

IcedID has been executed through Word documents with malicious embedded macros.[79]

G0100 Inception

Inception lured victims into clicking malicious files for machine reconnaissance and to execute malware.[80][81][82][83]

G0136 IndigoZebra

IndigoZebra sent spearphishing emails containing malicious attachments that urged recipients to review modifications in the file which would trigger the attack.[84]

G0119 Indrik Spider

Indrik Spider has attempted to get users to click on a malicious zipped file.[85]

S0260 InvisiMole

InvisiMole can deliver trojanized versions of software and documents, relying on user execution.[86]

S0528 Javali

Javali has achieved execution through victims opening malicious attachments, including MSI files with embedded VBScript.[29]

S0389 JCry

JCry has achieved execution by luring users to click on a file that appeared to be an Adobe Flash Player update installer.[87]

S0648 JSS Loader

JSS Loader has been executed through malicious attachments contained in spearphishing emails.[64]

S0585 Kerrdown

Kerrdown has gained execution through victims opening malicious files.[21][88]

S0526 KGH_SPY

KGH_SPY has been spread through Word documents containing malicious macros.[45]

G0094 Kimsuky

Kimsuky has attempted to lure victims into opening malicious e-mail attachments.[89][90][91][45][6]

G0032 Lazarus Group

Lazarus Group has attempted to get users to launch a malicious Microsoft Word attachment delivered via a spearphishing email.[92]

G0065 Leviathan

Leviathan has sent spearphishing attachments attempting to get a user to click.[93][94]

S0447 Lokibot

Lokibot has tricked recipients into enabling malicious macros by getting victims to click "enable content" in email attachments.[95][96]

G0095 Machete

Machete has relied on users opening malicious attachments delivered through spearphishing to execute malware.[97][98][99][100]

G0059 Magic Hound

Magic Hound has attempted to lure victims into opening malicious email attachments.[101]

G0045 menuPass

menuPass has attempted to get victims to open malicious files such as Windows Shortcuts (.lnk) and/or Microsoft Office documents, sent via email as part of spearphishing campaigns.[102][103][104][105][106]

S0455 Metamorfo

Metamorfo requires the user to double-click the executable to run the malicious HTA file or to download a malicious installer.[107][108]

G0103 Mofang

Mofang's malicious spearphishing attachments required a user to open the file after receiving it.[109]

G0021 Molerats

Molerats has sent malicious files via email that tricked users into clicking Enable Content to run an embedded macro and to download malicious archives.[110][111][112]

G0069 MuddyWater

MuddyWater has attempted to get users to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.[113][114][115][116][117][118][119][120]

G0129 Mustang Panda

Mustang Panda has sent malicious files requiring direct victim interaction to execute.[121][122][123][124]

G0019 Naikon

Naikon has convinced victims to open malicious attachments to execute malware.[125]

S0637 NativeZone

NativeZone can display an RTF document to the user to enable execution of Cobalt Strike stage shellcode.[36]

S0198 NETWIRE

NETWIRE has been executed through luring victims into opening malicious documents.[126][75][127]

G0133 Nomadic Octopus

Nomadic Octopus has attempted to lure victims into clicking on malicious attachments within spearphishing emails.[128][129]

S0340 Octopus

Octopus has relied upon users clicking on a malicious attachment delivered through spearphishing.[129]

G0049 OilRig

OilRig has delivered macro-enabled documents that required targets to click the "enable content" button to execute the payload on the system.[130][131][132][133]

S0402 OSX/Shlayer

OSX/Shlayer relies on users mounting and executing a malicious DMG file.[134][135]

G0040 Patchwork

Patchwork embedded a malicious macro in a Word document and lured the victim to click on an icon to execute the malware.[136][137]

G0068 PLATINUM

PLATINUM has attempted to get users to open malicious files by sending spearphishing emails with attachments to victims.[138]

S0435 PLEAD

PLEAD has been executed via malicious e-mail attachments.[34]

S0428 PoetRAT

PoetRAT has used spearphishing attachments to infect victims.[139]

S0453 Pony

Pony has attempted to lure targets into downloading an attached executable (ZIP, RAR, or CAB archives) or document (PDF or other MS Office format).[140]

G0056 PROMETHIUM

PROMETHIUM has attempted to get users to execute compromised installation files for legitimate software including compression applications, security software, browsers, file recovery applications, and other tools and utilities.[141][142]

S0650 QakBot

QakBot has gained execution through users opening malicious attachments.[143][144][145][146][147][148][149][150]

S0458 Ramsay

Ramsay has been executed through malicious e-mail attachments.[151]

G0075 Rancor

Rancor attempted to get users to click on an embedded macro within a Microsoft Office Excel document to launch their malware.[152]

S0496 REvil

REvil has been executed via malicious MS Word e-mail attachments.[153][154][155]

S0433 Rifdoor

Rifdoor has been executed from malicious Excel or Word documents containing macros.[156]

S0148 RTM

RTM has relied on users opening malicious email attachments, decompressing the attached archive, and double-clicking the executable within.[157]

G0048 RTM

RTM has attempted to lure victims into opening e-mail attachments to execute malicious code.[158]

G0034 Sandworm Team

Sandworm Team has tricked unwitting recipients into clicking on spearphishing attachments and enabling malicious macros embedded within files.[159][160]

G0104 Sharpshooter

Sharpshooter has sent malicious DOC and PDF files to targets so that they can be opened by a user.[161]

G0121 Sidewinder

Sidewinder has lured targets to click on malicious files to gain execution in the target environment.[162][163][164][165]

G0091 Silence

Silence attempts to get users to launch malicious attachments delivered via spearphishing emails.[166][167][168]

S0390 SQLRat

SQLRat relies on users clicking on an embedded image to execute the scripts.[169]

S0491 StrongPity

StrongPity has been executed via compromised installation files for legitimate software including compression applications, security software, browsers, file recovery applications, and other tools and utilities.[141][142]

S0464 SYSCON

SYSCON has been executed by luring victims to open malicious e-mail attachments.[170]

G0062 TA459

TA459 has attempted to get victims to open malicious Microsoft Word attachments sent via spearphishing.[171]

G0092 TA505

TA505 has used lures to get users to enable content in malicious attachments and execute malicious files contained in archives. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files.[172][173][174][175][176][177][178][179][180]

G0127 TA551

TA551 has prompted users to enable macros within spearphishing attachments to install malware.[181]

S0011 Taidoor

Taidoor has relied upon a victim to click on a malicious email attachment.[182]

G0089 The White Company

The White Company has used phishing lure documents that trick users into opening them and infecting their computers.[183]

G0131 Tonto Team

Tonto Team has relied on user interaction to open their spearphishing attachments.[184]

G0134 Transparent Tribe

Transparent Tribe has used weaponized documents in e-mail to compromise targeted systems.[185][186][187][188][189]

S0266 TrickBot

TrickBot has attempted to get users to launch malicious documents to deliver its payload.[190][191]

G0081 Tropic Trooper

Tropic Trooper has lured victims into executing malware via malicious e-mail attachments.[192]

S0263 TYPEFRAME

A Word document delivering TYPEFRAME prompts the user to enable macro execution.[193]

S0476 Valak

Valak has been executed via Microsoft Word documents containing malicious macros.[194][195][196]

G0107 Whitefly

Whitefly has used malicious .exe or .dll files disguised as documents or images.[197]

G0112 Windshift

Windshift has used e-mail attachments to lure victims into executing malicious code.[198]

G0102 Wizard Spider

Wizard Spider has lured victims to execute malware with spearphishing attachments containing macros to download either Emotet, Bokbot, TrickBot, or Bazar.[199][200]