Hackers Use PowerPoint Files for 'Mouseover' Malware Delivery
Powerpoint Image

Hackers Use PowerPoint Files for ‘Mouseover’ Malware Delivery

Researchers from Cluster25 believe APT28, a Russian state-sponsored threat group, is using a new code execution technique that relies on mouse movement in Microsoft PowerPoint presentations (T1566.001, T1204.002), which in turn triggers a malicious PowerShell script (T1059.001). While most Microsoft Office-based attacks require malicious macros, this new technique does not, making it especially dangerous.

“The threat actor lures targets with a PowerPoint (.PPT) file allegedly linked to the Organization for Economic Co-operation and Development (OECD), an intergovernmental organization working towards stimulating economic progress and trade worldwide. Inside the PPT file, there are two slides, both featuring instructions in English and French for using the Interpretation option in Zoom video-conferencing app” (Bleeping Computer, 2022).

The PPT file contains a hyperlink (T1204.001) which acts as a trigger for launching PowerShell scripts using the SyncAppvPublishingServer utility (T1569). This technique has been around since June 2017, but this is the first time researchers have seen it used inside an Office document without malicious macros. The campaign appears to have taken place between January and February of this year and then again in August in September with new URLs.

According to Cluster 25, the activity they have attributed to APT28 is using the PowerPoint mouse-over technique to deliver the Graphite malware. The campaign has targeted entities in the defense and government sectors of the European Union and Eastern Europe.

Never let your guard down when it comes to your digital security. Have questions about securing your network and providing the latest in digital security awareness training? Contact Citynet or call us: 1.844.CITYNET.

Like this article?

Share on Facebook
Share on Twitter
Share on Linkdin
Share on Pinterest

More Posts

MFA to Zero Trust Image

How to go from MFA to Zero Trust

Increased connectivity, coupled with the rise of remote and hybrid work, is prompting organizations to evolve their user access security and make strides toward a

Cybersecurity Training Image

Yearly Cyber Training Doesn’t Work

If you’re sticking to once-a-year sessions for your employees, it’s time to rethink your approach. Let’s face it, it’s likely dull and uninspiring. And if

Fact vs Myth Image

Debunking 5 Common Internet Myths

In the vast landscape of the internet, myths and misconceptions often abound, shaping our perceptions and influencing our online behaviors. At Citynet, we’re committed to

SuperPod with WiFi 6E

Plume SuperPod WiFi 6E Specs

SuperPod with WiFi 6

Plume SuperPod WiFi 6 Specs


Plume SuperPod Secs