Threats Feed | TA452 | Last Updated: 19/05/2025 | Author: Certfa Radar | Publish Date: 06/02/2023

TA452 Utilizes PowerShell and AutoHotkey in its Intrusion

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Keylogger, Malicious Macro, Malware, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: Low Impact / Low Probability

Threat Overview

TA452's August 2022 intrusion began with a malicious Word document carrying a VBA macro that established persistence and command-and-control (C2) communication. The operators used an AutoHotkey script for keylogging, PowerShell scripts for host and domain discovery, and makecab.exe to package collected data before exfiltration. Base64 encoding, script obfuscation and scheduled tasks were used to maintain access and evade detection. The campaign is linked to the OilRig group and targeted organizations with custom-tailored malware, consistent with state-sponsored activity. Data was exfiltrated over encrypted channels, and the tooling and targeting point to an organized, deliberate operation.

Detected Targets

Type: Case
Target: Lumen Technologies
Description: Lumen Technologies, Inc. (formerly CenturyLink and Qwest) is an American telecommunications company headquartered in Monroe, Louisiana, that offers communications, network services, security, cloud solutions, voice and managed services. The company is a member of the Fortune 500 and has been on the S&P 500 index since 1999. Lumen Technologies was targeted by TA452 in this campaign; the lure document referenced the company.
Confidence: Verified

Type: Sector
Target: Information Technology
Confidence: High

Extracted IOCs

File hashes (MD5)
  • 34a2677a7776f87e810814c2d3845f47
  • 691332c86dd568f87b7fff4601c37895
  • 850b8d07180601417193a6f88227130a
  • 9a7d5f126904adc194df4dcbc2c5715c
  • a3c14604fb4454ba5722f07f89780e73
  • c3aedb781a5b96674764cd43ef076d10
  • c65b10c1113c0f0d4e06609fa60d9aad
  • f7611e77c5f99b81085e61b17b969afe
  • f769f67681707e8f69ecdf9e62fb944c
  • fc5f490dbe375779b2c6bbccdd869ca6
File hashes (SHA-1)
  • 0b676ea2ad205b70b9feb1eedbfdec72137e08e5
  • 2ca263fc5f1e505c1839ab0abf56571af6c7809d
  • 475320a5bf0ba52fc9ff711d8e6dba512b3fefbf
  • 79b1f6b0afe943a60560eb20677d5b801dc29ba3
  • 86da0100bb6a07a89eaa4dc3ec220e9dbd6ecf71
  • a86088cf31c72cc4648ee8dfa082979a74044203
  • b8c8171b6e8efd2bb0ae8d5b22749564edd38109
  • c5f6a48fa52a279e1f3424b97662b479716229af
  • e1f4a8e434638c56b7a0d2d0317f4d0d84987a40
  • ed7b9ddbaee794cecb80fac794b0e6cb0ae073b5
File hashes (SHA-256)
  • 16007ea6ae7ce797451baec2132e30564a29ee0bf8a8f05828ad2289b3690f55
  • 45f293b1b5a4aaec48ac943696302bac9c893867f1fc282e85ed8341dd2f0f50
  • 7ae52c0562755f909d5d79c81bb99ee2403f2c2ee4d53fd1ba7692c8053a63f6
  • ac933ffc337d13b276e6034d26cdec836f03d90cb6ac7af6e11c045eeae8cc05
  • b92be3d086372fc89b3466e8d9707de78a5b6dff3e4a2eecc92c01d55a86fd7d
  • be0e75d50565506baa1ce24301b702989ebe244b3a1d248ee5ea499ba812d698
  • d4857156094963c8e38f6e88f4d72cb910aa537e3811eae0579f7abc568c9ae8
  • e4b2411286d32e6c6d3d7abffc70d296c814e837ef14f096c829bf07edd45180
  • eb2a94ee29d902c8a13571ea472c80f05cfab8ba4ef80d92e333372f4c7191f4
IP address
  • 45[.]89.125.189
URLs
  • hxxp://45[.]89.125.189/get
  • hxxp://45[.]89.125.189/put

Tip: 32 related IOCs are listed for this threat: 1 IP address, 2 URLs and 29 file hashes (10 MD5, 10 SHA-1, 9 SHA-256); no domains or email addresses.
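The IOCs above are published defanged (hxxp://, [.]) and mixed by type. The Python below is an added example, not part of the Certfa Radar feed and not TA452 tooling: it re-fangs the list, classifies each entry by type (hash length separates MD5, SHA-1 and SHA-256), and matches the result against constructed proxy-log lines and a constructed file inventory. The log lines, file paths and the pairing of one SHA-256 with a file name are invented for the example; the report does not say which hash belongs to which file.

```python
import re
from typing import Dict, List, Set, Tuple

# Indicators as published above, still defanged. A few per type are shown;
# the parser takes the full list unchanged.
RAW_IOCS = """
  • 34a2677a7776f87e810814c2d3845f47
  • 0b676ea2ad205b70b9feb1eedbfdec72137e08e5
  • 16007ea6ae7ce797451baec2132e30564a29ee0bf8a8f05828ad2289b3690f55
  • 45[.]89.125.189
  • hxxp://45[.]89.125.189/get
  • hxxp://45[.]89.125.189/put
"""

HASH_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def refang(value: str) -> str:
    """Undo the feed's defanging: hxxp:// -> http://, [.] -> ."""
    v = value.strip()
    v = re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.IGNORECASE)
    return v.replace("[.]", ".")


def classify(value: str) -> Tuple[str, str]:
    """Return (indicator type, normalised value) for one line of the list."""
    v = refang(value)
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HASH_BY_LEN:
        return HASH_BY_LEN[len(v)], v.lower()
    if re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", v):
        return "ipv4", v
    if re.match(r"https?://", v, flags=re.IGNORECASE):
        return "url", v
    return "unknown", v


def parse_iocs(raw: str) -> Dict[str, Set[str]]:
    """Group the bullet list into sets keyed by indicator type."""
    iocs: Dict[str, Set[str]] = {}
    for line in raw.splitlines():
        line = line.strip().lstrip("•").strip()
        if line:
            kind, val = classify(line)
            iocs.setdefault(kind, set()).add(val)
    return iocs


# Constructed telemetry for the example (not from the report): proxy lines
# and a file inventory of (path, sha256). The hash-to-file pairing is invented.
PROXY_LOG = [
    "2022-08-15T09:12:01Z src=10.20.1.17 method=GET url=http://45.89.125.189/get status=200",
    "2022-08-15T09:12:44Z src=10.20.1.17 method=POST url=http://45.89.125.189/put status=200",
    "2022-08-15T09:13:10Z src=10.20.1.22 method=GET url=https://www.example.com/ status=200",
    "2022-08-15T09:14:02Z src=10.20.1.17 method=GET url=http://45.89.125.189/beacon status=404",
]
FILE_INVENTORY = [
    (r"C:\Users\jdoe\Downloads\suspect.doc",
     "16007ea6ae7ce797451baec2132e30564a29ee0bf8a8f05828ad2289b3690f55"),
    (r"C:\Users\jdoe\Documents\notes.txt", "0" * 64),
]


def match_proxy(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Flag a line on an exact URL match, else on its host being a listed IP."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = re.search(r"url=(\S+)", line)
        if not m:
            continue
        url = m.group(1)
        host = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0]
        if url in iocs.get("url", set()):
            hits.append(("url", line))
        elif host in iocs.get("ipv4", set()):
            hits.append(("ipv4", line))
    return hits


def match_hashes(inventory: List[Tuple[str, str]], iocs: Dict[str, Set[str]]) -> List[str]:
    """Return paths whose digest appears in any of the hash sets."""
    known = iocs.get("md5", set()) | iocs.get("sha1", set()) | iocs.get("sha256", set())
    return [path for path, digest in inventory if digest.lower() in known]
```

The host-level fallback in match_proxy matters here: the listed URLs are only two paths on one IP, and any other request to that host is just as interesting as an exact match.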

FAQs

Inside the Lumen-Themed Targeted Attack: What You Need to Know

A malicious Word document masquerading as a job application was used to deliver malware that spied on users, logged keystrokes, took screenshots, and sent that data to a remote server.

The attack is attributed to OilRig (also tracked as APT34), an Iranian state-sponsored group known for custom PowerShell-based malware, whose targeting centres on the Middle East and extends to Western technology companies.

The attackers' goal was to collect sensitive data through keylogging, screenshot capture and domain enumeration, most likely for espionage.

The malicious document referenced Lumen, a global telecom firm, suggesting targeting of its employees or contractors. The attack appears to be highly targeted rather than broad-scale.

It started with a Word document that prompted the user to enable macros. Once enabled, the macro installed a stealthy PowerShell implant, kept it running through scheduled tasks, and launched an AutoHotkey keylogger.

Telecom and tech companies often manage critical infrastructure and sensitive data, making them attractive targets for espionage groups.

Organizations should block macros in documents received from the internet (current Office builds block macros in files carrying the Mark of the Web, and the setting can be enforced centrally), enable PowerShell script block logging and alert on encoded or hidden-window PowerShell, watch for scheduled tasks whose actions invoke script interpreters, flag unexpected AutoHotkey binaries and makecab.exe launched from script hosts, implement strong email filtering, and train users to recognize phishing lures.
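The chain described in the overview and in the answers above (macro-launched PowerShell, scheduled-task persistence, an AutoHotkey keylogger, makecab.exe staging) maps directly onto process-creation telemetry. The Python below is an added example, not code from Certfa Radar or from the report: it runs five behavioural checks over constructed Sysmon-style process events and decodes the -EncodedCommand payload so an analyst sees what the obfuscated PowerShell does. The paths, PIDs, task name and the encoded discovery command are all invented for the example.

```python
import base64
import re
from typing import Any, Dict, List, Optional, Set, Tuple

Event = Dict[str, Any]
Finding = Tuple[str, int, str]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Plaintext of a -EncodedCommand argument (base64 over UTF-16LE), or None."""
    m = re.search(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def rule_office_spawns_script_host(ev: Event) -> Optional[str]:
    parent, child = basename(ev["parent_image"]), basename(ev["image"])
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        return f"{parent} spawned {child} (macro execution)"
    return None


def rule_encoded_powershell(ev: Event) -> Optional[str]:
    if basename(ev["image"]) in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is not None:
            return f"encoded PowerShell decodes to: {decoded}"
    return None


def rule_schtasks_persistence(ev: Event) -> Optional[str]:
    cmd = ev["cmdline"]
    if basename(ev["image"]) == "schtasks.exe" and re.search(r"(?i)/create\b", cmd):
        m = re.search(r'(?i)/tr\s+"([^"]+)"', cmd) or re.search(r"(?i)/tr\s+(\S+)", cmd)
        action = m.group(1) if m else cmd
        if re.search(r"(?i)powershell|autohotkey|\.ahk\b", action):
            return f"scheduled task created with script action: {action}"
    return None


def rule_autohotkey_interpreter(ev: Event) -> Optional[str]:
    # Key on the PE's original file name so a renamed AutoHotkey.exe is still caught.
    if ev.get("original_file_name", "").lower().startswith("autohotkey") or re.search(r"(?i)\.ahk\b", ev["cmdline"]):
        return f"AutoHotkey launched by {basename(ev['parent_image'])}: {ev['cmdline']}"
    return None


def rule_makecab_staging(ev: Event) -> Optional[str]:
    if basename(ev["image"]) == "makecab.exe" and basename(ev["parent_image"]) in SCRIPT_HOSTS:
        return f"makecab.exe run from {basename(ev['parent_image'])}: {ev['cmdline']}"
    return None


RULES = [rule_office_spawns_script_host, rule_encoded_powershell,
         rule_schtasks_persistence, rule_autohotkey_interpreter, rule_makecab_staging]


def evaluate(events: List[Event]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                findings.append((rule.__name__, ev["pid"], msg))
    return findings


def stages_seen(findings: List[Finding]) -> Set[str]:
    return {name for name, _, _ in findings}


# Constructed Sysmon-style process-creation events (not from the report).
SAMPLE_PS = "whoami /all; nltest /domain_trusts"  # invented discovery command
SAMPLE_ENC = base64.b64encode(SAMPLE_PS.encode("utf-16le")).decode("ascii")
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS: List[Event] = [
    {"pid": 4100, "image": WINWORD, "parent_image": r"C:\Windows\explorer.exe", "original_file_name": "WinWord.exe",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\jdoe\Downloads\application.doc"'},
    {"pid": 4230, "image": PS, "parent_image": WINWORD, "original_file_name": "PowerShell.EXE",
     "cmdline": f"powershell.exe -NoP -W Hidden -enc {SAMPLE_ENC}"},
    {"pid": 4300, "image": r"C:\Windows\System32\schtasks.exe", "parent_image": PS, "original_file_name": "schtasks.exe",
     "cmdline": r'schtasks /create /tn "Updater" /sc minute /mo 5 /tr "powershell.exe -w hidden -ep bypass -f C:\Users\Public\u.ps1"'},
    {"pid": 4400, "image": r"C:\Users\Public\ahk.exe", "parent_image": r"C:\Windows\System32\svchost.exe",
     "original_file_name": "AutoHotkey.exe", "cmdline": r"C:\Users\Public\ahk.exe C:\Users\Public\kl.ahk"},
    {"pid": 4500, "image": r"C:\Windows\System32\makecab.exe", "parent_image": PS, "original_file_name": "MakeCab.exe",
     "cmdline": r"makecab.exe C:\Users\Public\keys.log C:\Users\Public\out.cab"},
    {"pid": 5000, "image": PS, "parent_image": r"C:\Windows\explorer.exe", "original_file_name": "PowerShell.EXE",
     "cmdline": "powershell.exe -Command Get-Process"},
]
```

Each rule on its own is noisy in a large estate (administrators run makecab and encoded PowerShell too); the value is in stages_seen returning several of them for one host within a short window, which is the pattern this intrusion leaves.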

This attack fits a broader trend of sophisticated, nation-state-linked cyber campaigns using tailored malware. While not widespread, it reflects ongoing threats from advanced persistent threat (APT) groups.

About Affiliation
TA452