Microsoft Word users watch out for this attack

Jul 18 2023


Welcome to Gone Phishing, your daily cybersecurity newsletter that weaves past cybercriminals like Ryan Giggs weaves past… domestic assault charges #ClearedofAllCharges

Today’s hottest cyber security stories:

  • Microsoft Word flaws exploited by ‘LokiBot’ malware. Help, Clippy!

  • CERT-UA uncovers Russia-linked Gamaredon but it’s too little, too late

  • Biden admin unveils US Cyber Trust Mark standard for devices for 2024

Thor: I’m Loki scared… Geddit? Lowkey?

Another day, another new phishing campaign, right folks? This one has been targeting unsuspecting users via Microsoft Word documents. Is nothing sacred? Don’t expect Clippy to get you out of this one, either!

The attackers are taking advantage of well-known remote code execution flaws to drop malicious software called LokiBot onto compromised systems.

LokiBot, also known as Loki PWS, is a notorious information-stealing Trojan that has been active since 2015. Its primary targets are Windows systems, and it aims to gather sensitive information from infected machines.

The campaign was first detected in May 2023 by Fortinet FortiGuard Labs, a leading cybersecurity company. The attacks exploit two vulnerabilities, known as CVE-2021-40444 and CVE-2022-30190 (aka Follina), to achieve code execution.

The malicious Word files that distribute the malware utilise a sophisticated technique.

They contain an embedded external GoFile link within an XML file.

This link leads to the download of an HTML file, which then exploits the Follina vulnerability to download a next-stage payload.

FYI: In computing and telecommunications, the payload is the part of transmitted data that is the actual intended message. Within cybercrime, it’s the part that contains the bad stuff.

The payload is an injector module written in Visual Basic that decrypts and launches LokiBot.

To evade detection, the injector module includes techniques to check for the presence of debuggers and determine if it is running in a virtualized environment.
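A defender's triage check for the delivery technique described above, added here as an example (it is not code from Fortinet or from this newsletter): it lists the external links stored in a Word file's XML relationship parts. It assumes the link is stored as an OOXML relationship with TargetMode="External"; the sample document and its host names are constructed placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
MAX_PART = 1_000_000  # skip oversized parts rather than inflating a zip bomb

def external_targets(docx_bytes):
    """List (part, relationship kind, target) for every TargetMode="External" entry."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for info in pkg.infolist():
            if not info.filename.lower().endswith(".rels") or info.file_size > MAX_PART:
                continue
            for rel in ET.fromstring(pkg.read(info)).iter(REL):
                if rel.get("TargetMode", "").lower() == "external":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((info.filename, kind, rel.get("Target", "")))
    return found

def auto_loaded_hosts(findings):
    """Hosts of external targets that are not plain click-through hyperlinks.
    Such targets (oleObject, attachedTemplate, ...) may be fetched on open."""
    hosts = set()
    for _part, kind, target in findings:
        m = re.search(r"https?://([^/\s!?#]+)", target, re.I)
        if kind != "hyperlink" and m:
            hosts.add(m.group(1).lower())
    return sorted(hosts)

def build_sample():
    """Constructed minimal package: one normal hyperlink, one external oleObject."""
    base = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{base}hyperlink" '
        'Target="https://example.com/about" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{base}oleObject" '
        'Target="https://files.example.invalid/d/placeholder.html" TargetMode="External"/>'
        f'<Relationship Id="rId3" Type="{base}styles" Target="styles.xml"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    print(auto_loaded_hosts(external_targets(build_sample())))
```

Run against a real attachment by passing the file's bytes to `external_targets`; any host returned by `auto_loaded_hosts` deserves a look before the document is opened in Word.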

LokiBot is a powerful malware that can log keystrokes, capture screenshots, extract login credentials from web browsers, and steal data from various cryptocurrency wallets.

It is important to note that LokiBot should not be confused with an Android banking trojan that shares the same name.


To protect yourself against such threats, it is crucial to stay vigilant and follow best security practices.

Regularly updating your software, employing strong passwords, and being cautious of suspicious emails and attachments are essential steps in safeguarding your systems and sensitive information.

Stay safe!



CERTified hackerboy

The threat actor known as Gamaredon, which has links to Russia, has been observed stealing data shortly after gaining access to a system.

According to the Computer Emergency Response Team of Ukraine (CERT-UA), Gamaredon primarily uses emails and messaging platforms like Telegram, WhatsApp, and Signal as the initial means of compromise. They often exploit previously compromised accounts to carry out their attacks.

Gamaredon, also known as Aqua Blizzard, Armageddon, Shuckworm, or UAC-0010, is a state-sponsored group connected to the SBU Main Office in the Autonomous Republic of Crimea, which was annexed by Russia in 2014. It is estimated that this group has infected thousands of government computers.

Since the beginning of the Russo-Ukrainian war in February 2022, Gamaredon and other Russian hacking crews have remained active. They employ phishing campaigns to distribute PowerShell backdoors, such as GammaSteel, enabling them to gather information and execute additional commands.

The attack messages usually contain an archive holding a file in HTM or HTA format. When opened, these files trigger the attack sequence.

Stay vigilant and exercise caution when opening suspicious files or messages to protect your data and systems from such threats.


He’s Biden his time

The Biden Administration is introducing a new cybersecurity label for smart devices called the US Cyber Trust Mark. This label, based on security standards established by the National Institute of Standards and Technology (NIST), will indicate that devices meet these requirements.

Federal Communications Commission (FCC) Chairwoman Jessica Rosenworcel announced the voluntary program, which is expected to be in place by 2024. Devices carrying the label will be available to consumers shortly after.

The program aims to cover various connected devices commonly found in homes, such as smart refrigerators, microwaves, televisions, and climate control systems.

Interestingly, the announcement also mentions “smart fitness trackers” as a device that will be included in the certification and labelling program, hinting at broader ambitions beyond the smart home.

The initiative has gained voluntary support from major electronics, appliance, and consumer product manufacturers, retailers, and trade associations, including Google, Samsung, Logitech, Amazon, Best Buy, and the Connectivity Standards Alliance (home of the Matter smart home standard).

We’re all for it!

So long and thanks for reading all the phish!
