Threat actors using MacroPack to deploy Brute Ratel, Havoc, and PhantomCore payloads

Multiple Microsoft Office documents generated with the MacroPack framework have been discovered that were likely used by malicious actors to deploy a range of payloads. The documents were uploaded to VirusTotal between May and July 2024 from several countries, including China, Pakistan, Russia, and the U.S. The payloads include the Havoc and Brute Ratel post-exploitation frameworks as well as a new variant of the PhantomCore remote access trojan. The MacroPack-generated macro code employs various obfuscation techniques to evade detection, and the documents carry different lures, ranging from generic instructions to military-themed content. The specific threat actors remain unidentified, but the analysis reveals distinct clusters based on lure theme, payload type, and command-and-control infrastructure.
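The article notes that the macro code is obfuscated to evade detection but does not describe the obfuscation. The following triage script is an added example, not code from the original article or from MacroPack, that scores extracted VBA source against generic indicators that generator-built, obfuscated macros tend to share: auto-execution entry points, long identifiers that look randomly generated, strings assembled from Chr() calls or concatenated fragments, and process-launching API calls. It assumes the macro text has already been pulled out of the document (for instance with olevba from oletools); the two embedded macros are constructed samples, not real MacroPack output, and the indicator weights and threshold are assumptions chosen for this example rather than published MacroPack signatures.

```python
"""Heuristic triage of VBA macro source for generator-style obfuscation.

Added example; not the article's or MacroPack's code. Weights, thresholds
and regexes are assumptions for illustration, not published signatures.
"""
import re

# Constructed sample written in the style of an obfuscated macro (random
# identifiers, strings built from Chr() and fragments, auto-open trigger).
# The encoded string is a placeholder, not a real command. Not a real sample.
SAMPLE_OBFUSCATED = r'''
Sub AutoOpen()
    Dim qzkxwvbnmtr As String
    qzkxwvbnmtr = Chr(112) & Chr(111) & Chr(119) & Chr(101) & Chr(114) & "sh" & "ell"
    Dim pldmcxzqwer As Object
    Set pldmcxzqwer = CreateObject("WSc" & "ript.Sh" & "ell")
    pldmcxzqwer.Run qzkxwvbnmtr & " -nop -w hidden -e " & bvncxzmlkjhg(), 0
End Sub
Function bvncxzmlkjhg() As String
    bvncxzmlkjhg = "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"
End Function
'''

# Constructed benign macro for comparison.
SAMPLE_BENIGN = r'''
Sub FormatReport()
    Dim ws As Worksheet
    Set ws = ActiveSheet
    ws.Range("A1").Font.Bold = True
    ws.Columns("A:D").AutoFit
End Sub
'''

# Common auto-execution entry points for Word and Excel macros.
AUTO_EXEC = re.compile(
    r"\b(?:AutoOpen|Auto_Open|AutoExec|AutoClose|Document_Open|Workbook_Open|Document_Close)\b",
    re.I)
# Strings assembled one character at a time.
CHR_CALL = re.compile(r"\bChrW?\s*\(", re.I)
# A string literal immediately concatenated with another literal.
LITERAL_CONCAT = re.compile(r'"[^"\n]*"\s*&\s*(?=")')
# Identifiers introduced by Dim/Sub/Function (same-line only, so "End Sub"
# followed by a new declaration is not mis-parsed).
DECLARED_IDENT = re.compile(r"\b(?:Dim|Sub|Function)[ \t]+([A-Za-z_]\w*)", re.I)
# API calls that commonly launch a process or fetch a payload.
SUSPICIOUS_API = re.compile(
    r"\b(?:CreateObject|GetObject|Shell|WScript|Environ|URLDownloadToFile|powershell)\b"
    r"|\.(?:Run|Exec)\b", re.I)


def looks_random(name, min_len=8, max_vowel_ratio=0.2):
    """Long identifiers with almost no vowels are rare in human-written code
    but typical of renamed or generated names."""
    if len(name) < min_len:
        return False
    vowels = sum(c in "aeiouAEIOU" for c in name)
    return vowels / len(name) < max_vowel_ratio


def analyze(vba):
    """Count each indicator in the macro source."""
    idents = set(DECLARED_IDENT.findall(vba))
    return {
        "auto_exec": len(AUTO_EXEC.findall(vba)),
        "chr_calls": len(CHR_CALL.findall(vba)),
        "literal_concats": len(LITERAL_CONCAT.findall(vba)),
        "random_idents": sum(looks_random(n) for n in idents),
        "suspicious_api": len(SUSPICIOUS_API.findall(vba)),
    }


def score(ind):
    """Weighted sum of indicators (weights are assumptions for this example)."""
    s = 0
    if ind["auto_exec"]:
        s += 2
    if ind["chr_calls"] >= 3:
        s += 2
    if ind["literal_concats"] >= 2:
        s += 1
    if ind["random_idents"] >= 2:
        s += 3
    if ind["suspicious_api"]:
        s += 2
    return s


def is_likely_obfuscated(vba, threshold=5):
    return score(analyze(vba)) >= threshold


if __name__ == "__main__":
    for label, src in (("obfuscated", SAMPLE_OBFUSCATED), ("benign", SAMPLE_BENIGN)):
        ind = analyze(src)
        print(label, ind, "score:", score(ind), "flag:", is_likely_obfuscated(src))
```

The indicators are deliberately generic, so the script is a triage aid rather than a MacroPack detector: identifier renaming and string splitting are used by several macro generators and by some legitimate protection tools, and a single indicator such as `.Run` or `CreateObject` appears in benign automation. Tune the weights against a corpus of known-good macros before using the score to prioritize samples, and pair it with the payload and C2 indicators from the full report.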