PULSE NAME
IOC - Tracing a Paper Werewolf campaign through AI-generated decoys and Excel XLLs
WHITE celestre 2025-12-22 Modified: 2025-12-22
20 IOCs, MEDIUM VOLUME
An XLL is a native Windows DLL that Excel loads as an add-in, allowing it to execute arbitrary code through exported functions like xlAutoOpen. Threat actors have abused Microsoft Excel add-ins via the .XLL format since at least mid-2017; the earliest documented misuse is by the threat group APT10 (aka Stone Panda / Potassium), which injected backdoor payloads via XLLs.
Indicators of Compromise (1 / 20 total)
TYPE | INDICATOR | DESCRIPTION | CREATED
FileHash-MD5 | 1e958b4f40358763ed8ac283a031bf23 | MD5 of dd5a16d0132eb38f64293b8419bab3a3a80f48dc050129a8752989539a5c97bf | 2025-12-22