During our analysis of a July 2023 campaign targeting groups supporting Ukraine’s admission into NATO, researchers discovered a new vulnerability for bypassing Microsoft’s Mark-of-the-Web (MotW) security feature. This activity has been attributed by the community to the pro-Russian APT group known as Storm-0978 (also known as the RomCom Group, in reference to their use of the RomCom backdoor). This group used a highly complex and well-developed exploit chain leveraging a remote code execution (RCE) vulnerability in Microsoft Office designated CVE-2023-36884 to infect its targets with malware.

Click for more details.