Seven Days Of The Collect Exfiltrate Sleep Repeat Spin Cycle
Threat actors targeted users in a phishing campaign that delivered a job application themed macro enable document.
If the unsuspecting recipient executed the document and enabled the macro VBS and PowerShell files were created for further compromise of the machine.
The malicious scripts made use of many OS native tools as well as some legitimate open source packages to carry out nefarious tasks.
Scheduled tasks were created to gather system information gather local and domain user account and install a keylogger that was developed from the opensource software AutoHotkey.
Although the attackers successfully acquired access and exfiltrated some collected data the attackers were not seen carrying out further actions on the victim machines.
Featured Resources
View More Resources
CVE-2026-26117: Hijacking Azure Arc on Windows for Local Privilege Escalation & Cloud Identity Takeover
CVE-2026-26117 lets attackers hijack Azure Arc on Windows, escalate to SYSTEM, and seize the machine’s cloud identity.
Exposure Validation Demo
Demo of automated offensive simulations validating detection, prevention, and IOC coverage
Validate What Matters: Simulate Real-World Identity and Privilege Attacks in AD and Entra ID
Identity is the new perimeter. The move to the cloud and remote work creates new security boundaries based on users and services operating across cloud and hybrid environments, making