Saturday, August 23, 2025

Brilliant macro malware analysis CYFIRMA TAG-110

Weekly Intelligence Report - 30 May 2025 - CYFIRMA:

As seen online:

“Recent analysis has uncovered a phishing campaign conducted by TAG-110, a Russia-aligned threat actor linked to APT28 (BlueDelta) and overlapping with UAC-0063, targeting Tajikistan between January and February 2025. The campaign employed macro-enabled Word template files (.dotm) as the initial infection vector, representing a tactical shift from the group’s previous reliance on HTA-based HATVIBE payloads. The malicious documents, themed on Tajik government topics, were designed to deceive recipients and triggered execution through the document.open event. Upon opening, the macro unprotected the document, suppressed spell checks, and attempted visual obfuscation by setting the font line width to zero. It then copied itself into %APPDATA%\Microsoft\Word\STARTUP\.dotm to ensure persistent execution as a global template. The AutoExec macro launched automatically with Word startup, performing a check to see if the application was opened within the last 60 seconds via the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\\Word\Options\LastTime; if so, it terminated execution.”

— from Weekly Intelligence Report - 30 May 2025 - CYFIRMA as of 23 August 2025
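The persistence mechanism in the quoted report (a macro-enabled template dropped into the Word STARTUP folder, where Word loads it as a global template and runs its AutoExec macro on every launch) is easy to hunt for on an endpoint. The script below is an added example written for this post; it is not CYFIRMA's code and not derived from the campaign's files. It assumes the STARTUP path named in the report, treats any template there that carries a `word/vbaProject.bin` part as worth review (a .dotm is an OOXML zip, so the check works offline with the standard library), and uses a plain byte search for the string `AutoExec` as a heuristic only, since the VBA source inside `vbaProject.bin` is compressed and a miss does not prove the macro is absent.

```python
"""Triage helper: list macro-enabled Word global templates in a STARTUP folder.

Added example, not CYFIRMA's or the blog author's code. Assumptions: Word loads
every template in %APPDATA%\\Microsoft\\Word\\STARTUP as a global template (as the
report describes), and VBA code, when present, lives in word/vbaProject.bin.
"""
import os
import zipfile
from pathlib import Path

VBA_PART = "word/vbaProject.bin"
# File types Word will pick up from STARTUP; .dotx cannot carry macros but is
# listed so the report shows every template that is loaded at launch.
TEMPLATE_SUFFIXES = {".dotm", ".dotx", ".dot"}


def default_startup_dir() -> Path:
    """Path from the report; %APPDATA% exists only on Windows, so fall back to
    the conventional roaming-profile location elsewhere."""
    appdata = os.environ.get("APPDATA", str(Path.home() / "AppData" / "Roaming"))
    return Path(appdata) / "Microsoft" / "Word" / "STARTUP"


def template_has_vba(path: Path) -> bool:
    """True if the OOXML template contains a VBA project part.

    Legacy binary .dot files are OLE containers rather than zip archives; they
    are flagged for manual review because this helper cannot inspect them."""
    if not zipfile.is_zipfile(path):
        return path.suffix.lower() == ".dot"
    with zipfile.ZipFile(path) as zf:
        return VBA_PART in zf.namelist()


def vba_mentions_autoexec(path: Path) -> bool:
    """Heuristic: module names such as AutoExec usually appear uncompressed in
    the PROJECT stream of vbaProject.bin. The macro body itself is compressed,
    so a miss here is not proof that no auto-run macro exists."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as zf:
        if VBA_PART not in zf.namelist():
            return False
        return b"AutoExec" in zf.read(VBA_PART)


def scan_startup(startup_dir: Path) -> list:
    """Return one finding per template in the STARTUP folder, sorted by name."""
    findings = []
    if not startup_dir.is_dir():
        return findings
    for entry in sorted(startup_dir.iterdir()):
        if not entry.is_file() or entry.suffix.lower() not in TEMPLATE_SUFFIXES:
            continue
        has_vba = template_has_vba(entry)
        findings.append({
            "path": str(entry),
            "has_vba": has_vba,
            "autoexec": vba_mentions_autoexec(entry) if has_vba else False,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_startup(default_startup_dir()):
        label = "REVIEW" if finding["has_vba"] else "ok"
        print(f"[{label}] {finding['path']} autoexec={finding['autoexec']}")
```

Any template with VBA in a user's STARTUP folder deserves a look, because legitimate global templates there are rare outside managed add-in deployments; the report's 60-second `LastTime` registry check is an anti-analysis trick aimed at sandboxes that open Word repeatedly, so a file found by this scan should be detonated or inspected statically rather than simply re-opened.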