Craig Pepper
March 25, 2024
5 Min Read

Threat Report 25.03.24

Hackers Exploiting Microsoft Office Templates

A sophisticated cyberattack operation known as "PhantomBlu" has targeted employees of various US organisations through phishing emails. These emails, disguised as communications from an accounting service, aim to trick recipients into downloading a malicious Microsoft Word document that allegedly contains their monthly salary report.

The document instructs victims to enable certain features in order to view their salary details, a tactic that abuses the legitimate Object Linking and Embedding (OLE) functionality of Windows to execute harmful code without the user noticing.

Insights into PhantomBlu's Methods:

Social Engineering: By sending emails that mimic those from a trustworthy source and promise sensitive financial information, the attackers effectively exploit human curiosity and the inherent trust in known entities.

Advanced Evasion Techniques: The operation introduces a novel approach by manipulating OLE templates to deliver a Remote Access Trojan (RAT), specifically NetSupport RAT, without triggering security alarms. This marks a concerning advancement in evasion tactics.

Sophisticated Malware Deployment: The campaign progresses through several stages. It begins with the user activating a disguised malicious payload, which leads to the download and execution of a PowerShell script. That script, hidden behind multiple layers of obfuscation, ultimately installs the NetSupport RAT, granting the attackers remote control over the infected system.

Persistence and Control: Analysis of the malware reveals efforts to maintain a foothold on the victim's computer, such as modifying registry keys, and identifies the command-and-control infrastructure that directs the RAT's actions.
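The delivery chain above hinges on a Word document that carries something the user is asked to "enable": an OLE template or object that Word resolves when the file opens. A defender's first line of triage is to look for those constructs statically, before the file reaches a user. The script below is an added example, not code from the original report or from the PhantomBlu analysis it summarises. It treats a .docx as the zip of XML parts it is and, using only the Python standard library, flags a remote attached template (an External relationship in word/_rels/settings.xml.rels), embedded OLE objects under word/embeddings/, any other relationship that points outside the package, and a VBA project. The sample document it builds is constructed for the demonstration; the template URL in it is a placeholder, not an indicator from the campaign.

```python
"""Static triage of a .docx for remote templates, embedded OLE objects and macros.

Added example, not the report's or the campaign analysts' code. A .docx is a zip
of XML parts, so the checks below need nothing beyond the standard library.
The sample built by build_sample_docx() is constructed here; its URL is a
placeholder, not a real indicator.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
ATTACHED_TEMPLATE = OFFICE_REL + "attachedTemplate"


def triage_docx(data: bytes) -> dict:
    """Return the findings for one document supplied as bytes."""
    findings = {"remote_templates": [], "embedded_ole": [],
                "external_rels": [], "macros": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        findings["macros"] = "word/vbaProject.bin" in names
        findings["embedded_ole"] = sorted(
            n for n in names if n.startswith("word/embeddings/"))
        # Every *.rels part lists relationships; TargetMode="External" means
        # Word will fetch the target from outside the file when it opens.
        for name in sorted(n for n in names if n.endswith(".rels")):
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                rtype = rel.get("Type", "").replace(OFFICE_REL, "")
                target = rel.get("Target", "")
                findings["external_rels"].append((name, rtype, target))
                if rel.get("Type") == ATTACHED_TEMPLATE:
                    findings["remote_templates"].append(target)
    return findings


def is_suspicious(findings: dict) -> bool:
    """True when the document should be held for analyst review."""
    return bool(findings["remote_templates"] or findings["embedded_ole"]
                or findings["macros"])


def build_sample_docx(remote_template: bool, embed_ole: bool) -> bytes:
    """Construct a minimal .docx in memory (a stand-in, not a real sample)."""
    rels = [f'<Relationships xmlns="{REL_NS}">']
    if remote_template:
        rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                    'Target="http://template.invalid/placeholder.dotm" '
                    'TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/settings.xml.rels", "".join(rels))
        if embed_ole:
            # OLE compound-file header magic followed by padding.
            zf.writestr("word/embeddings/oleObject1.bin",
                        b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    for flags in ((True, True), (False, False)):
        result = triage_docx(build_sample_docx(*flags))
        print(flags, "suspicious" if is_suspicious(result) else "clean", result)
```

A finding here is a reason to detonate or inspect the file, not proof of malice: legitimate corporate documents do sometimes reference templates on an internal server, so the external target should be compared against known-good hosts rather than blocked blindly.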

Recommendations:

Educate Employees: Conduct regular training sessions so that employees recognise such phishing tactics and scrutinise emails, especially those that prompt a download or ask them to enable macros or other document features.

Enhance Email Filtering: Strengthen email security protocols to filter out phishing attempts and suspicious attachments. Regularly update filters to adapt to evolving cybercriminal strategies.

Establish Strict Access Controls: Limit user access to essential files and features to reduce the impact of a potential breach. Employ the principle of least privilege across all systems.

Regularly Update Systems: Keep all software and security solutions up to date to protect against known vulnerabilities that could be exploited in such attacks.

Risks:

The PhantomBlu campaign highlights a significant risk to organisations through its sophisticated blending of social engineering and advanced evasion techniques. Its ability to bypass conventional security measures and deploy remote access tools poses a critical threat to the confidentiality, integrity, and availability of corporate data. Organisations must promptly adopt comprehensive security strategies to mitigate these risks and protect their assets from such advanced cyber threats.

Apple's M-Series Chips Exposed

A critical vulnerability has been found in Apple's M-series chips, with serious implications for data security worldwide. Named "GoFetch," it stems from a fundamental design flaw in the chips' architecture, specifically in the data memory-dependent prefetcher (DMP). The flaw enables attackers to syphon off sensitive encryption keys by manipulating the microarchitectural behaviour of the chips, and it is particularly alarming because the hardware itself cannot be patched. The vulnerability primarily affects the M1 and M2 generations, and mitigating it without compromising system performance is a significant challenge.

Key Characteristics of the GoFetch Vulnerability:

Inherent Design Flaw: The vulnerability is embedded in the silicon itself, so no conventional software patch can remove it; mitigation instead requires extensive modifications to cryptographic software.

Exploitation of Performance Features: GoFetch exploits the DMP's predictive loading feature, intended to enhance chip performance, to illicitly leak data. This misuse of a performance-optimising component underscores the complex trade-offs between speed and security in hardware design.

Universal Threat: GoFetch can extract keys from both traditional and quantum-resistant encryption algorithms without root access, which magnifies its threat. Because the technique can be employed by ordinary applications, the potential for unauthorised access to encrypted data is broad.

Performance-Impacting Mitigation: Addressing this vulnerability necessitates strategies that could severely hamper processing efficiency, such as ciphertext blinding or reallocating cryptographic computations to less efficient parts of the chip.

Recommendations:

Adopt Ciphertext Blinding: Although resource-intensive, this technique masks the data processed by cryptographic operations, reducing exposure to side-channel attacks.

Use Efficiency Cores: Running sensitive cryptographic processes on parts of the chip that lack the DMP may offer a safer, though slower, alternative.
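The blinding recommendation rests on one principle: the private-key operation must never run directly on a value the attacker chose, because that is the value whose handling the prefetcher leaks. The following is an added illustration, not code from the original report or from the GoFetch research; it uses the classic RSA ciphertext-blinding construction as the example, which is an assumption about how to show the idea rather than a statement of what any particular library does on M-series hardware. The ciphertext is multiplied by r^e for a fresh random r before decryption and the result is divided by r afterwards, so the value that flows through the secret exponentiation is different on every call while the caller still gets the correct plaintext. The key parameters are tiny constructed toy values so the arithmetic is readable; they are not a usable key.

```python
"""Ciphertext blinding shown on textbook RSA with constructed toy parameters.

Added example, not the report's code and not the GoFetch authors' mitigation
code. The primes are the small textbook values p=61, q=53; never use such a key.
"""
import secrets
from math import gcd

# Constructed toy key.
P, Q = 61, 53
N = P * Q                 # 3233
PHI = (P - 1) * (Q - 1)   # 3120
E = 17
D = pow(E, -1, PHI)       # 2753


def encrypt(m: int) -> int:
    return pow(m, E, N)


def decrypt_unblinded(c: int) -> int:
    """The secret exponent operates directly on the attacker-supplied c."""
    return pow(c, D, N)


def decrypt_blinded(c: int, randbelow=secrets.randbelow) -> tuple:
    """Return (plaintext, the value the private-key operation actually saw)."""
    while True:                          # pick r in [2, n-1] coprime with n
        r = randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    c_blind = (c * pow(r, E, N)) % N     # the attacker no longer controls this
    m_blind = pow(c_blind, D, N)         # equals m * r (mod n)
    m = (m_blind * pow(r, -1, N)) % N    # strip the mask
    return m, c_blind


def blinded_values_seen(c: int, runs: int) -> set:
    """Collect what the secret operation processed across repeated decryptions."""
    return {decrypt_blinded(c)[1] for _ in range(runs)}


if __name__ == "__main__":
    c = encrypt(65)
    print("unblinded decrypt:", decrypt_unblinded(c))
    print("blinded decrypt:  ", decrypt_blinded(c)[0])
    print("distinct values seen by the private-key op over 10 runs:",
          len(blinded_values_seen(c, 10)))
```

The cost the recommendation warns about is visible in the code: every decryption now pays for an extra modular exponentiation, a modular inverse and a random draw. Other algorithms need their own masking constructions, so the performance penalty varies by primitive.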

Risk:

The GoFetch vulnerability represents a significant threat to the security of encrypted data, particularly given its unpatchable nature. The balance between hardware performance and security is critically challenged, highlighting the need for a strategic reevaluation of cryptographic practices on affected chips. Organisations and individuals relying on Apple's M-series chips must urgently consider available mitigation strategies, despite the potential for reduced system performance. This situation highlights the evolving complexity of cybersecurity in the age of advanced computing hardware, necessitating continuous vigilance and adaptation to protect sensitive information against emerging threats.

Hackers Can Open Millions of Rooms in Seconds

A vulnerability in the RFID keycard locks manufactured by Dormakaba, specifically the Saflok brand, has been identified, posing a critical security risk to millions of hotel rooms globally. The vulnerability, uncovered by security researchers Ian Carroll, Lennert Wouters, and their team, underpins a method, dubbed Unsaflok, that leverages weaknesses in the lock system's encryption as well as flaws in the MIFARE Classic RFID technology. The exploit enables unauthorised individuals to swiftly gain access to any room secured by these locks using two specially prepared keycards or signals, a process that astonishingly requires no advanced privileges or specialised tools.

Significant Points of the Unsaflok Vulnerability:

Systemic Weaknesses: The vulnerability exploits inherent flaws in both the lock's encryption and the RFID technology, indicating a fundamental security oversight.

Ease of Access: The simplicity of the exploit, which allows rapid unauthorised access without any special privileges, highlights the severity of the security oversight.

Manufacturer's Response: Dormakaba's response, focusing on system updates and lock reprogramming rather than hardware replacement, suggests a preference for cost-effective mitigation strategies. However, the effectiveness of these measures is contingent on widespread implementation, which appears to be progressing slowly.

Recommendations:

Prompt System Updates: It is imperative for hospitality operators using Saflok locks to coordinate closely with Dormakaba to ensure their lock systems are updated or reprogrammed as swiftly as possible.

Enhanced Physical Security Measures: Hotels should consider additional security measures, such as surveillance and secondary locking mechanisms, to bolster room security during this vulnerable period.

Guest Vigilance: Guests should be advised of potential risks and encouraged to use hotel safes and other security services to protect their valuables.

Risk:

The Unsaflok vulnerability represents a significant threat to the security of hotel rooms secured by the affected RFID locks, exposing guests and their belongings to potential unauthorised access. This issue underscores the critical need for ongoing scrutiny and updating of physical security systems to protect against evolving cyber threats. The slow pace of mitigation efforts further amplifies the risk, highlighting the challenges inherent in securing widespread and diverse implementations of technology. Until comprehensive updates are implemented, the vulnerability will remain a stark reminder of the complexities involved in securing modern hospitality operations against sophisticated cyber threats.