Mallory
Malware, used by 2 actors

MacroPack


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

FrostyNeighbor

The obfuscation is consistent with the result of MacroPack (an offensive security tool which is available on GitHub) when executed with the --obfuscate-names parameter.

via harfanglab insidethelabharfanglab.io
UNC1151

The obfuscation is consistent with the result of MacroPack (an offensive security tool which is available on GitHub) when executed with the --obfuscate-names parameter.

via harfanglab insidethelabharfanglab.io
MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques
T1566 Phishing (Evidence: 1)

I have been looking a bit into Unicode and Right-To-Left-Override phishing attacks lately... By changing the exe icon to that of a GIF, you can easily guess how this becomes a security problem.

T1566.001 Spearphishing Attachment (Evidence: 1)

For example, let's generate an HTA file running notepad with a false ".png" extension... In Explorer, the file will appear as "helloath.png" when in fact it is really "hello[rtlo]gnp.hta".

Stealth

2 techniques
T1027 Obfuscated Files or Information (Evidence: 1)
Tactic: Stealth

Since this attack is only used to lure the user, we just have to find a way that x appears to be a valid extension to the user's eye, but not a valid extension to Windows Defender. The simplest way to do it is simply to add a space... Unicode proposes a lot of space characters of different sizes, including zero-width spaces.

T1036 Masquerading (Evidence: 1)
Tactic: Stealth

Unicode RTLO is an attack consisting of spoofing an extension by injecting a Unicode Right-To-Left-Override character (U+202E). This is possible because Unicode-compatible applications will display all characters after the RTLO character from right to left. For example, a file called example[rtlo]fig.exe would be displayed as "exampleexe.gif" to the user.
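The RTLO and zero-width-space tricks quoted in the evidence above, turned into a defender-side filename check. This is an added example, not code from the page or from MacroPack: it approximates how a bidi-aware UI renders a name, compares the extension the user sees with the one Windows would resolve, and flags any bidi control or invisible character in the name. The sample filenames are constructed from the quotes above.

```python
# Added example (not from the page or from MacroPack): flag filenames that use
# Unicode bidi overrides or zero-width characters to disguise their real extension.

# Bidi embedding/override/isolate controls that can reorder rendered text (RLO is U+202E).
BIDI_CONTROLS = set("\u202A\u202B\u202C\u202D\u202E\u2066\u2067\u2068\u2069")
# Characters that render as nothing and can hide or pad a fake extension.
ZERO_WIDTH = set("\u200B\u200C\u200D\u2060\uFEFF")

def displayed_name(name: str) -> str:
    """Approximate a bidi-aware UI: text after U+202E (RLO) renders reversed
    until U+202C (PDF) or end of string; zero-width characters render as nothing."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202E":
            end = name.find("\u202C", i + 1)
            if end == -1:
                end = len(name)
            segment = "".join(c for c in name[i + 1:end] if c not in ZERO_WIDTH)
            out.append(segment[::-1])
            i = end + 1  # also skip the closing PDF if one was present
            continue
        if ch not in BIDI_CONTROLS and ch not in ZERO_WIDTH:
            out.append(ch)
        i += 1
    return "".join(out)

def extension(name: str) -> str:
    """Extension as the OS resolves it: text after the last dot, trailing spaces dropped."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].strip().lower() if "." in base else ""

def analyze(name: str) -> dict:
    """Return what the user sees, what would actually run, and whether to flag the name."""
    stripped = "".join(c for c in name if c not in BIDI_CONTROLS and c not in ZERO_WIDTH)
    shown = displayed_name(name)
    has_bidi = any(c in BIDI_CONTROLS for c in name)
    has_zero_width = any(c in ZERO_WIDTH for c in name)
    # Non-ASCII whitespace (U+00A0, U+2007, U+3000, ...) is out of place in a filename too.
    odd_space = any(c.isspace() and ord(c) > 0x7F for c in name)
    real_ext, shown_ext = extension(stripped), extension(shown)
    return {
        "displayed": shown,
        "real_ext": real_ext,
        "displayed_ext": shown_ext,
        "suspicious": has_bidi or has_zero_width or odd_space or real_ext != shown_ext,
    }

if __name__ == "__main__":
    # Constructed samples mirroring the quoted evidence, plus a benign control.
    for sample in ["example\u202Efig.exe", "hello\u202Egnp.hta", "invoice.pdf\u200B.exe", "report.pdf"]:
        print(repr(sample), "->", analyze(sample))
```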

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (2)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (4)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.