MalwareUsed by 2 actors

DeliveryCheck

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

Turla

When activated, these macros execute a PowerShell command, creating a scheduled task impersonating a Firefox browser updater. However, this task downloads the DeliveryCheck backdoor (also known as CapiBar and GAMEDAY) and launches it in memory, where it connects to the threat actor's command and control server to receive commands to execute or deploy further malware payloads.

via bleeping computerbleepingcomputer.com

UAC-0003

via bleeping computerbleepingcomputer.com

MITRE ATT&CK

Techniques & procedures

14 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique

T1566.001Spearphishing AttachmentEvidence2

TacticInitial Access

The attacks start with phishing emails containing Excel XLSM attachments that contain malicious macros.

Execution

4 techniques

T1053.005Scheduled TaskEvidence1

TacticsExecution Persistence Privilege Escalation

When activated, these macros execute a PowerShell command, creating a scheduled task impersonating a Firefox browser updater.

T1059Command and Scripting InterpreterEvidence1

TacticExecution

Microsoft says that these malware payloads are embedded and launched from XSLT stylesheets.

T1059.001PowerShellEvidence1

TacticExecution

When activated, these macros execute a PowerShell command, creating a scheduled task impersonating a Firefox browser updater.

T1059.005Visual BasicEvidence1

TacticExecution

The attacks start with phishing emails containing Excel XLSM attachments that contain malicious macros. When activated, these macros execute a PowerShell command...

Persistence

3 techniques

T1053.005Scheduled TaskEvidence1

TacticsExecution Persistence Privilege Escalation

When activated, these macros execute a PowerShell command, creating a scheduled task impersonating a Firefox browser updater.

T1505Server Software ComponentEvidence1

TacticPersistence

What makes DeliveryCheck stand out is a Microsoft Exchange server-side component that turns the server into a command and control server for the threat actors.

T1546.015Component Object Model HijackingEvidence1

TacticsPersistence Privilege Escalation

"...COM-hijacking..."

Privilege Escalation

2 techniques

T1053.005Scheduled TaskEvidence1

TacticsExecution Persistence Privilege Escalation

When activated, these macros execute a PowerShell command, creating a scheduled task impersonating a Firefox browser updater.

T1546.015Component Object Model HijackingEvidence1

TacticsPersistence Privilege Escalation

"...COM-hijacking..."

Stealth

3 techniques

T1036MasqueradingEvidence1

TacticStealth

...creating a scheduled task impersonating a Firefox browser updater.

T1218System Binary Proxy ExecutionEvidence1

TacticStealth

Microsoft says that these malware payloads are embedded and launched from XSLT stylesheets.

T1220XSL Script ProcessingEvidence1

TacticStealth

"Окрім застосування XSLT (Extensible Stylesheet Language Transformations)..."

Command and Control

3 techniques

T1071Application Layer ProtocolEvidence1

TacticCommand and Control

...launches it in memory, where it connects to the threat actor's command and control server to receive commands to execute or deploy further malware payloads.

T1071.001Web ProtocolsEvidence1

TacticCommand and Control

Multiple C2 URLs over HTTPS, including Exchange-themed paths like "/outlook/api/logon.aspx" and "/.../RPCWITHCERT/SYNC".

T1105Ingress Tool TransferEvidence1

TacticCommand and Control

...connects to the threat actor's command and control server to receive commands to execute or deploy further malware payloads.

Exfiltration

1 technique

T1041Exfiltration Over C2 ChannelEvidence1

TacticExfiltration

After infecting devices, the threat actors utilize the backdoor to exfiltrate data from the compromised devices using the Rclone tool.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

malpediaNews

May 14, 2026

Turla (Threat Actor)

Malware/tool used alongside Kazuar in targeted Turla attacks; CAPIBAR is named in the title while DeliveryCheck is listed with the report.

bleeping computerNews

Jul 19, 2023

Microsoft: Hackers turn Exchange servers into malware control centers

A backdoor used by Turla/Secret Blizzard in phishing-led attacks against the defense sector and Microsoft Exchange environments. It is launched in memory, connects to C2 for tasking and payload delivery, and includes a server-side Microsoft Exchange component that can turn a legitimate Exchange server into a malware-distribution and command-and-control server.

microsoft supportNews

Mar 18, 2026

Windows 悪意のあるソフトウェアの削除ツールで特定の一般的なマルウェアを削除する (KB890830) - Microsoft サポート

DeliveryCheck [[URL_b3187638_112]] 2023 年 11 月 (v 5.119)

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping14

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.