A hacking campaign in Ukraine exploited a seven-year-old Microsoft Office flaw to deliver Cobalt Strike, a hacker tool.

The attack used a malicious PPSX file with a remote link to an external object targeting the CVE-2017-8570 vulnerability.

The second stage of the attack featured an HTML file with JavaScript, masked as a Cisco VPN update, to deploy the Cobalt Strike Beacon.

At the time of the discovery, the particular Cobalt Strike Beacon used was not detectable by most antivirus engines.

Ukrainian military personnel were the focus of the attack, with domain names for the malware delivery disguised as art and photography sites.

While the campaign's evidence pointed to Ukraine, a Russian VPS, and a Cobalt beacon command-and-control server in Poland, the specific actor behind the operations remains unidentified.

The report provided Indicators of Compromise to help identify the malicious activity but lacked conclusive attribution.