FIN7 was observed using Windows 11 themes to lure recipients in a recent phishing campaign targeting a PoS provider.

What was found?

  • Users worldwide are excited and curious about Microsoft’s next operating system launch. The FIN7 cybercrime group has quickly jumped onto the bandwagon to seize this opportunity.
  • Attackers were targeting victims using a Win11 theme that contains malicious Word documents. 
  • The maldoc has Windows 11 text/image that fools a user into enabling the macro that downloads a JavaScript backdoor.
  • Researchers have examined around six such documents and claimed that the dropped backdoor is a variant of a payload often employed by the FIN7 group since 2018.
  • The names used in the campaign hint that the activity could have happened between June and July. This is around the same time when Windows 11-related news started to surface on portals.

However, it is not known how malicious files are being delivered, although the closest guess is via emails.

The attack chain

The document claims to be created with a new OS and fools some users that there is a compatibility problem. It stops the users from accessing the content and the problem can be supposedly solved by following the instructions enclosed within.
  • The instructions lead the victims into activating and running the malicious VBA embedded inside the document. The code is obfuscated to thwart off analysis, although there are ways to clean it, after which only related strings are left behind.
  • The VBScript uses some values encoded inside a hidden table (in the document) to perform language checks on the targeted computer. 
  • Identifying certain languages (Serbian, Russian, Moldovan, Ukrainian, Sorbian, Slovenian, Slovak, and Estonian) stops the malicious activity and deletes the table with encoded values.
  • Additionally, the code searches for CLEARMIND domain, which looks to be a reference to a PoS provider in the U.S.

Moreover, the code makes other checks as well, such as virtual machine environment detection (if identified the script is terminated), registry key language preference for Russian, available memory, and check for RootDSE via LDAP.


FIN7 is active again and launching fresh rounds of attacks. Taking advantage of the current global situation or popular events makes it a dangerous threat. Therefore, security professionals should keep an eye on this threat and keep sharing the latest IOCs to ensure protection against this threat.

Cyware Publisher