March 21, 2024by Cybersixgill IQ

PhantomBlu Cyberattackers: Backdooring Microsoft Office Users via OLE

Powered by cybersixgill IQ


PhantomBlu is a sophisticated cyberattack campaign that specifically targets Microsoft Office users in US-based organizations. The attackers employ a combination of social engineering and advanced evasion tactics to deliver a remote access trojan (RAT) called NetSupport RAT. This RAT allows the threat actors to gain control over compromised systems, enabling them to conduct surveillance, steal data, and potentially deliver ransomware. This article provides an overview of the tactics used by the PhantomBlu cyberattackers, their targets, and steps for mitigation.

Tactics Used by PhantomBlu Cyberattackers

Impersonation: The attackers impersonate an accounting service in email messages, luring targets with the promise of viewing their "monthly salary report." This social engineering tactic increases the likelihood of victims opening the malicious email attachments.

OLE Template Manipulation: The threat actors exploit a vulnerability in Microsoft Office's Object Linking and Embedding (OLE) technology. By manipulating document templates, they can execute malicious code without detection. This technique allows them to hide the payload outside the document, making it more challenging for traditional security systems to detect.

NetSupport RAT Delivery: The attackers deliver the NetSupport RAT, a malware derived from the legitimate NetSupport Manager remote technical support tool. This RAT enables the threat actors to gain remote access and control over compromised systems, facilitating further malicious activities.

Targets of PhantomBlu Cyberattackers

The primary targets of the PhantomBlu campaign are US-based organizations that use Microsoft Office. The attackers specifically focus on individuals within these organizations who have access to sensitive information, such as financial or HR departments. By targeting employees in these roles, the threat actors aim to gain access to valuable data and potentially exploit it for financial gain or other malicious purposes.

Steps for Mitigation

Employee Education: Organizations should provide comprehensive cybersecurity training to employees, emphasizing the importance of being cautious when opening email attachments or clicking on suspicious links. Employees should be trained to verify the authenticity of emails and attachments before interacting with them.

Email Filtering and Security Solutions: Implementing robust email filtering and security solutions can help detect and block phishing emails and malicious attachments. These solutions should include advanced threat detection capabilities to identify and mitigate sophisticated attacks like PhantomBlu.

Patch Management: Keeping software, including Microsoft Office, up to date with the latest security patches is crucial. Regularly applying patches helps address known vulnerabilities that threat actors may exploit.

Disable Macros: Disabling macros in Microsoft Office documents by default can prevent the execution of malicious code embedded in macros. Macros should only be enabled when necessary and from trusted sources.

Endpoint Protection: Deploying endpoint protection solutions, such as antivirus software and endpoint detection and response (EDR) tools, can help detect and block malicious activities on individual devices. These solutions should be regularly updated to ensure they can identify and mitigate emerging threats.

Network Segmentation: Implementing network segmentation can limit the lateral movement of attackers within an organization's network. By separating critical systems and data from less sensitive areas, organizations can minimize the potential impact of a successful breach.

Incident Response Plan: Developing and regularly testing an incident response plan is essential for effectively responding to cyberattacks. This plan should outline the steps to be taken in the event of a breach, including isolating affected systems, conducting forensic analysis, and notifying relevant stakeholders.


The PhantomBlu cyberattack campaign demonstrates the evolving tactics employed by threat actors to target Microsoft Office users. By leveraging social engineering techniques and exploiting OLE technology, the attackers can deliver the NetSupport RAT and gain control over compromised systems. Organizations can mitigate the risk posed by PhantomBlu and similar attacks by implementing a combination of employee education, robust security solutions, patch management, and incident response planning. Staying vigilant and proactive in implementing cybersecurity measures is crucial to protect against evolving cyber threats.


“’PhantomBlu’ Cyberattackers Backdoor Microsoft Office Users via OLE“ from cybernews_darkreading, published on March 19th, 2024 by DarkReading

“China linked to cyber attacks on Taiwan exploiting Windows vulnerability“ from news_theguardian, published on January 24th, 2024 by Tom Fox-Brewster

This article was created using Cybersixgill IQ, our generative AI capability that supports teams with instant report writing, simplifies complex threat data and provides 24/7 assistance, transforming cybersecurity for every industry and every individual, at every level.

You may also like

SOTU-Ransomware blog thumbnail

April 17, 2024

State of the Underground 2024: Two ways to guard against the ongoing threat of ransomware

Read more
Access for Sale Blog-Thumbnail

April 16, 2024

Cybersixgill’s Access Currently for Sale - high-value intelligence just got even better

Read more
Change Healthcare Breach Blog Thumbnail

April 15, 2024

Change Healthcare Breach: Data in the Hands of a New Ransomware Group

Read more