More than a year ago, on July 26th 2016, the Bitdefender Threat Intelligence Team came across a suspicious document called News.doc.
Upon preliminary investigation, the sample revealed a set of similar files that bear the same features, but appear to have been used in separate attacks targeted at different institutions.
This plug-and-play malware framework uses a handful of novel techniques for command and control identification and communications, as well as a plugin-based architecture, a design choice increasingly being adopted among threat actor groups in the past few years.
Dubbed EHDevel, this operation continues to this date, the latest known victims reportedly being several Pakistani individuals. In their case, the threat actors have chosen different lures than the ones presented in this paper, but the modus operandi is identical.