Share This:

Threat Update

Security researchers have discovered recent attempts by threat actors to infect machines with malicious Word documents containing VBA macros and JavaScript to plant a backdoor and create persistence. These Word documents are disguised as documentation or information related to the new Windows 11 Alpha release to entice users into interacting. Recommendations to remediate the threat is to block the IOCs listed in this advisory.

Technical Detail & Additional Information


Security researchers have moderate confidence in attributing this threat campaign to the threat group FIN7. FIN7 is a prominent threat group which seems to be financially motivated and typically targets US based companies. FIN7 has been known to utilize a variation of JavaScript backdoors since at least 2018, specifically targeting Point-of-Sale (POS) systems.

The specific Word documents containing malicious VBA Macros and JavaScript backdoors are utilizing the anticipation around the new Windows 11 Alpha release to entice end users to interact with the malicious document which will be running the VBA Macro and JavaScript backdoor on the machine.


According to the US Department of Justice, FIN7 is responsible for stealing over 15 million card records from 6,500 POS terminals since 2018. Additionally, the group has reported ties to other groups such as Carbanak and the notorious REvil Ransomware gang. This campaign of malicious Word documents creates a backdoor for the threat actors on the compromised machine which then provides the threat actor with full access to the device and the potential to move laterally within the network. Future collaboration with other threat groups such as REvil would allow for the seamless distribution of ransomware or other forms of malware through the backdoor created by this threat.


This threat can affect any device which supports the use of JavaScript and utilizes the Microsoft Office Suite. Additionally, FIN7 is known to target POS Systems across multiple industries specifically targeting PII and credit card information. The backdoor created by this threat can potentially lead to a myriad of future compromises.


SKOUT recommends the following:

Block the below IOCs on any firewalls:

  • tnskvggujjqfcskwk[.]com
  • https://bypassociation[.]com
  • Continuously train employees on security awareness and recognizing phishing attacks, as most malicious documents of this nature come via phishing campaigns.
  • Ensure antivirus definitions are up to date.

For SKOUT Endpoint Protection customers, SKOUT Endpoint Protection holds the ability to block the execution of Visual Basic macro scripts and JavaScript files.


For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.

Share This:
Doris Au

Posted by Doris Au

Doris is a product marketing manager at Barracuda MSP. In this position, she is responsible for connecting managed service providers with multi-layered security and data protection products that can protect their customers from today’s advanced cyber threats.

Leave a reply

Your email address will not be published. Required fields are marked *