ETDA ThaiCERT

Threat Group Cards: A Threat Actor Encyclopedia

APT group: Operation Epic Manchego

Names: Operation Epic Manchego (NVISO)
Country: [Unknown]
Motivation: Information theft and espionage
First seen: 2020
Description: (NVISO) In July 2020, NVISO detected a set of malicious Excel documents, also known as “maldocs”, that deliver malware through VBA-activated spreadsheets. While the malicious VBA code and the dropped payloads were something we had seen before, it was the specific way in which the Excel documents themselves were created that caught our attention.

The creators of the malicious Excel documents used a technique that allows them to create macro-laden Excel workbooks, without actually using Microsoft Office. As a side effect of this particular way of working, the detection rate for these documents is typically lower than for standard maldocs.
Observed: Countries: Bulgaria, Canada, China, Czech, France, Germany, Hungary, Italy, Japan, Malaysia, Netherlands, Poland, Romania, South Korea, Sweden, UK, Ukraine, Uruguay, USA, Vietnam.
Tools used: Agent Tesla, AZORult, Formbook, Matiex, njRAT.
Information: <https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/>

Last change to this card: 17 September 2020


Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
