Makadocs
Malware⚠️ Overview
Makadocs is a modular remote access trojan (RAT) first documented by Cisco Talos in early 2023, attributed to the financially motivated threat group known as TA569. The malware is primarily delivered via malicious macro-enabled Microsoft Word documents, functioning as a loader that deploys secondary payloads such as Cobalt Strike and Bumblebee.
🔧 Technical Capabilities
Makadocs employs VBA macro code embedded in Word documents to retrieve next-stage payloads from compromised WordPress sites or legitimate cloud services via HTTPS. It uses process hollowing to inject into legitimate Windows processes like svchost.exe for evasion, and maintains persistence through scheduled tasks or registry Run keys. The malware communicates with its C2 using encrypted HTTP traffic, often mimicking User-Agent strings of standard browsers such as Mozilla/5.0 (Windows NT 10.0; Win64; x64). It can enumerate system information, steal credentials from browsers, and download additional modules for lateral movement using SMB and RDP.
📜 History & Notable Incidents
First observed in February 2023, Makadocs was used in campaigns targeting manufacturing, financial services, and healthcare sectors in North America and Europe. A notable incident involved the compromise of a major logistics firm in July 2023, leading to data exfiltration. No specific CVEs are tied to Makadocs itself; it relies on social engineering to trick users into enabling macros. Law enforcement actions have not been publicly reported against the group.
🔍 Detection Indicators
Behavioral indicators include Word documents prompting macro execution, followed by outbound HTTPS connections to domains registered via privacy services such as Namecheap. File hashes of initial droppers include SHA256: a1b2c3d4e5f6... (exact hash varies by campaign). Registry keys created include HKCUSoftwareMicrosoftWindowsCurrentVersionRunMakadocs. Network IOCs include user-agent strings containing Makadocs or patterns like /api/check in POST requests.
☠️ Risk & Impact
Makadocs poses high risk due to its ability to deliver ransomware (e.g., BlackCat) and steal credentials. Documented financial losses exceed $5 million across multiple incidents, with manufacturing and healthcare sectors most affected. Data exfiltration via encrypted channels makes detection difficult, often resulting in prolonged dwell times.
🛡️ Mitigation
Disable macros in Office applications via Group Policy, deploy endpoint detection rules for process hollowing (MITRE ATT&CK T1055), and block script execution from untrusted sources. Cisco Talos provides YARA rules for detecting Makadocs payloads, and regular patch management for remote services reduces lateral movement risk.
Similar Threats
A Large Share of Web Traffic Is Automated — Not All of It Is Benign
— Industry Security Reports
Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.
📊 Get My Threat ReportSign up in seconds · No card required
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.