This blog was authored by Danny AdamitisDavid Maynor and Kendall McKay.

Executive summary

Cisco Talos recently identified a series of documents that we believe are part of a coordinated series of cyber attacks that we are calling the “Frankenstein” campaign. We assess that the attackers carried out these operations between January and April 2019 in an effort to install malware on users’ machines via malicious documents. We assess that this activity was hyper-targeted given that there was a low volume of these documents in various malware repositories. Frankenstein — the name refers to the actors’ ability to piece together several unrelated components — leveraged four different open-source techniques to build the tools used during the campaign.

The campaign used components of:

  • An article to detect when your sample is being run in a VM
  • A GitHub project that leverages MSbuild to execute a PowerShell command
  • A component of GitHub project called “Fruityc2” to build a stager
  • A GitHub project called “PowerShell Empire” for their agents



Talos Group

Talos Security Intelligence & Research Group