Date: 12/10/2025
Severity: High
Summary
We identified a new social-engineering tactic employed by the Belarusian threat actor White Lynx (also known as Ghostwriter, Storm-0257, UNC1151). The lure is a Word document carrying a malicious macro built to frustrate automated detection and sandbox analysis. Once the user enables macros, the macro presents a fake CAPTCHA window asking them to type in a six-character string. This extra step requires live human interaction before the malicious payload runs, which an automated sandbox will not supply. After the CAPTCHA is completed, the document shows decoy content while the malicious activity continues in the background.
Indicators of Compromise (IOC) List
Domains/URLs:
https://agelessinvesting.xyz/wp-content/uploads/2025/04/fahrenheit-451-book-cover.jpg
SHA-256 hashes:
6a22c0f7cafd717d4bc7408d7cf045f864939dd11f6d61a1b557e25a65fe4b7e
d93e1c23d95446071c7347d17e7125155486f3d2b01fb7265a4d2453e409ea18
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (network IOC): domainname like "agelessinvesting.xyz" or url like "https://agelessinvesting.xyz/wp-content/uploads/2025/04/fahrenheit-451-book-cover.jpg" or siteurl like "https://agelessinvesting.xyz/wp-content/uploads/2025/04/fahrenheit-451-book-cover.jpg"
Detection Query 2 (file hash IOC): sha256hash IN ("6a22c0f7cafd717d4bc7408d7cf045f864939dd11f6d61a1b557e25a65fe4b7e","d93e1c23d95446071c7347d17e7125155486f3d2b01fb7265a4d2453e409ea18")
Note: the domainname field holds a bare host, so it is matched against "agelessinvesting.xyz" rather than the full URL; this also surfaces requests to other paths on the same host, which is the intended behaviour for a known-malicious domain. Confirm that your SHA-256 field is stored in lower case (or that the comparison is case-insensitive) before relying on Query 2.
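The following is an added, stand-alone Python example of the same two detection rules applied to log records, so the matching logic can be checked offline before it is deployed in a SIEM. It is not Gurucul's or Unit42's code. The record field names (domainname, url, siteurl, sha256hash) mirror the query fields above, and the sample records are constructed for illustration; they are not real telemetry.

```python
import hashlib
from urllib.parse import urlparse

# Indicators taken from the advisory above.
IOC_URL = "https://agelessinvesting.xyz/wp-content/uploads/2025/04/fahrenheit-451-book-cover.jpg"
IOC_DOMAIN = urlparse(IOC_URL).hostname  # "agelessinvesting.xyz"
IOC_SHA256 = {
    "6a22c0f7cafd717d4bc7408d7cf045f864939dd11f6d61a1b557e25a65fe4b7e",
    "d93e1c23d95446071c7347d17e7125155486f3d2b01fb7265a4d2453e409ea18",
}

# Assumed field names, chosen to mirror the vendor query fields.
NETWORK_FIELDS = ("domainname", "url", "siteurl")


def normalize_host(value):
    """Return the lower-cased bare hostname for either a full URL or a bare domain."""
    if "://" in value:
        host = urlparse(value).hostname  # urlparse already lower-cases the host
        return host if host else None
    return value.strip().lower().rstrip(".")


def match_network(record):
    """Detection Query 1: hit if a URL/domain field equals the IOC URL or resolves to the IOC host."""
    for field in NETWORK_FIELDS:
        value = record.get(field)
        if not value:
            continue
        if value == IOC_URL or normalize_host(value) == IOC_DOMAIN:
            return f"network:{field}"
    return None


def match_hash(record):
    """Detection Query 2: hit if the SHA-256 field matches either sample, case-insensitively."""
    digest = record.get("sha256hash")
    if digest and digest.strip().lower() in IOC_SHA256:
        return "hash:sha256hash"
    return None


def triage(records):
    """Run both queries over a list of log records; return (index, reason) for every hit."""
    hits = []
    for i, rec in enumerate(records):
        reason = match_network(rec) or match_hash(rec)
        if reason:
            hits.append((i, reason))
    return hits


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file's bytes, in the lower-case hex form the IOC list uses."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    {"src": "proxy", "url": IOC_URL},                                       # exact URL hit
    {"src": "dns", "domainname": "agelessinvesting.xyz"},                   # bare-domain hit
    {"src": "proxy", "url": "https://AgelessInvesting.xyz/index.html"},     # same host, other path
    {"src": "edr", "sha256hash": "6A22C0F7CAFD717D4BC7408D7CF045F864939DD11F6D61A1B557E25A65FE4B7E"},  # upper-case hash
    {"src": "proxy", "url": "https://example.org/wp-content/uploads/2025/04/fahrenheit-451-book-cover.jpg"},  # same path, other host
    {"src": "edr", "sha256hash": sha256_hex(b"benign test file")},         # benign file
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_RECORDS):
        print(idx, reason, SAMPLE_RECORDS[idx])
```

Records 0 to 3 fire and records 4 and 5 do not: the host comparison catches the bare DNS entry and the mixed-case host on a different path, while the identical image path on an unrelated host is left alone, which is the behaviour the split between the domainname and url clauses in Query 1 is meant to give.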
Reference:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-12-08-White-Lynx-uses-CAPTCHA-macros.txt