Nation-state actors are attempting to plant malware on targets' computers via an invitation to a NATO-organised cyber security conference, researchers have found.
Cisco's Talos security research division discovered a new phishing campaign from the advanced persistent threat (APT) actor Group 74 - also known as Fancy Bear, APT28, Sofacy and Tsar Team - that uses a malicious Microsoft Word document.
Talos said the document contains information about the CyCon US conference on cyber conflict in Washington DC, copied from the meeting's official website. CyCon is held by the US Army's Cyber Institute and the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE).
The document was sent out to specific targets, Talos said, and contains a macro written in Visual Basic for Applications (VBA), but no Office exploits or zero-days.
If executed, the VBA macro attempts to drop and run a new variant of the Seduploader malware on targets' machines.
Seduploader is a "reconnaissance malware" that has been used by Group 74/Fancy Bear for several years.
The malware can take screenshots, capture and exfiltrate data and system configuration information, run code, and download files.
"This is clearly an attempt to exploit the credibility of Army Cyber Institute and NATO CCDCOE in order to target high-ranking officials and experts of cyber security," the NATO CCDCOE said.
It warned users not to enable and run Office macros, and to handle information obtained and received via the internet with special care.