Unraveling ThreadKit: New document exploit builder used to distribute The Trick, Formbook, Loki Bot and other malware
released on 2018-03-26 @ 04:52:55 PM
In October 2017, Proofpoint researchers discovered a new Microsoft Office document exploit builder kit that featured a variety of recent exploits as well as a mechanism to report infection statistics. While the documents produced by this kit exhibited some minor similarities to Microsoft Word Intruder (MWI), we determined that they were likely produced by a new exploit builder kit, which we started tracking as ThreadKit.
Our investigation into this activity uncovered corresponding posts on both exclusive and less restricted underground crime forums advertising the kit that we suspected was responsible. To date, the kit has been used by actors to spread a variety of malware payloads: banking Trojans such as Trickbot and Chthonic, and RATs such as FormBook [1] and Loki Bot. In addition to these campaigns, we also observed ThreadKit used by more sophisticated crime actors such as the Cobalt Gang [2]. This article examines the history and features of ThreadKit.