Updated Hancitor Malware Slings Cobalt Strike

A report by Unit 42 uncovered recent malicious activity by TA511. The threat actor has added Cobalt Strike, which is used in Active Directory environments, to its repertoire. TA511 gains its initial foothold through a malicious Word document that drops a Hancitor sample in the form of a DLL file and executes it using rundll32, a common living-off-the-land technique in malicious Office files.
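
A detection sketch for the execution step described above, added here as an example and not taken from the Unit 42 report or the linked article: it flags `rundll32.exe` started by Word and extracts the DLL path and export from the command line. The sample events, paths, DLL and export names are constructed, and the `Image`/`ParentImage`/`CommandLine` keys assume process-creation telemetry in the style of Sysmon Event ID 1.

```python
import ntpath
import re

# Parent process named on the page: Word. Add other Office binaries as needed.
OFFICE_PARENTS = {"winword.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# rundll32 syntax: rundll32.exe <dll>,<export> [args]; either path may be quoted.
RUNDLL_ARGS = re.compile(r'^\s*(?:"[^"]*"|\S+)\s+(?:"([^"]+)"|([^\s,]+))\s*,\s*(\S+)')

# Constructed sample events (not from the report); keys are assumed field names.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Roaming\sample.dll,ExampleExport"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 8192"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Users\bob\AppData\Local\Temp\doc helper.dll",Start'},
]

def parse_rundll32(command_line):
    """Return (dll_path, export) from a rundll32 command line, or (None, None)."""
    m = RUNDLL_ARGS.match(command_line)
    return ((m.group(1) or m.group(2)), m.group(3)) if m else (None, None)

def find_office_rundll32(events):
    """Flag rundll32.exe launched by an Office parent and describe the loaded DLL."""
    findings = []
    for ev in events:
        child = ntpath.basename(ev["Image"]).lower()
        parent = ntpath.basename(ev["ParentImage"]).lower()
        if child != "rundll32.exe" or parent not in OFFICE_PARENTS:
            continue
        dll, export = parse_rundll32(ev["CommandLine"])
        findings.append({
            "parent": parent, "dll": dll, "export": export,
            # DLLs outside the system directories deserve a closer look.
            "outside_system_dir": bool(dll) and not dll.lower().startswith(SYSTEM_DIRS),
        })
    return findings

if __name__ == "__main__":
    for finding in find_office_rundll32(SAMPLE_EVENTS):
        print(finding)
```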

Article Link: https://blog.minerva-labs.com/hancitor-malware