The APT group known as DeputyDog (also tracked as APT17) has surfaced again with a way of keeping its command-and-control servers under wraps that abuses Microsoft's TechNet online resources. Using TechNet is a formidable evasion technique, since most signature-based defenses would not treat traffic to such a widely used, legitimate resource as a threat. The campaign attributed to DeputyDog has used the BlackCoffee malware for two years. The malicious code connects to TechNet, locates a string delimited by the markers @MICRO0S0FT and C0RP0RATI0N, and decodes the message buried between them; that decoded command-and-control data tells the implant where its real server is, so the visible network traffic goes only to TechNet.
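Because the domain itself is legitimate, the practical detection angle is content, not destination: scan fetched page bodies (proxy cache, web-filter captures, or a crawl of the profiles in question) for the marker pair and pull out whatever sits between the markers. The following is an added example written for this page, not code from the article or from any vendor report; the marker strings are the ones quoted above, the page bodies are constructed test data, and the decoding of the extracted blob is deliberately left out because the page does not describe BlackCoffee's encoding.

```python
import re
from typing import Dict, List, Tuple

# Marker pair quoted in the article. Everything between them is the
# encoded command-and-control data; the encoding itself is not on the page,
# so this scanner only extracts the blob for a human or a later stage to decode.
OPEN_MARKER = "@MICRO0S0FT"
CLOSE_MARKER = "C0RP0RATI0N"

# Constructed sample page bodies standing in for fetched TechNet profile or
# forum content. None of this is real TechNet data.
SAMPLE_PAGES: Dict[str, str] = {
    "profile-1": "Hi all, great tip on PowerShell remoting! "
                 "@MICRO0S0FTa1b2c3d4e5f6C0RP0RATI0N thanks",
    "profile-2": "Nothing unusual here, just a normal comment about Exchange.",
    "profile-3": "Two drops: @MICRO0S0FTAAAAC0RP0RATI0N and "
                 "@MICRO0S0FTBBBBBBBBC0RP0RATI0N",
    # Opening marker with no closing marker: must not produce a hit, and
    # must not swallow the rest of the page.
    "profile-4": "Truncated: @MICRO0S0FTdeadbeef",
}

# Non-greedy match so two drops on one page yield two separate blobs rather
# than one blob spanning from the first opener to the last closer.
# re.escape keeps the '@' and digits literal; DOTALL lets a blob cross lines.
DEAD_DROP_RE = re.compile(
    re.escape(OPEN_MARKER) + r"(.*?)" + re.escape(CLOSE_MARKER), re.DOTALL
)


def extract_dead_drops(text: str) -> List[str]:
    """Return every encoded blob found between the marker pair in `text`."""
    return DEAD_DROP_RE.findall(text)


def scan_pages(pages: Dict[str, str]) -> List[Tuple[str, str]]:
    """Scan a mapping of page name -> body and return (page, blob) hits."""
    hits: List[Tuple[str, str]] = []
    for name, body in pages.items():
        for blob in extract_dead_drops(body):
            hits.append((name, blob))
    return hits


if __name__ == "__main__":
    for page, blob in scan_pages(SAMPLE_PAGES):
        print(f"dead-drop content on {page}: {blob!r}")
```

The same scanner works as a response-body check at a proxy or in a sandbox's HTTP capture; the only signature it needs is the marker pair, which is what makes the hosting domain irrelevant to detection. Pages that contain an opener with no closer, as in profile-4, are reported as clean rather than as a runaway match.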
Source: https://threatpost.com/apt-group-embeds-command-and-control-data-on-technet-pages/112881/

