A report by Unit 42 uncovered recent malicious activity by TA511. The threat actor has added Cobalt Strike to its repertoire and uses it in Active Directory environments. TA511 gains its initial foothold through a malicious Word document that drops a Hancitor sample as a DLL and executes it with rundll32. Both pieces of malware perform the same environment check: they query the registry key HKEY_CLASSES_ROOT and enter an infinite loop if the fourth character of the key's default value is not the letter "t".
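The registry gate described above, reproduced as an added example (this is not Unit 42's code and not the malware's own code). It reads the (Default) value of HKEY_CLASSES_ROOT on Windows, applies the fourth-character test, and reports whether the sample would continue or hang. The page does not say whether the comparison is case-sensitive or what happens when the value is unset or shorter than four characters; the code assumes a case-sensitive comparison and treats a missing or short value as failing the check, and both assumptions are marked in the comments.

```python
"""
Reproduce the registry check attributed to the Hancitor DLL and the Cobalt
Strike sample: read the (Default) value of HKEY_CLASSES_ROOT and proceed only
if its fourth character is "t"; otherwise the malware spins forever.

Added example for this page; not Unit 42's code or the malware's own code.
Assumptions not stated on the page: the comparison is case-sensitive, and an
unset, empty or too-short default value fails the check.
"""
import sys
from typing import Optional

REQUIRED_CHAR = "t"   # the letter named in the report
CHAR_INDEX = 3        # "fourth character", zero-based


def passes_registry_gate(default_value: Optional[str]) -> bool:
    """Return True if the malware would continue past its registry check."""
    if default_value is None or len(default_value) <= CHAR_INDEX:
        # Assumption: an unset, empty or short default value does not satisfy the gate.
        return False
    # Assumption: the check is case-sensitive ("T" would not pass).
    return default_value[CHAR_INDEX] == REQUIRED_CHAR


def read_hkcr_default() -> Optional[str]:
    """Read the (Default) value of HKEY_CLASSES_ROOT.

    Returns None when not running on Windows, when the default value is unset,
    or when it is not a string (e.g. a REG_BINARY value).
    """
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard-library module
    try:
        # Opening the root key with an empty sub-key yields a handle to HKCR itself.
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, "") as key:
            value, _value_type = winreg.QueryValueEx(key, "")  # "" = (Default)
    except OSError:
        # FileNotFoundError (value unset) and PermissionError both derive from OSError.
        return None
    return value if isinstance(value, str) else None


def malware_behaviour(default_value: Optional[str]) -> str:
    """'continue' when the gate passes, 'infinite_loop' when the sample would hang."""
    return "continue" if passes_registry_gate(default_value) else "infinite_loop"


if __name__ == "__main__":
    live = read_hkcr_default()
    print(f"HKCR (Default) value: {live!r} -> {malware_behaviour(live)}")
```

Running this on an analysis VM before detonating a sample tells you whether the sample would ever get past its own gate there; a sandbox whose HKEY_CLASSES_ROOT default value fails the test will only ever show the infinite loop, not the real payload.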

