A recently observed campaign from the Zebrocy APT operators relied on a revamped backdoor to maintain access to victim hosts and extract profiling information. The backdoor comes with previously seen capabilities, but the operators used a Golang-based version instead of the variant written in Delphi, which security researchers were familiar with. The operators used Dropbox to host the malicious template, wordData.dotm, which contains malicious macros that are executed upon opening the empty document. This approach is highly likely to trigger alerts from a security product.
Source: https://www.bleepingcomputer.com/news/security/zebrocy-infects-targets-with-new-golang-based-backdoor-via-dropbox/

