A cyber-espionage unit is using the recent Game of Thrones episode leaks to lure targets into opening malicious documents sent via email.

For the past week, the group has sent emails to victims with the subject of "Wanna see the Game of Thrones in advance?" hoping to entice targets to open the email and download the attached files.

These files are booby-trapped with an embedded LNK file that runs a Powershell script that installs the 9002 remote access trojan, allowing attackers full access to the infected machine.

GoT phishing email

APT17 behind the GoT phishing campaign

Behind the attacks is a cyber-espionage group tracked under the codenames of Deputy Dog, Group 27, or APT17.

Several security firms believe the group to be operating out of China. APT17 has a long history of hacking going back for almost a decade.

The group became infamous when it tried to hack Google's infrastructure in a series of attacks known as Operation Aurora [1, 2]. Since then, the group has been busy on several fronts [1, 2, 3], focusing recent efforts on hacking government organizations in several Southeast Asian countries.

Proofpoint, the security company who discovered the recent attacks, did not say who the recent GoT-themed phishing lures targeted, but one of the Proofpoint researchers shared on Twitter that attackers targeted companies activating in the technology sector.

Pretty clever and opportune lure

This month, two Game of Thrones episodes leaked online. Employees from one of HBO's third-party distributors in India released episode 4, while HBO Spain and HBO Scandinavia accidentally aired episode 6 in advance, which then hit torrent sites within hours.

In addition, a group of hackers calling themselves Mr. Smith leaked Game of Thrones scripts and various other HBO shows.

All of these incidents produced a lot of online chatter about Game of Thrones leaks that made it possible for APT17 to operate this particular phishing lure with a high degree of efficiency.

"The use of a Game of Thrones lure [...] follows a common threat actor technique of developing lures that are timely and relevant, and play on the human factor - the natural curiosity and desire to click that leads to so many malware infections," said Darien Huss and Matthew Mesa, two Proofpoint researchers.

A technical breakdown of the recent phishing campaign and the infection process, step-by-step, is available in Proofpoint's report here.