VERY IMPORTANT

A recently detected attack exploited a vulnerability in Microsoft Office to deploy spyware called MerkSpy. The initial vector was a deceptive Word document posing as a job description. Opening it triggered the exploitation of CVE-2021-40444, allowing arbitrary code execution. This downloaded an HTML file to prepare shellcode, which then fetched a file called GoogleUpdate containing the MerkSpy payload. MerkSpy captures sensitive information like keystrokes and screenshots, exfiltrating the data to a remote server.