Microsoft PowerPoint ‘Mouseover’ Malware Hack Uncovered

PowerPoint recipients can fall victim to the attack simply by hovering their mouse over the link. 

It turns out that no member of the Microsoft Office family is safe, with cyber researchers recently exposing the Russian hacking group, Fancy Bear, for exploiting PowerPoint vulnerabilities to deliver targeted malware.

The bad actors, who have been posing as the Organization for Economic Co-Operation and Development, have been distributing malware to government sectors in the European Union via decoy Microsoft PowerPoint documents. Worryingly, all recipients need to do to fall victim to the attack is hover their mouse over the link.

Otherwise known as APT28, the Fancy Bear hacking group has been causing havoc in cyberspace for some time, but the development of this new mouseover technique is a reminder of how sophisticated malware operations are becoming. Here’s what we know so far.

New Mouseover Technique is Being Used to Deliver Malware

Russian hacking group, Fancy Bear, has been found guilty of using the decoy Microsoft PowerPoint to deploy malware, according to researchers from cybersecurity firm, Cluster25.

The cybergang — which is understood to be working with Russian intelligence services — has been utilizing a new code execution technique that responds to the mouse movement of users. This means that recipients even don’t need to click on the link or download anything for the malware to take effect. Instead, all they need to do is hover their mouse over the malicious hyperlink.

“When opening the lure document in presentation mode and the victim hovers the mouse over a hyperlink, a malicious PowerShell script is activated,” – Security researcher at Cluster25.

Once systems become exploited, a PowerShell script is triggered and a JPEG file titled ‘DSC0002.jped is downloaded onto the Microsoft OneDrive account. This file is then able to decrypt a second JPEG file containing Graphite, a malware variant uniquely linked to Fancy Bear that gains access to compromised servers.

According to researchers at Cluster25, the hackers have been masquerading as the Organisation for Economic Co-operation and Development (OECD), a Paris-based intergovernmental entity, and have mainly been targeting European governmental organizations. Their report also notes that the hackers seem to have laid the foundations for these attacks between January and February of this year, and may well be ongoing.

But this isn’t Fancy Bear’s first standoff with Microsoft. Back in April, the software company directed seven of the gang’s domains down a sinkhole after they were found to be targeting Ukrainian websites and US government institutions.

Malware is Becoming More Sophisticated

Despite regular efforts being made by businesses and regular users, malware attacks are currently dime a dozen — and threat actors have been using similar techniques to infest Microsoft Word documents for some time. However, aside from becoming more frequent, Cluster25’s discovery of this new mouseover technique is a sobering reminder of how sophisticated malware attacks are becoming too.

According to Microsoft’s own team, criminal groups are “skilled and relentless”, and have become “adept at evolving their techniques to increase success rates”. Evidence of this has been seen repeatedly over recent months, with cybercriminals experimenting with a range of different methods to extort their victims, including depositing malware through apps, cracking email addresses without retreiving passwords, and tricking victims with fake websites.

And while hacking groups like Fancy bear are directing their efforts toward government entities and social organizations, businesses aren’t exempt from these rapidly advancing threats. Unique malware attacks, specifically ransomware attacks, are on the rise throughout most industries, according to recent research from cybersecurity firm Acronis.

The report revealed that due to “increasing complexity in IT” and new avenues for exploitation, global ransomware damages are likely to exceed $30 billion by 2023. But businesses don’t need to take this news sitting down. Researchers at Acronis also pointed out that by adopting a more holistic approach to cyber-protection, lots of these damages could be mitigated.

How Can Businesses Protect Themselves?

Luckily, Fancy Bear isn’t currently directing their wrath on US businesses, but if you’d like to evade threats from similar groups, here are some measures your business could take.

First of all, since 81% of global cyberattacks exploit weak passwords, using a password manager to come up with and remember unique passwords should be your first port of call. They even offer users autofill features to make logging into servers quick and easy.

Secondly, antivirus software is another effective method to detect malware before it poses a threat to you and your business. We also recommend updating this software regularly so it contains the latest files to protect your device.

By deploying these techniques, while keeping an eye out for suspicious activity, your chances of falling victim to groups like Fancy Bear will be minimized.

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at

Written by:
Isobel O'Sullivan (BSc) is a senior writer at with over four years of experience covering business and technology news. Since studying Digital Anthropology at University College London (UCL), she’s been a regular contributor to Market Finance’s blog and has also worked as a freelance tech researcher. Isobel’s always up to date with the topics in employment and data security and has a specialist focus on POS and VoIP systems.
Explore More See all news
Back to top
close Thinking about your online privacy? NordVPN is's top-rated VPN service See Deals