Hackers used the Microsoft TechNet web portal to host the IP addresses of their command and control (C&C) servers. The attackers encoded the C&C IP addresses, and the encoded strings were placed in profiles and posts, delimited by the “@MICROSOFT” and “Corporation” tags. Microsoft, after receiving information from FireEye about the APT threat, has closed the security hole. The group, which FireEye has dubbed APT17, is well known for attacks against defense contractors, law firms, U.S. government agencies, and technology and mining company websites.

Microsoft TechNet hosts technical documentation for Microsoft products and is a very popular website with a large question-and-answer forum about Microsoft projects. The hackers created various accounts on TechNet and then left comments on certain pages. These comments contained the encoded name of a command and control domain, which computers infected by APT17’s malware were instructed to contact to obtain instructions. The obfuscation technique implemented by the attackers allowed them to delay detection of the malicious activity and the discovery of the C&C server’s IP address.

The FireEye researchers found that the hackers had used malware called BLACKCOFFEE. BLACKCOFFEE allows its handlers to perform several operations on the victim’s machine, such as uploading and downloading files, creating a reverse shell, manipulating files, and killing processes. Sometimes the command and control domains are embedded in the BLACKCOFFEE malware itself, making it easier for the malware to connect to the C&C server. FireEye has published the indicators of compromise on GitHub.
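The dead-drop pattern described above (an encoded C&C address hidden between fixed marker tags in otherwise ordinary forum text) can be hunted for on the defender's side by scanning post and profile bodies for the marker pair and reporting whatever sits between them. The following Python scanner is an added example written for this article; it is not FireEye's or Microsoft's code. It uses the “@MICROSOFT” and “Corporation” markers named in the article, assumes the payload between them is a single whitespace-free token (a heuristic chosen here to cut down false positives), and deliberately does not attempt to decode the blob, because the encoding scheme is not described on this page. The sample comments are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Marker tags as named in the article. The encoding of the payload between them is
# not documented here, so the scanner only extracts and reports the raw blob.
START_TAG = "@MICROSOFT"
END_TAG = "Corporation"

# Lazy match so each marker pair yields exactly one candidate blob.
MARKER_RE = re.compile(
    re.escape(START_TAG) + r"(?P<blob>.*?)" + re.escape(END_TAG), re.DOTALL
)


@dataclass(frozen=True)
class DeadDropHit:
    source: str   # which post/profile the blob was found in
    blob: str     # the raw (still encoded) payload between the markers


def looks_encoded(blob: str) -> bool:
    """Heuristic (an assumption of this example): a dead-drop payload is a single
    token with no internal whitespace and a minimum length, unlike ordinary prose
    that happens to mention both marker words."""
    return len(blob) >= 8 and not any(ch.isspace() for ch in blob)


def find_dead_drop_markers(source: str, text: str) -> list[DeadDropHit]:
    """Return every marker-delimited blob in `text` that passes the heuristic."""
    hits: list[DeadDropHit] = []
    for match in MARKER_RE.finditer(text):
        blob = match.group("blob").strip()
        if blob and looks_encoded(blob):
            hits.append(DeadDropHit(source, blob))
    return hits


def scan_documents(documents: dict[str, str]) -> list[DeadDropHit]:
    """Scan a mapping of source-name -> body text (e.g. scraped forum posts)."""
    hits: list[DeadDropHit] = []
    for source, body in documents.items():
        hits.extend(find_dead_drop_markers(source, body))
    return hits


# Constructed sample posts and profile bios (not real TechNet content).
SAMPLE_DOCUMENTS = {
    "post-1001": "Thanks, this fixed my installer issue. @MICROSOFT 7Kq9mZx2Lp Corporation",
    "post-1002": "Microsoft Corporation ships cumulative updates on Tuesdays.",
    "post-1003": "@MICROSOFT Corporation",                       # empty payload, ignored
    "post-1004": "@MICROSOFT is a great Corporation to work for",  # prose, fails heuristic
    "profile-77": "Sysadmin, 10 yrs. @MICROSOFTaB3dE9fG1hCorporation",
}


if __name__ == "__main__":
    for hit in scan_documents(SAMPLE_DOCUMENTS):
        print(f"{hit.source}: candidate dead-drop payload {hit.blob!r}")
```

In a SOC this would run over exported forum content or over HTTP response bodies captured at the proxy; each hit is a lead for analysts to correlate with outbound connections from hosts that fetched the page, not a verdict on its own.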