Researchers have discovered two new versions of the MM Core backdoor – BigBoss and SillyGoose – used in recent attacks on African and American industries. The MM Core backdoor can send details about the infected system to its developers, download and execute files, and update and uninstall itself. It is distributed via DOC files that exploit a Microsoft Word vulnerability, and is then executed using a Dynamic-Link Library (DLL) side-loading vulnerability. Once executed in memory, MM Core extracts and installs an embedded downloader for persistence. To evade detection, newer campaigns use C&C servers registered through a registrant privacy protection service, which makes the developers' infrastructure more difficult to track.