From secureworks.com
Secureworks® Counter Threat Unit™ (CTU) researchers observed multiple malicious Microsoft Excel add-ins delivering JSSLoader malware. JSSLoader is a remote access trojan (RAT) that was first observed in 2019 and is used by the GOLD NIAGARA cybercrime group. An Excel add-in extends Excel functionality, typically uses the ‘.xll’ file extension, and functions similar to a dynamic link library (DLL). These observations indicate a change to tactics, techniques, and procedures (TTPs), as the threat actors previously leveraged malicious executable files or Excel macros.