Hangover threat group’s use of the BackConfig malware in attacks against government and military organizations in South Asia. In almost all cases, the initial malware was hosted on a compromised site and a link was sent to targets in spear phishing emails. Besides the usage of an RTF document in a couple instances, a macro-enabled XLS document was the main format of the initial file. The decoy content in the document uses a theme relevant to the target, such as housing program registration forms in the country of interest. The macros then proceed to perform the tasks needed to ultimately infect the system with the BackConfig malware. The specific steps taken to do this have evolved over the years. The most recent version uses a combination of text files and batch scripts dropped by the macro to ultimately download the BackConfig payload from a remote URL. Persistence is also established by the macro code via scheduled tasks. Once on the system, BackConfig’s modular architecture can be used to perform a variety of tasks, such as gathering system information, keylogging, and downloading additional payloads.