The U.S. Cyber Command warned that a threat group was exploiting a vulnerability in Outlook in an effort to attack government agencies and uploaded samples that one security researcher said are linked to APT33 and Shamoon2.

“USCYBERCOM has discovered active malicious use of CVE-2017-11774 and recommends immediate #patching. Malware is currently delivered from: ‘hxxps://customermgmt.net/page/macrocosm’,” Cyber Command tweeted in a Tuesday alert.

“The executables uploaded by CyberCom appear to be related to Shamoon2 activity, which took place around January of 2017,” said Brandon Levene, head of applied intelligence at Chronicle. “These executables are both downloaders that utilize powershell to load the PUPY RAT.”

CyberCom uploaded three tools that are “likely used for the manipulation and of exploited web servers” with each having “a slightly different purpose, but there is a clear capability on the part of the attacker to interact with servers they may have compromised,” said Levene. “If the observation of CVE-2017-11774 holds true, this sheds some light on how the Shamoon attackers were able to compromise their targets.”

While security pros speculated “spear phishes were involved,” he said “not a lot of information around the initial vectors was published.”