Malicious macro writers are beginning to track their malware through images to determine how well their malware is proliferating.

Once users enable the macro content, it creates a VBScript, a batch file and other files around the version of Windows victims are running, Proofpoint said. The files then download the malware payload and a “statistics image” from a public picture-hosting service. The writer can then see how many times the image was downloaded.

Two image URLs are embedded in each macro, one for an older operating system and another for more modern Windows operating system.

Every campaign has its own unique filename for the domain that can be viewed later to determine how many downloads occurred.

Proofpoint noted that newer campaigns use two images: one to see when the payload is downloaded and one when the infection process is complete.