Security Experts:

Connect with us

Hi, what are you looking for?



Author of Dryad and Rubella Macro Builders Arrested

Dutch authorities this week announced the arrest a 20-year old man for allegedly developing and distributing Office Macro Builders. 

Dutch authorities this week announced the arrest a 20-year old man for allegedly developing and distributing Office Macro Builders. 

Such programs are designed to allow cybercriminals weaponize Office documents to deliver malicious payloads via obfuscated macro code. The macro might also purposely attempt to bypass endpoint security defenses. 

Once the document containing such a malicious macro is opened, the code would be executed, which could surreptitiously download malware or start a program on the device. 

The arrested individual, a resident of the Dutch city of Utrecht, is said to have created and distributed toolkits named Rubella, Cetan and Dryad. Aided by McAfee and another private company, the Dutch authorities managed to trace various online handles on hacking forums to the man. 

According to the authorities, the suspect sold the macro builder Rubella for prices ranging from a couple of hundred to thousands of euros. According to McAfee, Dryad and Rubella are very similar, and a conversation with the suspect revealed that the individual was behind both of them. 

The man was also “found in possession of data concerning dozens of credit cards and manuals on carding, a type of credit card fraud,” the Dutch authorities reveal. Moreover, the suspect had in possession access credentials for thousands of websites. 

The man reportedly collected around 20,000 Euro (around $22,000) in crypto currency such as Bitcoins. 

“Toolkits that build weaponized Office documents, like Dryad and Rubella, cater to the increasing cybercriminal demand of this type of infection vector. With the arrest of the suspect comes an end to the era of Dryad and Rubella Macro Builder,” McAfee notes

Related: Macro-Based Multi-Stage Attack Delivers Password Stealer

Related: Macro Malware Comes to macOS

Related: Office Loader Uses Macros to Drop Array of Malware

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.