This Spreadsheet of ‘The Worst 25 Passwords’ Is Actually Malware

Hackers are getting meta.
August 29, 2019, 3:13pm
Image: Cathryn Virginia/Motherboard

Hackers in the Middle East have reportedly been trying to hack critical infrastructure companies, sometimes using booby-trapped spreadsheets that appeared to contain the uber-popular “worst passwords” list that we all love to laugh at.

In the words of Alanis Morissette: isn’t it ironic, don’t you think?

Cybersecurity firm Dell Secureworks detailed an espionage campaign focused on targets in the Middle East from May of this year in a blog post earlier this week. In this case, security researchers said they didn’t have enough evidence to point the finger at any known hacking group, but said the hackers may be associated with APT33 or APT34, which are believed to be groups working for the Iranian government.


The hackers in this campaign used techniques such as password-spraying (when hackers try a list of common passwords hoping to guess the right one) and brute forcing to hack into victims’ accounts. They then used the hacked accounts to send phishing emails with malicious attachments to other people in the hacked organization, according to Secureworks.

In one case in 2018, the hackers used a spreadsheet that appeared to contain security tips, which told people to use an anti-virus and strong passwords. Another infected spreadsheet contained a list of “The Worst 25 Passwords of 2017,” as well as embedded malware, according to Secureworks.


“It’s a brilliant piece of social engineering that takes advantage of one of security professionals’ worst tendencies: to gloat over security failures,” Wendy Nather, the head of advisory chief information security officers at cybersecurity firm Duo, said in an online chat.

Touché, hackers.
