Gabor Szappanos, a principal researcher at SophosLabs publishes the outcome of his research consisting of mapping out a wide variety of Microsoft Word Intruder (MWI) attacks that took place between May and August 2015. MWI is the most influential Office malware creation kit today and it was developed in Russia.
Although the Microsoft Word Intruder kit is advertised for targeted attacks, which are usually associated with nation-state intrusions or other focused surveillance operations, it seems that its primary users are moneymaking cybercriminals aiming for smaller, less obvious, malware campaigns.
The full research report is available here – https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-microsoft-word-intruder-revealed.pdf