Hackers Weaponize DOCX, RTF, JavaScript, and Python In Boeing RFQ Attack

A sophisticated phishing campaign is targeting industrial suppliers by impersonating Boeing procurement officials.

Disguised as a massive order request from a fake “Joyce Malave,” the attack uses a weaponized Word document to launch a complex, six-stage kill chain.

By chaining together legacy document features, obfuscated scripts, and a full Python runtime, attackers are successfully deploying Cobalt Strike directly into memory without triggering standard antivirus alarms.

The Six-Stage Invisible Kill Chain

The attack, tracked as the “NKFZ5966PURCHASE” campaign, begins with a standard DOCX file. However, attackers use an old but effective trick called “aFChunk” to hide a massive 4MB RTF file inside the document’s structure.

Because most email gateways only scan the top-level structure of the DOCX, the malicious RTF easily slips past defenses.
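The structural check a gateway skips is cheap to do yourself. The following is an added example, not code from the article or from Break Glass: it opens a DOCX as the ZIP package it is, follows every `w:altChunk` reference in `word/document.xml` through the relationship file (the “aFChunk” relationship type named above), and reports the size of each imported part and whether it begins with an RTF header. The `build_sample_docx` fixture and the `chunk.dat` part name are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def find_alt_chunks(docx_bytes: bytes) -> list[dict]:
    """List every altChunk part the document body pulls in, with size and RTF check."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        if "word/document.xml" not in names:
            return findings
        doc = ET.fromstring(zf.read("word/document.xml"))
        # rId -> Target mapping from the main part's relationship file
        rels = {}
        if "word/_rels/document.xml.rels" in names:
            for rel in ET.fromstring(zf.read("word/_rels/document.xml.rels")):
                rels[rel.get("Id")] = rel.get("Target", "")
        for chunk in doc.iter(f"{{{W_NS}}}altChunk"):
            rid = chunk.get(f"{{{R_NS}}}id")
            target = rels.get(rid, "")
            # Targets are relative to word/ unless written as an absolute package path
            part = target.lstrip("/") if target.startswith("/") else "word/" + target
            data = zf.read(part) if part in names else b""
            findings.append({"rId": rid, "part": part, "size": len(data),
                             "is_rtf": data.lstrip().startswith(b"{\\rtf")})
    return findings


def build_sample_docx(payload: bytes) -> bytes:
    """Constructed fixture: a minimal DOCX whose body imports `payload` via altChunk."""
    document = (f'<w:document xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:body>'
                '<w:altChunk r:id="rId9"/></w:body></w:document>')
    rels = (f'<Relationships xmlns="{PKG_NS}"><Relationship Id="rId9" '
            f'Type="{R_NS}/aFChunk" Target="chunk.dat"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/chunk.dat", payload)  # invisible to a scanner that stops at document.xml
    return buf.getvalue()


if __name__ == "__main__":
    for f in find_alt_chunks(build_sample_docx(b"{\\rtf1\\ansi hidden}")):
        print(f"{f['part']}: {f['size']} bytes, rtf={f['is_rtf']}")
```

A multi-megabyte altChunk part, or any altChunk that resolves to RTF, is a strong reason to detonate the document rather than deliver it.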

Inside the RTF, a hidden JavaScript dropper waits. Once triggered, it spawns a hidden PowerShell window.

This PowerShell script uses advanced evasion techniques, including bypassing Microsoft’s Anti-Malware Scan Interface (AMSI) and ignoring security certificate warnings, to disguise its next move as a normal web browser download.

The script reaches out to Filemail.com, a legitimate file-sharing service that typically bypasses URL filters, to download a 14.5MB ZIP file. This archive contains a completely legitimate, digitally signed Python 3.12 runtime alongside a file named “license.pdf.”

But the PDF is a trap. It is actually a heavily encrypted, malicious DLL file. A Python script decrypts this fake PDF using hardcoded AES-256 keys and injects it directly into the computer’s memory.

By never saving the final executable payload to the hard drive, the attackers deploy a Cobalt Strike beacon while evading traditional file-scanning security tools.

Sophisticated Tools, Sloppy Tradecraft

Despite the impressive technical architecture of the attack, the operators made severe operational security (OPSEC) mistakes.

The campaign is actively expanding, including recent strikes against Italian organizations, but the attackers lazily reuse their infrastructure and configurations.

First, they failed to scrub the metadata from their bait documents. The files still list “Christian Booc” and “John” as the authors and show the template was originally built in 2021, suggesting the operators are recycling a five-year-old toolkit.

According to Break Glass research, the attackers also implemented anti-forensic tricks, such as changing file timestamps to 2045 and deliberately mislabeling encryption keys in their code to confuse researchers.

Yet, their reliance on a single file-sharing platform and static campaign tags easily exposes their entire operation.

Multiple payload URLs on Filemail remain live, making immediate network blocking a critical priority for defenders.

In line with clear reporting practices, security teams are advised to hunt for compromises using these persistent behavioral indicators and the static encryption keys, rather than relying strictly on dense indicator lists.


The post Hackers Weaponize DOCX, RTF, JavaScript, and Python In Boeing RFQ Attack appeared first on Cyber Security News.
