Boeing RFQ Malware Campaign Abuses DOCX, RTF, JS, Python for Stealthy Attacks
Key Takeaways
- A sophisticated six-stage malware campaign, dubbed NKFZ5966PURCHASE, is actively targeting organizations, impersonating Boeing Request for Quotation (RFQ) communications.
- The attack chain leverages multiple file types—DOCX, RTF, JavaScript, PowerShell, and a full Python 3.12 runtime—to deliver the Cobalt Strike post-exploitation framework entirely in memory, making detection difficult.
- Initial targets appear to be related to Boeing’s supply chain or partners, with Italian organizations also identified as secondary targets, primarily focusing on procurement and sales staff.
- The campaign exhibits advanced stealth techniques, including hidden embedded files, obfuscated scripts, AMSI bypasses, and the abuse of legitimate services like Filemail.com, leaving minimal forensic traces.
Overview of the Stealthy Boeing RFQ Malware Campaign
A complex, six-stage malware operation, identified as NKFZ5966PURCHASE, has been discovered exploiting common document formats and scripting languages to deploy the potent post-exploitation tool, Cobalt Strike. The campaign masquerades as a Request for Quotation (RFQ) from Boeing, specifically from an individual named “Joyce Malave,” to entice victims into opening a booby-trapped Microsoft Word document.
Upon execution, the malicious file initiates a multi-layered attack sequence that culminates in Cobalt Strike operating exclusively within the compromised system’s memory. This in-memory execution significantly reduces the forensic footprint, making the attack challenging to detect and analyze.
The campaign first came to light on March 30, 2026, when security researcher @JAMESWT_WT alerted the community to a suspicious DOCX file via X. Within hours, additional samples surfaced on MalwareBazaar under the same campaign identifier. By April 1, three distinct versions of the lure document had been identified, all sharing identical metadata, encryption keys, and the same underlying attack structure, indicating an active and expanding threat.
Analysts at BreakglassIntelligence meticulously mapped out the entire six-stage kill chain. This intricate process involves a progression through DOCX, RTF, JavaScript, PowerShell, a complete Python 3.12 runtime, and finally, a reflectively loaded, AES-256 encrypted DLL. Notably, the entire process is designed to avoid writing any clearly identifiable malicious files to disk. At the time of their report, twenty-two linked malware samples had been confirmed, with at least one live payload delivery URL still operational.
The social engineering aspect of this campaign is straightforward yet effective. Attackers impersonate “Joyce Malave from BOEING” or “Global Services, LLC,” specifically targeting procurement and sales personnel with requests for competitive pricing on large-volume orders. Three distinct lure document filenames—“Rfq and Payment Schedule.docx,” “Product_specifications.docx,” and “RFQ_PO_ATR29026II.docx”—were observed, all containing the same malicious attack chain. Interestingly, the base document template used for these lures was created in April 2021 and weaponized in January 2026, nearly five years later, with its original author metadata left uncleaned.
The successful deployment of Cobalt Strike grants attackers comprehensive interactive access to the compromised machine. This access enables a range of malicious activities, including data exfiltration, lateral movement within the network, and further system compromise. Beyond the primary targets, Italian organizations have also been identified as secondary victims. The campaign’s reliance on legitimate tools such as Microsoft Word, PowerShell, a signed Python binary, and Microsoft-trusted Living Off The Land Binaries (LOLBins) makes it exceptionally difficult for conventional endpoint security solutions to detect.
Inside the Six-Stage Kill Chain
The infection process begins the moment a user opens the seemingly innocuous DOCX file. Embedded within the document’s internal relationships file is an “aFChunk” reference. This technique, which dates back to 2017, compels Microsoft Word to silently load a hidden, embedded RTF file. This method remains effective as many email security gateways primarily scan DOCX files at the ZIP archive level and often fail to follow these embedded RTF links.
Within the RTF file, a hex-encoded JavaScript file is concealed using a control word that Word processes internally but does not display to the user.
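The aFChunk relationship described above can be checked for directly in a DOCX's relationship part before the file ever reaches Word. The scanner below is an added example, not code from the original report or from BreakglassIntelligence; it assumes the standard OOXML relationship type URI ending in "/aFChunk" and builds its own constructed test document rather than using any sample from the campaign.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Standard OOXML namespaces and part paths (these are fixed by the Open XML spec)
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
RELS_PATH = "word/_rels/document.xml.rels"
DOC_PATH = "word/document.xml"

def find_afchunk_parts(docx_bytes: bytes) -> list:
    """Return (relationship id, target, is_rtf) for every aFChunk relationship in the main document part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if RELS_PATH not in names:
            return findings
        root = ET.fromstring(z.read(RELS_PATH))
        for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
            if not rel.get("Type", "").endswith("/aFChunk"):
                continue
            rel_target = rel.get("Target", "").lstrip("/")
            part = rel_target if rel_target.startswith("word/") else "word/" + rel_target
            # Only the leading bytes are read to classify the chunk; Word itself would load the whole part
            is_rtf = part in names and z.read(part).lstrip().startswith(b"{\\rtf")
            findings.append((rel.get("Id"), rel_target, is_rtf))
    return findings

def build_sample_docx(chunk_bytes: bytes) -> bytes:
    """Constructed test fixture: a minimal DOCX whose body pulls in an embedded part via altChunk."""
    document = (f'<w:document xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:body>'
                '<w:p><w:r><w:t>Request for Quotation</w:t></w:r></w:p>'
                '<w:altChunk r:id="rId9"/></w:body></w:document>')
    rels = (f'<Relationships xmlns="{PKG_NS}"><Relationship Id="rId9" Target="afchunk.rtf" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/aFChunk"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(DOC_PATH, document)
        z.writestr(RELS_PATH, rels)
        z.writestr("word/afchunk.rtf", chunk_bytes)
    return buf.getvalue()

if __name__ == "__main__":
    for rid, target, is_rtf in find_afchunk_parts(build_sample_docx(b"{\\rtf1\\ansi hidden}")):
        print(f"aFChunk {rid} -> {target} (RTF: {is_rtf})")
```

A gateway check that only lists the ZIP entries of a DOCX misses this, because the RTF part looks like any other embedded file until the relationship type is inspected.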
Execution and Payload Delivery
The JavaScript dropper, approximately 67 KB in size, employs a junk-string obfuscation technique to mask its true content. It then leverages Windows Management Instrumentation (WMI) to silently launch PowerShell in a hidden window.
This PowerShell script is designed to disable TLS certificate checks and bypass Windows’ Antimalware Scan Interface (AMSI) through indirect method calls. It then proceeds to download a 14.5 MB ZIP archive from Filemail.com, a legitimate Norwegian file-sharing service. The attackers exploit Filemail’s clean domain reputation to evade detection.
The downloaded ZIP file is disguised as an MP3 audio file and, once unpacked, contains a complete Python 3.12 runtime environment. Python then executes “Protected.py,” a 392-line script that systematically strips away five layers of obfuscation—Base64, zlib, byte reversal, ROT13, and XOR—before decrypting “license.pdf” using AES-256-CBC. This “license.pdf” is, in fact, an encrypted DLL (Dynamic Link Library) that is reflectively loaded directly into memory, never touching the disk as a standalone file.
Persistence on the compromised system is achieved by establishing a registry Run key named “RtkAudUService,” designed to mimic a legitimate Realtek audio service. This entry utilizes a Microsoft-signed VBScript to re-launch the loader after each system reboot.
What You Should Do
- Enhance Email Security: Implement advanced email gateway solutions capable of deep scanning DOCX and RTF files, specifically looking for embedded “aFChunk” references and suspicious control words.
- Educate Users: Conduct regular cybersecurity awareness training for all employees, particularly procurement and sales staff, on identifying sophisticated phishing attempts and the dangers of opening unsolicited attachments.
- Monitor Registry Keys: Actively monitor HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\Run for unusual entries, especially those mimicking legitimate services like “RtkAudUService.”
- Network Traffic Analysis: Implement network monitoring to detect outbound connections to known malicious domains or suspicious activity involving legitimate file-sharing services like Filemail.com if they are not part of your organization’s approved services.
- Endpoint Detection and Response (EDR): Utilize EDR solutions with advanced behavioral analysis capabilities to detect in-memory execution, PowerShell script obfuscation, and AMSI bypass attempts, as traditional antivirus may struggle with these stealthy techniques.
- Restrict PowerShell Usage: Implement policies to restrict or log PowerShell script execution, especially when initiated by common applications like Microsoft Word, and ensure PowerShell logging is enabled.