Hackers Abuse DOCX, RTF, JS, and Python in Stealthy Boeing RFQ

Marcus Rodriguez
April 2, 2026

A sophisticated six-stage malware campaign, detailed in a <a href="https://ppl-ai-file-upload.s3.amazonaws.com/web/direct-files/attachments/11146061/bc0f5a00-12db-4ec7-9e69-f631e6

The campaign, tracked as NKFZ5966PURCHASE, disguises itself as a Boeing Request for Quotation (RFQ) from a person named “Joyce Malave,” luring victims into opening a malicious Word document.

Once opened, the file silently triggers a layered kill chain that ends with Cobalt Strike — a powerful post-exploitation tool — running entirely in the computer’s memory, leaving almost no trace behind.

The attack was first spotted on March 30, 2026, when security researcher @JAMESWT_WT flagged a suspicious DOCX file on X.

Within hours, additional samples were submitted to MalwareBazaar under the same campaign tag. By April 1, three distinct versions of the lure document had surfaced, all sharing identical document metadata, matching encryption keys, and the same attack structure. The campaign was not just active — it was expanding.

BreakglassIntelligence analysts identified the full six-stage attack chain, tracing how the malware moved through DOCX, RTF, JavaScript, PowerShell, a complete Python 3.12 runtime, and finally a reflectively loaded, AES-256 encrypted DLL — all without placing a clearly flagged file anywhere on disk.

Twenty-two linked malware samples were confirmed across the campaign, with at least one live payload delivery URL still active at the time of publication.

The social engineering is direct and effective. Messages impersonate “Joyce Malave from BOEING” or “Global Services, LLC,” targeting procurement and sales staff with a simple ask: provide the best prices for a high-quantity order.

Three lure variants surfaced — Rfq and Payment Schedule.docx, Product_specifications.docx, and RFQ_PO_ATR29026II.docx — all carrying the same attack chain.

The base document template was created in April 2021 and weaponized in January 2026 — nearly five years later — with author metadata intact and never cleaned.

The impact of this campaign is serious. Once Cobalt Strike is loaded in memory, the attacker gains full interactive access to the compromised machine, enabling data theft, lateral movement, and further network compromise.

Italian organizations were also identified as secondary targets, and the campaign’s consistent use of legitimate tools throughout — Word, PowerShell, a signed Python binary, and a Microsoft-trusted LOLBin — makes detection extremely difficult with conventional endpoint security.

Inside the Six-Stage Kill Chain

The infection begins the moment a victim opens the DOCX file. Buried inside the document’s relationships file is an aFChunk reference — a technique that forces Word to silently load a hidden embedded RTF file.

This trick dates back to 2017, but remains effective because most email security gateways scan DOCX files only at the ZIP level and never follow embedded RTF links.

Inside the RTF, a hex-encoded JavaScript file hides within a control word that Word processes but never shows the user.

The JavaScript dropper — about 67 KB — uses a junk-string technique to hide its content, then invokes WMI to spawn PowerShell silently in a hidden window.

That PowerShell script disables TLS certificate checks, bypasses Windows’ Antimalware Scan Interface (AMSI) through indirect method calls, and downloads a 14.5 MB ZIP from Filemail.com — a legitimate Norwegian file-sharing service exploited here for its clean domain reputation.

The ZIP arrives disguised as an .mp3 file and unpacks a full Python 3.12 runtime. Python then runs Protected.py, a 392-line script that strips five layers of obfuscation — Base64, zlib, byte reversal, ROT13, and XOR — before decrypting license.pdf using AES-256-CBC.

That file is actually an encrypted DLL, reflectively loaded into memory and never written to disk. Persistence is set via a registry Run key called RtkAudUService, mimicking a Realtek audio service, using a Microsoft-signed VBS script to relaunch the loader after each reboot.

Security teams should monitor HKCU Run keys for RtkAudUService, block Filemail.com URLs, and flag DOCX files with aFChunk references.
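The aFChunk check recommended above, and the "ZIP-level scan never follows the embedded RTF" gap described in the kill-chain section, can be closed with a small triage script that opens the DOCX as a package, walks the relationships part for aFChunk entries, and looks at the signature of the part each one points to. This is an added example, not code from the article or from BreakglassIntelligence; the sample DOCX it builds is a constructed placeholder, not a campaign sample.

```python
import io
import posixpath
import zipfile
from xml.etree import ElementTree as ET

# Relationship type Word uses for an altChunk ("alternative format chunk") part.
AFCHUNK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/aFChunk"
RELS_PART = "word/_rels/document.xml.rels"

def find_afchunks(docx_bytes: bytes) -> list[dict]:
    """Return one record per aFChunk relationship in the DOCX: its rId, the
    resolved target part, whether that part exists, and whether it carries
    an RTF signature. A gateway that only lists ZIP members never sees this."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        if RELS_PART not in names:
            return findings
        for rel in ET.fromstring(zf.read(RELS_PART)):
            if rel.get("Type") != AFCHUNK_TYPE:
                continue
            target = rel.get("Target", "")
            # Targets are relative to word/ unless written as an absolute part name.
            part = target.lstrip("/") if target.startswith("/") else posixpath.normpath("word/" + target)
            head = zf.read(part)[:8] if part in names else b""
            findings.append({"rId": rel.get("Id"), "target": part,
                             "present": part in names, "rtf": head.startswith(b"{\\rtf")})
    return findings

def build_docx(with_chunk: bool) -> bytes:
    """Constructed minimal DOCX (assumption: not a real sample) to exercise the scanner."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
    if with_chunk:
        rels.append(f'<Relationship Id="rId9" Type="{AFCHUNK_TYPE}" Target="afchunk.rtf"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(RELS_PART, "\n".join(rels))
        if with_chunk:
            zf.writestr("word/afchunk.rtf", r"{\rtf1\ansi benign placeholder text}")
    return buf.getvalue()

if __name__ == "__main__":
    for label, doc in (("clean", build_docx(False)), ("afchunk", build_docx(True))):
        print(label, find_afchunks(doc))
```

Any hit with `rtf` set to True is worth quarantining for manual review, since an RTF chunk pulled in through aFChunk is exactly the step this campaign relies on to get its hex-encoded JavaScript past gateway scanning.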
