Boeing RFQ Malware Campaign Abuses DOCX, RTF, JS, Python for Stealthy Attacks

Marcus Rodriguez
April 2, 2026

Key Takeaways

  • A sophisticated six-stage malware campaign, dubbed NKFZ5966PURCHASE, is actively targeting organizations, impersonating Boeing Request for Quotation (RFQ) communications.
  • The attack chain leverages multiple file types—DOCX, RTF, JavaScript, PowerShell, and a full Python 3.12 runtime—to deliver the Cobalt Strike post-exploitation framework entirely in memory, making detection difficult.
  • Initial targets appear to be related to Boeing’s supply chain or partners, with Italian organizations also identified as secondary targets, primarily focusing on procurement and sales staff.
  • The campaign exhibits advanced stealth techniques, including hidden embedded files, obfuscated scripts, AMSI bypasses, and the abuse of legitimate services like Filemail.com, leaving minimal forensic traces.

Overview of the Stealthy Boeing RFQ Malware Campaign

A complex, six-stage malware operation, identified as NKFZ5966PURCHASE, has been discovered exploiting common document formats and scripting languages to deploy the potent post-exploitation tool, Cobalt Strike. The campaign masquerades as a Request for Quotation (RFQ) from Boeing, specifically from an individual named “Joyce Malave,” to entice victims into opening a booby-trapped Microsoft Word document.

Upon execution, the malicious file initiates a multi-layered attack sequence that culminates in Cobalt Strike operating exclusively within the compromised system’s memory. This in-memory execution significantly reduces the forensic footprint, making the attack challenging to detect and analyze.

The campaign first came to light on March 30, 2026, when security researcher @JAMESWT_WT alerted the community to a suspicious DOCX file via X. Within hours, additional samples surfaced on MalwareBazaar under the same campaign identifier. By April 1, three distinct versions of the lure document had been identified, all sharing identical metadata, encryption keys, and the same underlying attack structure, indicating an active and expanding threat.

Analysts at BreakglassIntelligence meticulously mapped out the entire six-stage kill chain. This intricate process involves a progression through DOCX, RTF, JavaScript, PowerShell, a complete Python 3.12 runtime, and finally, a reflectively loaded, AES-256 encrypted DLL. Notably, the entire process is designed to avoid writing any clearly identifiable malicious files to disk. At the time of their report, twenty-two linked malware samples had been confirmed, with at least one live payload delivery URL still operational.

The social engineering aspect of this campaign is straightforward yet effective. Attackers impersonate “Joyce Malave from BOEING” or “Global Services, LLC,” specifically targeting procurement and sales personnel with requests for competitive pricing on large-volume orders. Three distinct lure document filenames—“Rfq and Payment Schedule.docx,” “Product_specifications.docx,” and “RFQ_PO_ATR29026II.docx”—were observed, all containing the same malicious attack chain. Interestingly, the base document template used for these lures was created in April 2021 and weaponized in January 2026, nearly five years later, with its original author metadata left uncleaned.

The successful deployment of Cobalt Strike grants attackers comprehensive interactive access to the compromised machine. This access enables a range of malicious activities, including data exfiltration, lateral movement within the network, and further system compromise. Beyond the primary targets, Italian organizations have also been identified as secondary victims. The campaign’s reliance on legitimate tools such as Microsoft Word, PowerShell, a signed Python binary, and Microsoft-trusted Living Off The Land Binaries (LOLBins) makes it exceptionally difficult for conventional endpoint security solutions to detect.

Inside the Six-Stage Kill Chain

The infection process begins the moment a user opens the seemingly innocuous DOCX file. Embedded within the document’s internal relationships file is an “aFChunk” reference. This technique, which dates back to 2017, compels Microsoft Word to silently load a hidden, embedded RTF file. This method remains effective as many email security gateways primarily scan DOCX files at the ZIP archive level and often fail to follow these embedded RTF links.

Within the RTF file, a hex-encoded JavaScript file is concealed using a control word that Word processes internally but does not display to the user.
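The gateway blind spot described above can be closed by following the relationship graph instead of only listing ZIP entries. The scanner below is an added example, not code from the article or from BreakglassIntelligence: it reads word/_rels/document.xml.rels, picks out every relationship of type aFChunk (the type Word uses for w:altChunk), resolves the target part and checks whether it begins with an RTF header. The DOCX it scans is a synthetic one built inline; the part name afchunk.rtf and the placeholder content are assumptions, not values from the campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
WML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

def find_altchunks(docx_bytes):
    """Return one dict per aFChunk relationship in word/_rels/document.xml.rels.
    The target part is resolved inside the ZIP and checked for an RTF header,
    so a scanner that only lists ZIP entries still learns what Word will load."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "word/_rels/document.xml.rels" not in names:
            return findings
        rels = ET.fromstring(z.read("word/_rels/document.xml.rels"))
        for rel in rels.iter(PKG_REL):
            if rel.get("Type") != OFFICE_REL + "/aFChunk":
                continue
            target = rel.get("Target", "")
            external = rel.get("TargetMode") == "External"   # remote chunk, nothing in the ZIP
            part = target.lstrip("/") if target.startswith("/") else "word/" + target
            head = z.read(part)[:64] if part in names and not external else b""
            findings.append({"id": rel.get("Id"), "part": part, "external": external,
                             "is_rtf": head.lstrip().startswith(b"{\\rtf")})
    return findings

def build_lure_docx():
    """Construct a minimal, synthetic DOCX (not a campaign sample): the body holds a
    w:altChunk whose aFChunk relationship points at an embedded RTF part."""
    doc = ('<w:document xmlns:w="%s" xmlns:r="%s"><w:body>'
           '<w:p><w:r><w:t>Request for quotation</w:t></w:r></w:p>'
           '<w:altChunk r:id="rId1"/></w:body></w:document>' % (WML_NS, OFFICE_REL))
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="%s/aFChunk" Target="afchunk.rtf"/>'
            '</Relationships>' % OFFICE_REL)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")          # placeholder, enough for the scanner
        z.writestr("word/document.xml", doc)
        z.writestr("word/_rels/document.xml.rels", rels)
        z.writestr("word/afchunk.rtf", "{\\rtf1\\ansi placeholder text}")  # benign RTF body
    return buf.getvalue()

if __name__ == "__main__":
    for hit in find_altchunks(build_lure_docx()):
        print("altChunk relationship found:", hit)
```

A document with an aFChunk relationship whose target is an RTF part (or an external URL) is worth quarantining for analysis even when every ZIP entry individually looks clean.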

Execution and Payload Delivery

The JavaScript dropper, approximately 67 KB in size, employs a junk-string obfuscation technique to mask its true content. It then leverages Windows Management Instrumentation (WMI) to silently launch PowerShell in a hidden window.

This PowerShell script is designed to disable TLS certificate checks and bypass Windows’ Antimalware Scan Interface (AMSI) through indirect method calls. It then proceeds to download a 14.5 MB ZIP archive from Filemail.com, a legitimate Norwegian file-sharing service. The attackers exploit Filemail’s clean domain reputation to evade detection.

The downloaded ZIP file is disguised as an MP3 audio file and, once unpacked, contains a complete Python 3.12 runtime environment. Python then executes “Protected.py,” a 392-line script that systematically strips away five layers of obfuscation—Base64, zlib, byte reversal, ROT13, and XOR—before decrypting “license.pdf” using AES-256-CBC. This “license.pdf” is, in fact, an encrypted DLL (Dynamic Link Library) that is reflectively loaded directly into memory, never touching the disk as a standalone file.

Persistence on the compromised system is achieved by establishing a registry Run key named “RtkAudUService,” designed to mimic a legitimate Realtek audio service. This entry utilizes a Microsoft-signed VBScript to re-launch the loader after each system reboot.

What You Should Do

  • Enhance Email Security: Implement advanced email gateway solutions capable of deep scanning DOCX and RTF files, specifically looking for embedded “aFChunk” references and suspicious control words.
  • Educate Users: Conduct regular cybersecurity awareness training for all employees, particularly procurement and sales staff, on identifying sophisticated phishing attempts and the dangers of opening unsolicited attachments.
  • Monitor Registry Keys: Actively monitor HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\Run for unusual entries, especially those mimicking legitimate services like “RtkAudUService.”
  • Network Traffic Analysis: Implement network monitoring to detect outbound connections to known malicious domains or suspicious activity involving legitimate file-sharing services like Filemail.com if they are not part of your organization’s approved services.
  • Endpoint Detection and Response (EDR): Utilize EDR solutions with advanced behavioral analysis capabilities to detect in-memory execution, PowerShell script obfuscation, and AMSI bypass attempts, as traditional antivirus may struggle with these stealthy techniques.
  • Restrict PowerShell Usage: Implement policies to restrict or log PowerShell script execution, especially when initiated by common applications like Microsoft Word, and ensure PowerShell logging is enabled.
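The monitoring recommendations above translate into a handful of behavioural rules keyed to this chain: WMI-launched hidden PowerShell, PowerShell reaching a file-sharing host that is not approved, a Python runtime running out of a user-writable directory, and a Run key named after the Realtek service but pointing at a script host. The code below is an added example, not from the article or BreakglassIntelligence; it runs those rules over constructed Sysmon-style events whose field names (type, image, parent, cmdline, dest_host, key, value, data), paths and the use of wscript.exe as the VBScript host are assumptions.

```python
import re

# Constructed telemetry (not from the campaign); field names follow Sysmon-style process,
# network and registry events. Paths and file names are placeholders.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"powershell.exe -WindowStyle Hidden -File C:\Users\u\AppData\Local\Temp\stage.ps1"},
    {"type": "network", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "www.filemail.com", "dest_port": 443},
    {"type": "process", "image": r"C:\Users\u\AppData\Local\Temp\py\python.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "python.exe Protected.py"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "RtkAudUService", "data": r"wscript.exe C:\Users\u\AppData\Roaming\RtkAud\start.vbs"},
    {"type": "registry", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",   # genuine Realtek entry
     "value": "RtkAudUService", "data": r"C:\Program Files\Realtek\Audio\HDA\RtkAudUService64.exe -background"},
]

POWERSHELL = ("powershell.exe", "pwsh.exe")
SCRIPT_HOSTS = POWERSHELL + ("wscript.exe", "cscript.exe", "mshta.exe")
APPROVED_SHARING_HOSTS = set()   # file-sharing hosts the organisation has approved (none here)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, event) pairs; each rule maps to one stage of the chain described above."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            img, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"].lower()
            if img in POWERSHELL and parent == "wmiprvse.exe" and re.search(r"-w(indowstyle)?\s+hidden", cmd):
                hits.append(("wmi_spawned_hidden_powershell", ev))      # JS dropper -> WMI -> PowerShell
            if img in SCRIPT_HOSTS and parent == "winword.exe":
                hits.append(("office_spawned_script_host", ev))         # Word launching a script host
            if img == "python.exe" and parent in POWERSHELL and "\\appdata\\" in ev["image"].lower():
                hits.append(("python_runtime_under_appdata", ev))       # unpacked Python 3.12 runtime
        elif ev["type"] == "network":
            host = ev["dest_host"].lower()
            if (basename(ev["image"]) in POWERSHELL and host.endswith("filemail.com")
                    and host not in APPROVED_SHARING_HOSTS):
                hits.append(("powershell_to_file_sharing_service", ev))  # ZIP download stage
        elif ev["type"] == "registry":
            launcher = basename(ev["data"].split(" ")[0])
            if (ev["key"].lower().endswith(r"\currentversion\run") and "rtkaud" in ev["value"].lower()
                    and launcher in ("wscript.exe", "cscript.exe")):
                hits.append(("run_key_realtek_lookalike_script", ev))   # persistence via VBScript host
    return hits
```

The genuine Realtek Run entry is deliberately included so the registry rule fires on the script-host lookalike only, not on the vendor binary.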
