惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

小众软件
小众软件
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
有赞技术团队
有赞技术团队
S
Securelist
Attack and Defense Labs
Attack and Defense Labs
T
Threat Research - Cisco Blogs
L
LINUX DO - 最新话题
The GitHub Blog
The GitHub Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
S
Security Affairs
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
WordPress大学
WordPress大学
美团技术团队
量子位
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
GbyAI
GbyAI
O
OpenAI News
IT之家
IT之家
F
Full Disclosure
W
WeLiveSecurity
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
P
Palo Alto Networks Blog
P
Privacy International News Feed
Webroot Blog
Webroot Blog
C
CERT Recently Published Vulnerability Notes
Latest news
Latest news
月光博客
月光博客
博客园 - 【当耐特】
N
News | PayPal Newsroom
Cloudbric
Cloudbric
Hacker News - Newest:
Hacker News - Newest: "LLM"
T
The Exploit Database - CXSecurity.com
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Hugging Face - Blog
Hugging Face - Blog
博客园 - 三生石上(FineUI控件)
K
Kaspersky official blog
云风的 BLOG
云风的 BLOG
宝玉的分享
宝玉的分享
博客园 - 叶小钗
TaoSecurity Blog
TaoSecurity Blog
Martin Fowler
Martin Fowler
Simon Willison's Weblog
Simon Willison's Weblog
A
Arctic Wolf
Apple Machine Learning Research
Apple Machine Learning Research
D
Docker
aimingoo的专栏
aimingoo的专栏
Microsoft Security Blog
Microsoft Security Blog
PCI Perspectives
PCI Perspectives
Microsoft Azure Blog
Microsoft Azure Blog
雷峰网
雷峰网

Security Research | Blog

ClaudeFix: Shared Claude Chats Meet ClickFix | Zscaler Why Do F1 Teams Need Cybersecurity, and What Is AI’s Role? Indirect Prompt Injection Targets AI Agents | ThreatLabz Splunk Enterprise RCE (CVE-2026-20253) | ThreatLabz Edgecution: Malicious Edge Extension Backdoor | ThreatLabz SmartApeSG Supply Chain Attack Targets Okendo | ThreatLabz AI Generated ClickFix Attack Delivers SmartRAT | ThreatLabz What the ThreatLabz 2026 Phishing and Initial Access Report Means for the Public Sector | Zscaler Shai-Hulud: Miasma, Hades, & AI Scanner Evasion | ThreatLabz Zscaler ThreatLabz 2026 Phishing and Initial Access Report Technical Analysis of MLTBackdoor | ThreatLabz When the Scanner Starts Thinking: Learnings from Mythos & GPT 5.5 Cyber in Security Testing | Zscaler OpenClaw Skill Distributes Remcos & GhostLoader | ThreatLabz Tropic Trooper: AdaptixC2 + Custom Beacon | ThreatLabz Do not delete blog (testing) | Zscaler Payouts King Takes Aim at the Ransomware Throne | ThreatLabz The Alibaba Incident and Why Zero Trust Matters More Than Ever In-Memory Loader Drops ScreenConnect | ThreatLabz Supply Chain Attacks Surge in March 2026 | ThreatLabz Claude Code Leak: Critical AI Security Threat 2026 Latest Xloader Obfuscation Code & C2 Protocol | ThreatLabz CVE-2026-20131: Analysis of FMC RCE | ThreatLabz Technical Analysis of SnappyClient | ThreatLabz China-nexus Group Targets Arabian Gulf Region | ThreatLabz Middle East Conflict Fuels Cyber Attacks | ThreatLabz Dust Specter APT Targets Gov’t Officials in Iraq | ThreatLabz APT37 Adds New Tools For Air-Gapped Networks | ThreatLabz GuLoader Malware Obfuscation Techniques Analyzed GuLoader Obfuscation Analysis | ThreatLabz Technical Analysis of Marco Stealer | ThreatLabz Latest Public Sector AI Adoption Trends: What Government, Healthcare, and Education Security Teams Need to Know | Zscaler 7 Predictions for 2026 | Zscaler SHEETCREEP, FIREPOWER, and MAILCREEP Analysis | ThreatLabz AI is Now Default Enterprise Accelerator: Takeaways from ThreatLabz 2026 AI Security Report | Zscaler GOGITTER, GITSHELLPAD, and GOSHELL Analysis | ThreatLabz Malicious NPM Packages Deliver NodeCordRAT | ThreatLabz What’s Powering Enterprise AI in 2025: ThreatLabz Report Sneak Peek | Zscaler BlindEagle Deploys Caminho and DCRAT | ThreatLabz Technical Analysis of the BlackForce Phishing Kit | ThreatLabz React2Shell RCE Vulnerability (CVE-2025-55182) | ThreatLabz Shai-Hulud V2 Poses Risk to NPM Supply Chain | ThreatLabz Technical Analysis of Matanbuchus 3.0 | ThreatLabz In-Depth Analysis: Water Gamayun APT Multi-Stage Attack Uncovered CVE-2025-50165: Windows Graphics Component Flaw | ThreatLabz Mobile, IoT, and OT Risks Converge in the Public Sector | Zscaler Industry Attacks Surge, Mobile Malware Spreads: The ThreatLabz 2025 Mobile, IoT & OT Report | Zscaler Zscaler Discovers Vulnerability in Keras Models Allowing Arbitrary File Access and SSRF (CVE-2025-12058) | Zscaler F5 Security Incident Advisory | Zscaler Under the Radar: How Non-Web Protocols Are Redefining the Attack Surface | Zscaler SEO Poisoning Targets Ivanti VPN: Credential Theft Alert Cisco Firewall and VPN Zero Day Attacks | ThreatLabz COLDRIVER Adds BAITSWITCH and SIMPLEFIX | ThreatLabz YiBackdoor: Linked to IcedID and Latrodectus | ThreatLabz Technical Analysis of Zloader Updates | ThreatLabz Mitigating Risks from the Shai-Hulud NPM Worm | ThreatLabz Malicious PyPI Packages Deliver SilentSync RAT | ThreatLabz Technical Analysis of SmokeLoader Version 2025 | ThreatLabz Technical Analysis of kkRAT | ThreatLabz APT37: Rust Backdoor & Python Loader | ThreatLabz Anatsa’s Latest Updates | ThreatLabz Termncolor and Colorinal Explained | ThreatLabz GenAI Used to Impersonate Brazil’s Govt Websites | ThreatLabz Tracking Updates to Raspberry Robin | ThreatLabz Ransomware Surges, Extortion Escalates: ThreatLabz 2025 Ransomware Report | Zscaler China-nexus APT Targets the Tibetan Community | ThreatLabz CVE-2025-53770 | ThreatLabz Black Hat SEO Poisoning Search Engine Results For AI | ThreatLabz
Operation Neusploit: APT28 Uses CVE-2026-21509 | ThreatLabz
Sudeep Singh · 2026-02-02 · via Security Research | Blog

Technical Analysis

In the following sections, ThreatLabz discusses the technical details of Operation Neusploit, including how the backdoors and stealers function and how they were deployed. We observed two variants of the attack chain. Both variants begin with a specially crafted RTF file that weaponizes CVE-2026-21509 and, after successful exploitation, downloads a malicious dropper DLL from the threat actor’s server. There are two variants of this dropper DLL that deploy different components. We will discuss both the variants in the following sections.

Dropper Variant 1

The first dropper variant DLL is responsible for deploying a malicious Microsoft Outlook Visual Basic for Applications (VBA) project named MiniDoor. MiniDoor’s primary goal is to steal the user’s emails and forward them to the threat actor.

MiniDoor dropper DLL analysis

MiniDoor is a lightweight 64-bit DLL written in C++. The malicious functionality is implemented in the exported function: UIClassRegister. The DLL does not use code obfuscation and includes two variants of string decryption:

  • Strings decrypted using a hardcoded 1-byte XOR key (0x3a).
  • Encrypted strings prefixed with a 1-byte XOR key, which is then used to decrypt the strings.

Below are the key functionalities of this DLL.

  • Creates a mutex with the static name adjgfenkbe.
  • A 58-byte XOR key is first decrypted using a single-byte XOR key (0x3a). The decrypted string, savntjkengkvnvblhfbegjbtnhkwrenvbjjnkhejhkwenrjvbejbrbrncbis, is then used as a rolling XOR key to decrypt the Outlook VBA project stored (encrypted) inside the .rdata section of the DLL.
  • Creates the directory structure %appdata%\Microsoft\Outlook\ recursively if it does not already exist.
  • Writes the decrypted VBA project (MiniDoor) to %appdata%\Microsoft\Outlook\VbaProject.OTM.
  • Sets the relevant Windows registry keys to downgrade Outlook security and allow the malicious project to load automatically each time Microsoft Outlook launches.

The table below shows the registry keys set by the dropper.

Subkey

Value Name

Value

Description

HKCU\Software\Microsoft\Office\16.0\Outlook\Security

Level

1

Enables all macros in Microsoft Outlook.

Software\Microsoft\Office\16.0\Outlook\Options\General

PONT_STRING

0x20

Disables the "Content Download Warning" dialog box.

Software\Microsoft\Office\16.0\Outlook

LoadMacroProviderOnBoot

1

Ensures macro provider loads when the Microsoft Outlook application starts.

Table 1: The registry keys set by the MiniDoor DLL dropper to steal email from Microsoft Outlook.

MiniDoor analysis

ThreatLabz named this VBA-based malware MiniDoor, as it appears to be a minimal version of NotDoor reported by Lab52. Similar to NotDoorMiniDoor collects emails from the infected machine, but does not support the email-based commands implemented in NotDoor. Below are key functionalities of the Outlook VBA.

  • Monitors the MAPILogonComplete event which occurs after the Outlook user has logged on. Once triggered, the macro sleeps for 6 seconds before iterating through four folders in the user’s mailbox..
  • Two pre-configured email addresses are hardcoded in the VBA macro by the threat actor:
  • The SearchNewMessageAndHandle method searches the following folders for existing emails.
    • Inbox
    • RssFeeds
    • Junk
    • Drafts
  • The stealing functionality is implemented in the ForwardEmail method, which iterates over each folder’s contents and, for each message that was not already forwarded:
    • Saves a local copy to %TEMP%\temp_email.msg.
    • Drafts a new email, attaches temp_email.msg, and sends the email to both configured recipient addresses.
  • Sets the DeleteAfterSubmit property of the mailItem to true to ensure that no copy of the message is saved in the Sent folder after it is forwarded to the threat actor.
  • For each Outlook message that is forwarded, the macro sets the AlreadyForwarded property to Yes to prevent the same message from being forwarded twice.
  • Handles the Application_NewMailEx event (triggered when new emails are received) by forwarding the received email to the above-mentioned email addresses.

The complete MiniDoor macro code is available in the ThreatLabz GitHub repository.

Dropper Variant 2

In the second dropper variant, the infection chain is more complex and involves multiple stages. Similar to the first dropper variant, after successful exploitation of CVE-2026-21509, the attack chain downloads a tool that ThreatLabz named PixyNetLoader, which drops malicious components on the endpoint and sets up the Windows environment to start the infection chain.

PixyNetLoader analysis

The dropper DLL used in variant 2 of the attack chain is new and previously undocumented.

PixyNetLoader’s string decryption mechanism is similar to the MiniDoor dropper DLL. Below are the key functionalities.

  • Creates a mutex with the name asagdugughi41.
  • Checks for the presence of EhStoreShell.dll at %programdata%\USOPublic\Data\User\EhStoreShell.dll.
  • If EhStoreShell.dll is not found at location above, then the main dropper logic is invoked.
  • All the embedded payloads are encrypted using a 0x47 byte long rolling XOR key: shfioehh243t3dcwechortjbo6k7pjl8lop7ku45ht3u4grywefdyehriobjojko5k65iyh. They are decrypted and dropped to the file system locations in the table below:

Location

Size (in bytes)

%programdata%\Microsoft OneDrive\setup\Cache\SplashScreen.png

0x39649

%programdata%\USOPublic\Data\User\EhStoreShell.dll

0x36200

%temp%\Diagnostics\office.xml

0xDE4

Table 2: Decrypted embedded payloads, including their file system drop locations and corresponding sizes.

  • Uses COM object hijacking to establish persistence. EhStorShell.dll is the legitimate name for the Enhanced Storage Shell Extension DLL. By setting the Windows registry keys listed in the table below, PixyNetLoader ensures that the next-stage malicious shellcode loader DLL is loaded each time the explorer.exe process starts.

subKey

ValueName

Value

Software\Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InProcServer32

Null

%programdata%\USOPublic\Data\User\EhStoreShell.dll

Software\Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InProcServer32

ThreadingModel

Apartment

Table 3: Windows registry keys set by PixyNetLoader to ensure persistence.

  • Executes the following command using the CreateProcess Windows API to set up a Windows scheduled task. This command leverages the previously dropped office.xml file to configure the scheduled task as shown below.
schtasks.exe /Create /tn "OneDriveHealth" /XML "%temp%\Diagnostics\office.xml"

The Windows scheduled task is named OneDriveHealth and configured to launch the command below exactly one minute after the task is registered. The OneDriveHealth scheduled task launches the following command:

    
     %windir%\system32\cmd.exe
     /c (taskkill /f /IM explorer.exe >nul 2>&1) & (start explorer >nul 2>&1) & (schtasks /delete /f /tn OneDriveHealth)
   

The complete office.xml Windows scheduled task configuration file is available in the ThreatLabz GitHub repository.

Shellcode loader analysis

The dropped DLL EhStoreShell.dll is loaded in the explorer.exe process. Its key functionality is to extract shellcode embedded using steganography in the file named SplashScreen.png (that was previously dropped) and execute it.

The string decryption in the EhStoreShell.dll is similar to the MiniDoor dropper DLL. In addition, all the API names are resolved at runtime using the DJB2 API hashing algorithm.

Below are the key functionalities:

  • Loads the legitimate version of EhStorShell.dll.
  • Resolves addresses for the following exports from the legitimate DLL:
    • DllCanUnloadNow
    • DllGetClassObject
    • DllRegisterServer
    • DllUnregisterServer
  • Overwrites the export addresses in the malicious EhStoreShell.dll with the API addresses above to proxy the execution to the legitimate version of EhStorShell.dll. This is done to preserve the functionality of the COM service.

Conditional execution of malicious functionality

The EhStoreShell.dll executes its malicious logic only when both of the following conditions are met:

  • Checks the host process that loaded the DLL. The malicious functionality is invoked only when the host process is explorer.exe. If the host process is not explorer.exe, then the code remains dormant.
  • Checks whether the Sleep() API is short circuited (a common implementation used by several sandboxes) to detect the analysis environment. This check is implemented as shown below.
    • Calculates current timestamp by calling std::chrono::steady_clock::now().
    • Calls Sleep() to delay execution by 3 seconds.
    • Calculates current timestamp again by calling std::chrono::steady_clock::now().
    • If the difference between the current timestamp and the previous timestamp is greater than 2.9 seconds, only then it continues with the malicious activity. If the difference is less than 2.9 seconds, then the code assumes that the Sleep() API call has been tampered with.

PNG steganography and shellcode loader

Once all the checks pass, EhStoreShell.dll creates a new thread using beginthreadex. The thread start function performs the following actions:

  • Decrypts the PNG path, %programdata%\Microsoft OneDrive\setup\Cache\SplashScreen.png, then expands environment variables to obtain the full file path.
  • Uses steganography to extract the malicious shellcode from the PNG file.
    • Each pixel of the PNG image is represented by 4 bytes (1 byte per channel) for the red, green, blue, and alpha channels.
    • The Least Significant Bit (LSB) of each byte represents an encoded data bit, hence each byte of encoded data is stored within 8 bytes of image data (or 2 pixels)
    • The first 4 bytes of encoded data represents the payload size in little endian byte order and is followed by the cleartext payload itself.
  • Creates a mutex named dvyubgbqfusdv32.

The complete code to extract the shellcode from the PNG file is available in the ThreatLabz GitHub repository.

The shellcode is executed by the EhStoreShell.dll via the following actions:

  • Allocates executable memory using the native Windows API NtAllocateVirtualMemory.
  • Copies the extracted shellcode into the newly allocated memory region.
  • Transfers execution to the shellcode.

Shellcode analysis

The main purpose of this 64-bit shellcode is to load a .NET assembly embedded inside it. In order to load a managed assembly from native code, the shellcode uses the CLR hosting technique. Below are the key steps used to achieve managed code execution in-memory from unmanaged code.

  • Loads the mscoree.dll and oleaut32.dll libraries.
  • Initializes the .NET runtime by calling CLRCreateInstance (exported by mscoree.dll).
  • Requests the ICLRMetaHost interface, selects the .NET version v4.0.30319, and initializes ICorRuntimeHost interface.
  • Retrieves the application domain by calling ICorRuntimeHost::GetDefaultDomain, then queries this object to obtain the _AppDomain interface.
  • Uses SafeArrayCreate and SafeArrayAccessData methods to copy 0xfc00 bytes of the embedded .NET assembly into the array.
  • Calls _AppDomain::Load_3 to load the .NET assembly passed via SafeArray, enabling in-memory execution of the .NET assembly.
  • Retrieves the entrypoint of the .NET assembly and invokes it using MethodInfo::Invoke_3.

Covenant Grunt analysis

The embedded .NET assembly is a Grunt implant associated with the open source .NET Covenant C2 framework. In this sample, the implant uses the Filen API as a C2Bridge to communicate and receive tasks from the threat actor. This abuse of legitimate APIs was previously observed in other Covenant Grunt implants linked to APT28 by ThreatLabz and other researchers. 

Strings in this sample are XOR-encoded with the hardcoded string EIZ4EG2K8R and then Base64-encoded. These include the domains for querying the Filen API, the Authorization Bearer Token, and Filen parent folder UUID (fe644d8c-2601-46ea-bf7d-3db110aa08d4).