A highly deceptive malware campaign is actively targeting industrial suppliers and procurement teams by disguising itself as a legitimate Request for Quotation (RFQ) from Boeing. Tracked as NKFZ5966PURCHASE, this operation uses social engineering combined with a multi-stage attack chain to infiltrate systems and deploy advanced post-exploitation tools.
The attack begins with an email impersonating a Boeing representative named “Joyce Malave.” At first glance, the message appears routine, asking recipients to provide pricing for bulk orders. However, once the victim opens the attached Word document, the infection chain starts silently in the background.
Security researcher JAMESWT first identified the campaign on March 30, 2026. Shortly afterward, multiple samples surfaced on MalwareBazaar, confirming that the campaign was rapidly expanding. Analysts from Breakglass Intelligence later mapped the full six-stage attack process.
Unlike typical malware, this campaign relies on a layered execution chain involving DOCX, RTF, JavaScript, PowerShell, Python, and finally a memory-resident payload. As a result, attackers avoid leaving obvious traces on disk, making detection significantly more difficult.
Initially, the DOCX file triggers a hidden RTF file through an aFChunk reference, a technique that abuses how Microsoft Word imports embedded content of other formats. Subsequently, the RTF file contains obfuscated JavaScript, which launches PowerShell through Windows Management Instrumentation (WMI) in a hidden window.
From there, the PowerShell script disables TLS certificate validation and bypasses Windows security mechanisms such as AMSI. It then downloads a disguised ZIP file from Filemail.com, a legitimate file-sharing service, further helping the attack blend into normal network traffic.
Inside the ZIP file, attackers include a full Python 3.12 runtime. This environment executes a heavily obfuscated script that unwraps multiple layers of encoding and obfuscation, including Base64, zlib compression, ROT13, and XOR. Eventually, the script decrypts a file named license.pdf, which is actually an AES-256 encrypted DLL.
Once decrypted, the malware loads the DLL directly into memory using reflective loading techniques. Consequently, the attacker gains full control over the compromised system through Cobalt Strike, enabling data theft, lateral movement, and further network compromise.
Moreover, the malware establishes persistence by creating a registry Run key named “RtkAudUService,” mimicking a legitimate Realtek service. It uses a Microsoft-signed VBScript to ensure the payload executes after every reboot.
Notably, the campaign also targets organizations beyond its primary scope, including entities in Italy. By leveraging trusted tools like Microsoft Word, PowerShell, and signed binaries, attackers effectively bypass traditional endpoint security defenses.
Security Recommendations
To mitigate risks, organizations should monitor registry keys such as HKCU Run entries for suspicious values like “RtkAudUService.” Additionally, blocking Filemail.com URLs and detecting DOCX files with embedded aFChunk references can help identify potential threats early.
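The DOCX check above can be automated. The following is an added example, not code from the article or from the researchers it cites: it opens a DOCX as the ZIP package it is, lists every `w:altChunk` element in the main document part together with every relationship of the `aFChunk` type, resolves the referenced part and reports whether that part starts with the RTF magic `{\rt` regardless of its file extension. The sample document it builds is constructed in memory for the demonstration; the part name `media/image1.dat` and the relationship id `rId9` are arbitrary.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PR_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
AFCHUNK_TYPE = R_NS + "/aFChunk"  # relationship type Word uses for altChunk parts


def find_afchunk_parts(docx_bytes):
    """Return [(rId, target, looks_like_rtf)] for every aFChunk relationship or
    w:altChunk reference found in the main document part of a DOCX."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "word/document.xml" not in names:
            return []  # not a Word package
        root = ET.fromstring(z.read("word/document.xml"))
        ids = {el.get(f"{{{R_NS}}}id") for el in root.iter(f"{{{W_NS}}}altChunk")}
        rels = {}
        if "word/_rels/document.xml.rels" in names:
            rel_root = ET.fromstring(z.read("word/_rels/document.xml.rels"))
            for rel in rel_root.iter(f"{{{PR_NS}}}Relationship"):
                rels[rel.get("Id")] = rel.get("Target")
                if rel.get("Type") == AFCHUNK_TYPE:
                    ids.add(rel.get("Id"))  # flag the relationship even without a body element
        findings = []
        for rid in sorted(i for i in ids if i):
            target = rels.get(rid)
            part = (target or "").lstrip("/")
            if target and not target.startswith("/"):
                part = "word/" + part  # relative targets resolve against word/
            head = z.read(part)[:5] if part in names else b""
            findings.append((rid, target, head.startswith(b"{\\rt")))  # RTF magic, any extension
        return findings


def build_sample_docx(with_afchunk):
    """Constructed minimal DOCX (sample input for the demo, not a real campaign file)."""
    body = '<w:altChunk r:id="rId9"/>' if with_afchunk else "<w:p/>"
    doc = f'<w:document xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:body>{body}</w:body></w:document>'
    rel = f'<Relationship Id="rId9" Type="{AFCHUNK_TYPE}" Target="media/image1.dat"/>' if with_afchunk else ""
    rels = f'<Relationships xmlns="{PR_NS}">{rel}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
        z.writestr("word/_rels/document.xml.rels", rels)
        if with_afchunk:
            z.writestr("word/media/image1.dat", "{\\rtf1 constructed decoy}")  # RTF under a benign name
    return buf.getvalue()


if __name__ == "__main__":
    print(find_afchunk_parts(build_sample_docx(True)))   # [('rId9', 'media/image1.dat', True)]
    print(find_afchunk_parts(build_sample_docx(False)))  # []
```

Any non-empty result is worth quarantining for analysis, since a benign business document rarely imports alternate-format chunks; a flagged part whose bytes start with `{\rt` under a non-RTF name is a strong signal of the staging described above.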
Overall, this campaign demonstrates how cybercriminals continue to refine stealth techniques, using legitimate tools and multi-layered obfuscation to execute highly effective attacks.