
"Social engineering lures were crafted in both English and localized languages (Romanian, Slovak, and Ukrainian) to target the users in the respective countries," security researchers Sudeep Singh and Roy Tay said. "The threat actor employed server-side evasion techniques, responding with the malicious DLL only when requests originated from the targeted geographic region and included the correct User-Agent HTTP header."
"The first dropper acts as a pathway for serving MiniDoor, a C++-based DLL file that steals a user's emails in various folders (Inbox, Junk, and Drafts) and forwards them to two hard-coded threat actor email addresses: ahmeclaw2002@outlook[.]com and ahmeclaw@proton[.]me. MiniDoor is assessed to be a stripped-down version of NotDoor (aka GONEPOSTAL), which was documented by S2 Grupo LAB52 in September 2025."
Russia-linked UAC-0001 exploited CVE-2026-21509, a Microsoft Office security feature bypass, to deliver malicious RTF files as part of Operation Neusploit. Zscaler ThreatLabz observed exploitation on January 29, 2026, three days after the flaw's public disclosure, against users in Ukraine, Slovakia, and Romania. Social engineering lures were written in English and in localized Romanian, Slovak, and Ukrainian. The threat actor employed server-side evasion: the malicious DLL was served only to requests that came from a targeted geographic region and presented the expected User-Agent header, so requests from elsewhere (including analyst sandboxes) received nothing useful. The attack chain used two droppers: one deploying MiniDoor, a C++ DLL that steals email and forwards it to hard-coded attacker-controlled addresses, and another, PixyNetLoader, that led to a Covenant Grunt implant.
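The server-side gating described above (region check plus User-Agent check before the DLL is returned) is easy to model, and modelling it shows why a sandbox detonation from the wrong network or with a generic client often comes back with a benign response. The block below is an added illustration, not code from the report or from the threat actor's infrastructure. The IP prefixes are constructed from documentation ranges (real gating would use a GeoIP database), and the page does not state which User-Agent string was required, so the "Microsoft Office" substring check is an assumption.

```python
import ipaddress
from dataclasses import dataclass

# Constructed prefixes standing in for the targeted countries (assumption; a
# real server would consult a GeoIP database rather than a hand-written map).
TARGET_REGIONS = {
    "UA": [ipaddress.ip_network("203.0.113.0/24")],
    "SK": [ipaddress.ip_network("198.51.100.0/25")],
    "RO": [ipaddress.ip_network("198.51.100.128/25")],
}

# Assumed marker for the "correct" User-Agent; the report does not give the
# exact string, so this is illustrative only.
EXPECTED_UA_SUBSTRING = "Microsoft Office"

BENIGN_RESPONSE = b"<html><body>404 Not Found</body></html>"
# Constructed placeholder standing in for the malicious DLL (MZ header only).
MALICIOUS_DLL = b"MZ" + b"\x00" * 62


def region_of(client_ip: str):
    """Return the targeted region code for an IP, or None if it is elsewhere."""
    addr = ipaddress.ip_address(client_ip)
    for region, nets in TARGET_REGIONS.items():
        if any(addr in net for net in nets):
            return region
    return None


@dataclass
class Decision:
    serve_payload: bool
    reason: str


def gate(client_ip: str, user_agent: str) -> Decision:
    """Server-side evasion: both conditions must hold before the DLL is served."""
    region = region_of(client_ip)
    if region is None:
        return Decision(False, "source address outside targeted regions")
    if EXPECTED_UA_SUBSTRING not in user_agent:
        return Decision(False, "User-Agent does not match expected client")
    return Decision(True, f"targeted region {region} with expected User-Agent")


def handle_request(client_ip: str, user_agent: str) -> bytes:
    """What the staging server hands back for a given request."""
    return MALICIOUS_DLL if gate(client_ip, user_agent).serve_payload else BENIGN_RESPONSE


def replay_requirements(client_ip: str, user_agent: str) -> list:
    """Tell an analyst what their replay attempt is missing to reach the payload."""
    missing = []
    if region_of(client_ip) is None:
        missing.append("egress from a targeted region (e.g. via a proxy there)")
    if EXPECTED_UA_SUBSTRING not in user_agent:
        missing.append("User-Agent matching the expected client")
    return missing


if __name__ == "__main__":
    # Constructed probes: a victim-like request versus a typical sandbox/analyst fetch.
    probes = [
        ("203.0.113.10", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Microsoft Office 16.0)"),
        ("203.0.113.10", "curl/8.4.0"),
        ("192.0.2.5", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Microsoft Office 16.0)"),
    ]
    for ip, ua in probes:
        d = gate(ip, ua)
        print(f"{ip:14} {ua[:40]:40} -> payload={d.serve_payload} ({d.reason})")
        if not d.serve_payload:
            print("   to replay, fix:", "; ".join(replay_requirements(ip, ua)))
```

The practical consequence for responders is that a URL from the lure cannot be judged safe because a detonation returned a 404: the fetch has to be replayed from the victim's region with the victim client's headers, or taken from a proxy capture on the affected host.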
Read at The Hacker News