• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 

Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

 | 

MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

 | 

U.S. CISA urges to immediately patch Microsoft SharePoint flaw adding it to its Known Exploited Vulnerabilities catalog

 | 

Microsoft issues emergency patches for SharePoint zero-days exploited in "ToolShell" attacks

 | 

SharePoint zero-day CVE-2025-53770 actively exploited in the wild

 | 

Singapore warns China-linked group UNC3886 targets its critical infrastructure

 | 

U.S. CISA adds Fortinet FortiWeb flaw to its Known Exploited Vulnerabilities catalog

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 54

 | 

Security Affairs newsletter Round 533 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Radiology Associates of Richmond data breach impacts 1.4 million people

 | 

Fortinet FortiWeb flaw CVE-2025-25257 exploited hours after PoC release

 | 

Authorities released free decryptor for Phobos and 8base ransomware

 | 

Anne Arundel Dermatology data breach impacts 1.9 million people

 | 

LameHug: first AI-Powered malware linked to Russia’s APT28

 | 

5 Features Every AI-Powered SOC Platform Needs in 2025

 | 

Broadcom patches critical VMware flaws exploited at Pwn2Own Berlin 2025

 | 

Stormous Ransomware gang targets North Country HealthCare, claims 600K patient data stolen

 | 

United Natural Foods Expects $400M revenue impact from June cyber attack

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • APT
  • Breaking News
  • Cyber warfare
  • Hacking
  • Malware
  • Iranian threat actors exploit MS MSHTML bug to steal Google and Instagram credentials

Iranian threat actors exploit MS MSHTML bug to steal Google and Instagram credentials

Pierluigi Paganini November 25, 2021

An Iranian threat actor is stealing Google and Instagram credentials of Farsi-speaking targets by exploiting a Microsoft MSHTML bug.

Researchers from SafeBreach Labs spotted a new Iranian threat actor that is using an exploit for a Microsoft MSHTML Remote Code Execution (RCE) flaw in attacks aimed at Farsi-speaking victims. The exploit is used to install a PowerShell stealer, tracked by the researchers as PowerShortShell, that steals Google and Instagram credentials of the victims.

The campaign was first spotted in mid-September 2021 by ShadowChasing.

hi threat
why did you use it 😀
ITW:858404225565c80972ba66d2c612e49f
filename:جنایات خامنه ای.docx
URL:
hxxp://hr.dedyn.io/word.html
hxxp://hr.dedyn.io/word.cab
hxxp://hr.dedyn.io/1.ps1
hxxp://hr.dedyn.io/upload.aspx?fn=
hxxp://hr.dedyn.io/upload2.aspx pic.twitter.com/fHsgAshCNc

— Shadow Chaser Group (@ShadowChasing1) September 15, 2021

The PowerShortShell stealer is also used for Telegram surveillance and gathering system information from infected systems.

“SafeBreach Labs analyzed the full attack chain, discovered new phishing attacks which started in July this year and achieved the last and most interesting piece of the puzzle – the PowerShell Stealer code – which we named PowerShortShell.” reads the analysis published by SafeBreach Labs. “The reason we chose this name is due to the fact that the stealer is a PowerShell script, short with powerful collection capabilities – in only ~150 lines, it provides the adversary a lot of critical information including screen captures, telegram files, document collection, and extensive data about the victim’s environment.”

The campaign targets Windows users, the attack chain starts with spear-phishing emails using malicious Winword attachments that exploit a Microsoft MSHTML remote code execution (RCE) flaw tracked as CVE-2021-40444.

Most of the victims are located in the United States, threat actors use the “Corona massacre” lure, a circumstance that confirmed the attackers are targeting Iranians who live abroad. Upon opening the document a DLL is dropped on the target system, then it is used to execute the PowerShortShell stealer payload.

The PowerShortShell collects data and exfiltrates it to a C2 server under the control of the attacker.

“The adversary might be tied to Iran’s Islamic regime since the Telegram surveillance usage is typical of Iran’s threat actors like Infy, Ferocious Kitten, and Rampant Kitten. Surprisingly, the usage of exploits for the infection is quite unique to Iranian threat actors which in most cases heavily rely on social engineering tricks.” continues the experts.

In mid-September, Microsoft reported that multiple threat actors, including ransomware operators, were exploiting the recently patched Windows MSHTML remote code execution security flaw (CVE-2021-40444) in attacks against organizations. The IT giant said that threat actors started targeting this issue on August 18, before Microsoft shared mitigation for this vulnerability, the attackers used weaponized Office documents. The campaigns observed August 2021 likely employed emails impersonating contracts and legal agreements, the messages used documents that were hosted on file-sharing sites. 

“In August, Microsoft Threat Intelligence Center (MSTIC) identified a small number of attacks (less than 10) that attempted to exploit a remote code execution vulnerability in MSHTML using specially crafted Microsoft Office documents. These attacks used the vulnerability, tracked as CVE-2021-40444, as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders.” reads the post published by Microsoft. “These loaders communicated with an infrastructure that Microsoft associates with multiple cybercriminal campaigns, including human-operated ransomware.”

Experts noticed that loaders employed in the attacks connected with the C2 infrastructure connected with several cybercrime campaigns, including ransomware operators.

cve-2021-40444 attacks

MSTIC researchers tracked a large cluster of malicious activity involving Cobalt Strike infrastructure under the name DEV-0365, which has many similarities with another Cobalt Strike infrastructure that suggests it was managed by a third-party threat actor. 

Experts pointed out that the availability of information about the CVE-2021-40444 issue shared online allowed threat actors to create their own exploit

The report published by SafeBreach also includes indicators of compromise for the attacks orchestrated by the Iranian threat actors.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, MSHTML)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

CVE-2021-40444 Cybercrime Hacking hacking news information security news IT Information Security malware MSHTML Pierluigi Paganini Security Affairs Security News

you might also like

Pierluigi Paganini July 22, 2025
SharePoint under fire: new ToolShell attacks target enterprises
Read more
Pierluigi Paganini July 22, 2025
CrushFTP zero-day actively exploited at least since July 18
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    SharePoint under fire: new ToolShell attacks target enterprises

    Hacking / July 22, 2025

    CrushFTP zero-day actively exploited at least since July 18

    Hacking / July 22, 2025

    Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

    Security / July 22, 2025

    MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

    APT / July 21, 2025

    U.S. CISA urges to immediately patch Microsoft SharePoint flaw adding it to its Known Exploited Vulnerabilities catalog

    Hacking / July 21, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT