SecPod

ALERT: HAWKBALL Backdoor exploiting Microsoft Office Vulnerabilities

Jun 23, 2019 · By Shakeel Bhat · 2 min read

A campaign targeting government organizations in Central Asia was discovered delivering a backdoor named HAWKBALL. The backdoor collects information from the victim's system and can also deliver additional payloads. It offers an attacker a range of malicious capabilities, including surveying the host, executing native Windows commands, terminating processes, creating and deleting files, uploading files, searching for files, and enumerating drives. A vulnerability management tool, however, can stop this.

HAWKBALL Exploit

The campaign uses the well-known Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802 to infect its targets with the malware. Once a target is infected, the main payload's shellcode is dropped, decrypted, and executed on the victim system; a patch management solution can prevent the infection in the first place. The payload also includes an encrypted configuration file that defines the C2 IP address to communicate with. After establishing the connection with the C2 server, HAWKBALL's actions are defined by the commands received from that server.

Various commands supported by HAWKBALL are listed in the image below.

[Image: table of HAWKBALL commands; image credit: fireeye.com]

HAWKBALL also includes anti-debugging techniques such as:

  • Querying the value of the BeingDebugged flag in the PEB to check whether the process is being debugged.
  • Using the NtQueryInformationProcess API to detect whether the process is being debugged.
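As an added illustration from the analyst's side, not code from this post or from FireEye's report, the following Python triage script scans a byte buffer for the two anti-debugging indicators listed above: the instruction idiom that loads the PEB base so the BeingDebugged byte can be read, and the name of a debugger-detection API such as NtQueryInformationProcess. The sample buffer is constructed for the example and is not a HAWKBALL payload; the byte patterns are the common compiler encodings and are an assumption of this example, so hits are triage leads rather than proof.

```python
"""Static triage for the anti-debugging tricks attributed to HAWKBALL.

Added example, not code from the SecPod post or FireEye's report.  It scans a
raw byte buffer for (a) the instruction idiom that loads the PEB base so the
BeingDebugged byte at PEB+0x02 can be read, and (b) strings naming debugger-
detection APIs such as NtQueryInformationProcess.  The byte patterns are the
usual compiler encodings and are an assumption of this example.
"""
import re

# PEB base fetch:
#   32-bit  mov eax, fs:[0x30]  -> 64 A1 30 00 00 00
#   64-bit  mov rax, gs:[0x60]  -> 65 48 8B 04 25 60 00 00 00
PEB_FETCH_PATTERNS = {
    "x86 mov eax, fs:[0x30]": b"\x64\xa1\x30\x00\x00\x00",
    "x64 mov rax, gs:[0x60]": b"\x65\x48\x8b\x04\x25\x60\x00\x00\x00",
}
# Read of PEB->BeingDebugged: movzx eax, byte ptr [eax+2] / [rax+2] -> 0F B6 40 02
BEING_DEBUGGED_READ = b"\x0f\xb6\x40\x02"
# Number of bytes after the PEB fetch in which that read is expected.
READ_WINDOW = 16

# NtQueryInformationProcess is the API named in the report (the report does not
# state the information class; ProcessDebugPort, class 7, is the usual one).
# IsDebuggerPresent is the documented kernel32 wrapper that reads the same flag.
DEBUG_API_NAMES = (b"NtQueryInformationProcess", b"IsDebuggerPresent")


def scan_anti_debug(data: bytes) -> list:
    """Return findings as dicts with kind/detail/offset, sorted by offset."""
    findings = []
    for label, pattern in PEB_FETCH_PATTERNS.items():
        for m in re.finditer(re.escape(pattern), data):
            window = data[m.end(): m.end() + READ_WINDOW]
            findings.append({
                "kind": "peb_fetch",
                "detail": label,
                "offset": m.start(),
                # A bare PEB fetch is also used for benign purposes (e.g. walking
                # loaded modules); only the nearby BeingDebugged read is telling.
                "reads_being_debugged": BEING_DEBUGGED_READ in window,
            })
    for name in DEBUG_API_NAMES:
        for m in re.finditer(re.escape(name), data):
            findings.append({"kind": "api_name", "detail": name.decode(), "offset": m.start()})
    return sorted(findings, key=lambda f: f["offset"])


def triage(data: bytes) -> dict:
    """Summarise: 'suspicious' needs a BeingDebugged read or a debugger-detection API name."""
    findings = scan_anti_debug(data)
    suspicious = any(
        f["kind"] == "api_name" or (f["kind"] == "peb_fetch" and f["reads_being_debugged"])
        for f in findings
    )
    return {"suspicious": suspicious, "findings": findings}


# Constructed sample buffer (NOT a HAWKBALL payload): a stub header, the x86
# BeingDebugged check, then import-table-style strings.
SAMPLE = (
    b"MZ" + b"\x00" * 30
    + b"\x64\xa1\x30\x00\x00\x00"      # mov eax, fs:[0x30]          (offset 32)
    + b"\x0f\xb6\x40\x02"              # movzx eax, byte ptr [eax+2]
    + b"\x85\xc0\x75\x10"              # test eax, eax ; jnz short
    + b"\x00" * 16
    + b"ntdll.dll\x00NtQueryInformationProcess\x00"   # API name at offset 72
)

if __name__ == "__main__":
    report = triage(SAMPLE)
    print("suspicious:", report["suspicious"])
    for f in report["findings"]:
        tag = " (reads BeingDebugged)" if f.get("reads_being_debugged") else ""
        print(f"  0x{f['offset']:04x} {f['kind']:9s} {f['detail']}{tag}")
```

The script deliberately separates a PEB fetch from the BeingDebugged read that follows it: the fetch alone appears in plenty of benign code, so only the pair (or an explicit API name) raises the verdict.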

Microsoft Spam Campaign Warning:

Also, on 7th June 2019, Microsoft issued a warning about an active malware campaign using emails in European languages. The emails contain RTF files that carry the CVE-2017-11882 exploit, which allows attackers to run malicious code automatically without user interaction.

The warning was provided via a tweet that reads as follows:

The vulnerability can be exploited simply by enticing users to open the attached document. When the attachment is opened, it executes multiple scripts of different types (VBScript, PowerShell, PHP, others) to download the payload. Microsoft added that the final payload executable is a backdoor waiting to connect to its C2 server.
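As an added, defender-side example (not code from this post or from Microsoft's warning), the Python script below looks inside an RTF for embedded OLE objects that declare or carry the Equation Editor component (ProgID Equation.3, CLSID 0002CE02-0000-0000-C000-000000000046), which the CVE-2017-11882 RTF lures described above rely on. It reassembles the `\objdata` hex even when it is line-wrapped or interleaved with control words, so the decoded stream can be checked as well as the declared `\objclass`. The sample RTF, its OLE 1.0 object headers and all helper names are constructed for this example.

```python
"""Flag RTF attachments that embed an Equation Editor OLE object.

Added example, not code from the SecPod post or Microsoft's warning.  Each
{\\object ...} group is inspected: the declared \\objclass and the decoded
\\objdata stream are checked for the Equation Editor ProgID or CLSID.  The
sample RTF and the OLE 1.0 header layout used to build it are constructed.
"""
import binascii
import re

# {0002CE02-0000-0000-C000-000000000046} in on-disk (little-endian) byte order
EQNEDT_CLSID_LE = bytes.fromhex("02CE020000000000C000000000000046")
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^\\{}\s]+)")


def rtf_group_body(data: bytes, start: int) -> bytes:
    """Bytes from `start` up to the '}' closing the current RTF group (nesting-aware)."""
    depth, i = 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":           # skip escaped characters such as \{ and \}
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            if depth == 0:
                return data[start:i]
            depth -= 1
        i += 1
    return data[start:]


def decode_objdata(chunk: bytes) -> bytes:
    """Rebuild the OLE stream from \\objdata: drop control words, keep hex digits only.
    Line wrapping inside the hex is normal RTF, so whitespace is ignored."""
    chunk = re.sub(rb"\\[a-zA-Z]+-?\d* ?|\\.", b"", chunk)
    hexdigits = re.sub(rb"[^0-9A-Fa-f]", b"", chunk)
    if len(hexdigits) % 2:            # tolerate a dangling nibble
        hexdigits = hexdigits[:-1]
    return binascii.unhexlify(hexdigits)


def scan_rtf(data: bytes) -> dict:
    """Return per-object indicators and an overall Equation Editor flag."""
    objects = []
    for m in re.finditer(rb"\{\\object\b", data):
        body = rtf_group_body(data, m.end())
        cls = OBJCLASS_RE.search(body)
        objclass = cls.group(1).decode("latin-1") if cls else None
        od = re.search(rb"\\objdata\b", body)
        stream = decode_objdata(rtf_group_body(body, od.end())) if od else b""
        indicators = []
        if objclass and objclass.lower().startswith("equation"):
            indicators.append("objclass names Equation Editor")
        if b"equation.3" in stream.lower():
            indicators.append("Equation.3 ProgID in OLE stream")
        if EQNEDT_CLSID_LE in stream:
            indicators.append("Equation Editor CLSID in OLE stream")
        objects.append({"offset": m.start(), "objclass": objclass,
                        "stream_bytes": len(stream), "indicators": indicators})
    return {"objects": objects,
            "flag_equation_editor": any(o["indicators"] for o in objects)}


# ---- constructed sample (not a real lure) -----------------------------------
def ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    """Minimal OLE 1.0 embedded-object header: OLEVersion, FormatID=2, ClassName,
    empty TopicName/ItemName, then NativeDataSize + NativeData (assumed layout)."""
    def lp(s: bytes) -> bytes:
        return len(s).to_bytes(4, "little") + s
    return (bytes.fromhex("01050000") + (2).to_bytes(4, "little")
            + lp(class_name + b"\x00") + lp(b"") + lp(b"") + lp(native))


def hex_wrapped(raw: bytes, width: int = 64) -> bytes:
    h = raw.hex().encode()
    return b"\n".join(h[i:i + width] for i in range(0, len(h), width))


SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\n"
    + b"\\pard Please review the attached figures.\\par\n"
    # benign embedded Word object
    + b"{\\object\\objemb{\\*\\objclass Word.Document.8}\\objw400\\objh200\n{\\*\\objdata "
    + hex_wrapped(ole1_embedded(b"Word.Document.8", b"\x00" * 8)) + b"}}\n"
    # Equation Editor object whose native data also carries the component CLSID
    + b"{\\object\\objemb{\\*\\objclass Equation.3}\\objw400\\objh200\n{\\*\\objdata "
    + hex_wrapped(ole1_embedded(b"Equation.3", EQNEDT_CLSID_LE + b"\x00" * 8)) + b"}}\n"
    + b"}"
)

if __name__ == "__main__":
    result = scan_rtf(SAMPLE_RTF)
    for o in result["objects"]:
        print(f"object @ {o['offset']}: objclass={o['objclass']} "
              f"stream={o['stream_bytes']}B indicators={o['indicators'] or 'none'}")
    print("flag_equation_editor:", result["flag_equation_editor"])
```

Checking the decoded stream, not only the declared class, matters because a benign-looking `\objclass` says nothing about what the OLE data actually contains; a mail gateway rule would typically quarantine on any of the three indicators and hand the file to an analyst.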

Affected:

Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, Microsoft Office 2016

Impact:

Successful exploitation of these vulnerabilities could allow an attacker to run arbitrary code in the context of the current user, taking complete control of an affected system.

Solution:
Please refer to this KB article.
