A sophisticated malware campaign is leveraging a convincing Boeing Request for Quotation (RFQ) to trick industrial suppliers and procurement teams into downloading malicious files. The attack, dubbed NKFZ5966PURCHASE, impersonates legitimate Boeing communications, leading victims to open a compromised Word document that initiates a covert, six-stage kill chain. This stealthy operation culminates in the in-memory deployment of Cobalt Strike, a powerful post-exploitation tool, leaving minimal detectable traces on the victim’s system. This innovative use of common file formats and legitimate tools presents a significant challenge for current cybersecurity defenses.
The campaign came to light on March 30, 2026, when cybersecurity researcher @JAMESWT_WT shared details of a suspicious DOCX file on the social media platform X. Further analysis by security communities quickly identified additional samples associated with the same campaign, with multiple variants of the lure document appearing within days. Analysts at BreakglassIntelligence have meticulously traced the entire attack sequence, detailing how threat actors exploit vulnerable systems through a series of file types, including DOCX, RTF, JavaScript, PowerShell, and even a complete Python runtime, before achieving their objective.
Inside the Stealthy Boeing RFQ Malware Campaign
The social engineering aspect of this attack is highly effective. Threat actors are sending emails that appear to originate from entities like “Joyce Malave from BOEING” or “Global Services, LLC.” These messages focus on enticing procurement and sales personnel by presenting an urgent need for quotations on high-volume orders. The emails contain malicious attachments disguised as legitimate business documents, such as “Rfq and Payment Schedule.docx,” “Product_specifications.docx,” and “RFQ_PO_ATR29026II.docx.” Despite differing filenames, all these lure documents share identical internal metadata, encryption keys, and the same underlying attack framework. Investigators noted that the base document template was created in April 2021 and weaponized in January 2026, with its original author metadata preserved, indicating a long-term planning and execution strategy.
The impact of a successful compromise is substantial. Once Cobalt Strike is active in the victim’s memory, attackers gain comprehensive control over the affected machine. This level of access allows for extensive data exfiltration, facilitates the lateral movement of the malware across the network, and enables further malicious activities, potentially leading to a complete network compromise. The campaign has shown a particular interest in targeting organizations within Italy, identifying them as secondary targets. The consistent utilization of legitimate, often Microsoft-signed tools, such as Word, PowerShell, and a signed Python binary, masks the malicious activity, making detection by traditional endpoint security solutions exceedingly difficult.
The Six-Stage Kill Chain Unveiled
The attack chain is initiated the moment an unsuspecting victim opens the weaponized DOCX file. Within the document’s internal structure, specifically in the relationships file, a malicious reference named “aFChunk” is embedded. This technique exploits a vulnerability that compels Microsoft Word to silently load a hidden, embedded RTF file. This method, known since 2017, remains potent as email security gateways often perform superficial scans of DOCX files at the ZIP archive level and fail to inspect embedded RTF content.
Once the RTF file is loaded, it contains a hex-encoded JavaScript file concealed within a control word that Word processes but does not display to the user. This JavaScript dropper, approximately 67 KB in size, employs a junk-string technique to obfuscate its core functionality. Its primary action is to utilize Windows Management Instrumentation (WMI) to launch PowerShell stealthily in a hidden window, ensuring the execution goes unnoticed by the user.
The PowerShell script spawned by the dropper is engineered to disable TLS certificate checks, which lets it connect to remote servers regardless of the certificates they present. It also bypasses Windows’ Antimalware Scan Interface (AMSI) through indirect method calls, a technique intended to evade detection by security software. The script then downloads a 14.5 MB ZIP archive from Filemail.com, a legitimate Norwegian file-sharing service chosen for its reputable domain. The downloaded ZIP file is disguised with an .mp3 extension to avoid immediate suspicion.
Upon extraction, the ZIP file reveals a complete Python 3.12 runtime environment. The threat actors then execute a Python script named “Protected.py.” This script is responsible for de-obfuscating the payload, which involves stripping away five distinct layers of encryption and obfuscation: Base64, zlib compression, byte reversal, ROT13, and XOR encryption. After de-obfuscation, the script decrypts a file named “license.pdf” using AES-256-CBC. However, this “license.pdf” is not a document but rather an encrypted Dynamic Link Library (DLL).
This decrypted DLL is then reflectively loaded directly into the computer’s memory. Critically, the DLL is never written to the disk at any point during this process, making standard file-based forensic analysis exceptionally challenging. To ensure persistence, the attackers establish a registry Run key named “RtkAudUService.” This key mimics a legitimate Realtek audio service, aiming to blend in with normal system processes. The malware employs a Microsoft-signed VBS script to relaunch the loader component after every system reboot, ensuring continued access for the attackers.
Security teams are advised to implement specific monitoring and blocking measures to counter this threat. Key actions include monitoring the HKCU Run registry keys for the presence of “RtkAudUService.” Additionally, blocking requests to Filemail.com URLs can disrupt payload delivery. Finally, flagging DOCX files that contain “aFChunk” references in their internal structure can help identify and quarantine potentially malicious documents before they can initiate the attack chain.
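The recommendation above to flag DOCX files carrying “aFChunk” references, together with the earlier description of how the relationships file points Word at a hidden RTF part, can be turned into a small offline scanner. The code below is an added example written for this page, not tooling from BreakglassIntelligence or from the original report. It assumes only the standard OOXML relationship type for altChunk parts (whose URI really does end in `aFChunk`); the sample document it builds, the part name `word/afchunk.rtf` and the RTF body inside it are constructed for the demonstration. Beyond the simple string match the text suggests, it resolves the relationship target, confirms the target is an RTF part, and looks for the long hex run that typically carries an encoded dropper.

```python
"""Added example (not from the original report): scan a DOCX for altChunk
("aFChunk") relationships that pull an embedded RTF part into the document."""
import io
import posixpath
import re
import xml.etree.ElementTree as ET
import zipfile

# Real OOXML relationship type used by Word for altChunk parts (the "aFChunk"
# spelling is the one that appears in document.xml.rels).
AFCHUNK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/aFChunk"
PKG_REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
RTF_MAGIC = b"{\\rtf"
# 1024+ consecutive hex digits: an encoded script is far longer, a benign RTF rarely has this.
HEX_RUN = re.compile(rb"(?:[0-9a-fA-F]{2}){512,}")


def _resolve_target(rels_name, target):
    """Map a relationship Target to a ZIP entry name.

    word/_rels/document.xml.rels describes word/document.xml, so relative
    targets are resolved against the owner's directory (here: word/).
    """
    if target.startswith("/"):
        return target.lstrip("/")
    owner_dir = posixpath.dirname(posixpath.dirname(rels_name))
    return posixpath.normpath(posixpath.join(owner_dir, target))


def scan_docx(data):
    """Return one finding dict per altChunk relationship found in the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for rels_name in sorted(n for n in names if n.endswith(".rels")):
            root = ET.fromstring(zf.read(rels_name))
            for rel in root.iter(PKG_REL_NS + "Relationship"):
                if rel.get("Type") != AFCHUNK_REL:
                    continue
                target = _resolve_target(rels_name, rel.get("Target", ""))
                finding = {
                    "rels": rels_name,
                    "id": rel.get("Id"),
                    "target": target,
                    "external": rel.get("TargetMode") == "External",
                    "rtf": False,
                    "hex_blob": False,
                }
                if target in names:
                    body = zf.read(target)
                    finding["rtf"] = body.lstrip().startswith(RTF_MAGIC)
                    finding["hex_blob"] = HEX_RUN.search(body) is not None
                findings.append(finding)
    return findings


def is_suspicious(data):
    """Verdict used by a gateway: any altChunk that loads RTF, or points outside the package."""
    return any(f["rtf"] or f["external"] for f in scan_docx(data))


def build_sample_docx(embed_rtf=True):
    """Construct a minimal DOCX in memory (sample data, not a real lure).

    With embed_rtf=True the document carries an altChunk relationship to a
    constructed RTF part that contains a long hex run; otherwise it is benign.
    """
    rel_ns = "http://schemas.openxmlformats.org/package/2006/relationships"
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    r_ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    rels = [f'<Relationship Id="rId1" Type="{r_ns}/styles" Target="styles.xml"/>']
    body = "<w:p><w:r><w:t>Request for quotation</w:t></w:r></w:p>"
    if embed_rtf:
        rels.append(f'<Relationship Id="rId2" Type="{AFCHUNK_REL}" Target="afchunk.rtf"/>')
        body += '<w:altChunk r:id="rId2"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels",
                    f'<Relationships xmlns="{rel_ns}"><Relationship Id="rId1" '
                    f'Type="{r_ns}/officeDocument" Target="word/document.xml"/></Relationships>')
        zf.writestr("word/document.xml",
                    f'<w:document xmlns:w="{w_ns}" xmlns:r="{r_ns}"><w:body>{body}</w:body></w:document>')
        zf.writestr("word/_rels/document.xml.rels",
                    f'<Relationships xmlns="{rel_ns}">' + "".join(rels) + "</Relationships>")
        zf.writestr("word/styles.xml", f'<w:styles xmlns:w="{w_ns}"/>')
        if embed_rtf:
            # Constructed RTF part: a placeholder hex run stands in for an encoded script.
            zf.writestr("word/afchunk.rtf", b"{\\rtf1\\ansi{\\*\\objdata " + b"4d5a90" * 400 + b"}}")
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("lure", build_sample_docx(True)), ("benign", build_sample_docx(False))):
        print(label, "suspicious" if is_suspicious(sample) else "clean", scan_docx(sample))
```

In a mail gateway this would run on every DOCX attachment before any content-type heuristics, because the ZIP-level scan the article mentions never opens `document.xml.rels`. The `external` flag also catches the variant where the altChunk target is a URL rather than a part inside the package.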
The ongoing nature of operations like NKFZ5966PURCHASE underscores the evolving tactics of cyber threat actors. The reliance on legitimate tools and sophisticated evasion techniques highlights the continuous need for advanced threat detection and response capabilities. Organizations operating within the aerospace and defense supply chain, as well as those involved in industrial procurement, should consider this campaign a significant indicator of the threats they may face and bolster their defenses accordingly. The use of multiple, layered obfuscation and execution methods suggests a well-resourced and determined adversary, and vigilance will be paramount in the coming months.