
MiniDoor and PixyNetLoader malicious RTF delivery chain

Malware Activity
Happening score: 45
1 unique source, 1 article

Summary


A malicious RTF delivery chain, built on APT28's abuse of CVE-2026-21509 in Microsoft Office, introduced two payloads, MiniDoor and PixyNetLoader, giving the operators a choice between email theft and Covenant Grunt deployment on each targeted host. MiniDoor collected mail from the Inbox, Junk, and Drafts folders and forwarded it to attacker-controlled accounts. PixyNetLoader hid its shellcode inside a file named SplashScreen.png, persisted through COM object hijacking, and executed only when its parent process was explorer.exe and no analysis environment was detected, so sandbox detonation and manual launch both stay silent. The chain shows a flexible payload path that combines mail collection and post-exploitation implanting in a single operation.
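Two of the PixyNetLoader behaviours above, shellcode stashed in a PNG and COM object hijacking, are generic enough to hunt for without the sample. The script below is an added example, not code from this page or from Zscaler or CERT-UA: it walks PNG chunks to flag non-standard chunk types and bytes appended after IEND, and it parses a .reg-style export to flag per-user CLSID InprocServer32 values that shadow a machine-wide registration or point into a user-writable path (per-user COM registrations are resolved before HKLM, which is what makes the hijack work). The PNG layout, the placeholder CLSIDs, the DLL paths and the registry export are all constructed; the page does not say how the shellcode was embedded in SplashScreen.png or which CLSID was hijacked.

```python
"""Triage helpers for a PixyNetLoader-style chain (added example, not vendor code).
Inputs below are constructed placeholders; real CLSIDs/paths are not given on the page."""
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"tRNS",
                   b"gAMA", b"cHRM", b"sRGB", b"iCCP", b"bKGD", b"pHYs", b"sBIT", b"sPLT",
                   b"hIST", b"tIME"}


def _chunk(ctype, data):
    # PNG chunk: big-endian length, 4-byte type, data, CRC32 over type+data
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)


def build_png(extra_chunks=(), trailer=b""):
    """Constructed 1x1 8-bit grey PNG; extra_chunks go before IDAT, trailer goes after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x80")  # filter byte + one grey pixel
    body = _chunk(b"IHDR", ihdr)
    for ctype, data in extra_chunks:
        body += _chunk(ctype, data)
    body += _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return PNG_SIG + body + trailer


def png_anomalies(blob):
    """Return (kind, detail) findings: bad CRC, non-standard chunk, data after IEND, truncation."""
    findings = []
    if not blob.startswith(PNG_SIG):
        return [("not_png", "bad signature")]
    off = len(PNG_SIG)
    while off + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[off:off + 8])
        data = blob[off + 8:off + 8 + length]
        crc = blob[off + 8 + length:off + 12 + length]
        name = ctype.decode("latin-1")
        if len(data) < length or len(crc) < 4:
            findings.append(("truncated", name))
            return findings
        if struct.unpack(">I", crc)[0] != (zlib.crc32(ctype + data) & 0xFFFFFFFF):
            findings.append(("bad_crc", name))
        if ctype not in STANDARD_CHUNKS:
            findings.append(("nonstandard_chunk", f"{name} len={length}"))
        off += 12 + length
        if ctype == b"IEND":  # anything after IEND is never rendered, a classic payload stash
            if off < len(blob):
                findings.append(("trailing_bytes", f"{len(blob) - off} bytes after IEND"))
            return findings
    findings.append(("no_iend", "stream ended without IEND"))
    return findings


# Constructed .reg export: placeholder CLSIDs, not real ones. The HKCU entry for ...AAAA
# shadows the HKLM one and points into the user's profile, the textbook COM hijack shape.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-00000000AAAA}\InprocServer32]
@="C:\\Windows\\System32\\example.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-00000000AAAA}\InprocServer32]
@="C:\\Users\\victim\\AppData\\Roaming\\Pixy\\loader.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-00000000BBBB}\InprocServer32]
@="C:\\Program Files\\Vendor\\helper.dll"
"""

KEY_RE = re.compile(r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\Software\\Classes\\CLSID\\"
                    r"(\{[0-9A-Fa-f-]+\})\\InprocServer32\]$", re.I)
DEFAULT_RE = re.compile(r'^@="(.*)"$')
USER_WRITABLE_RE = re.compile(r"^[a-z]:\\users\\|\\appdata\\|\\temp\\|\\programdata\\", re.I)


def parse_inproc_servers(reg_text):
    """Map hive -> {CLSID: dll path} from the default value of each InprocServer32 key."""
    servers = {"HKEY_LOCAL_MACHINE": {}, "HKEY_CURRENT_USER": {}}
    hive = clsid = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            hive, clsid = m.group(1).upper(), m.group(2).upper()
            continue
        if line.startswith("["):
            hive = clsid = None  # some other key; ignore its values
            continue
        d = DEFAULT_RE.match(line)
        if d and hive:
            servers[hive][clsid] = d.group(1).replace("\\\\", "\\")  # .reg doubles backslashes
    return servers


def find_com_hijacks(reg_text):
    """Flag HKCU InprocServer32 entries that shadow an HKLM CLSID or load from a user-writable path."""
    servers = parse_inproc_servers(reg_text)
    hits = []
    for clsid, path in servers["HKEY_CURRENT_USER"].items():
        reasons = []
        if clsid in servers["HKEY_LOCAL_MACHINE"]:
            reasons.append("shadows HKLM " + servers["HKEY_LOCAL_MACHINE"][clsid])
        if USER_WRITABLE_RE.search(path):
            reasons.append("user-writable path")
        if reasons:
            hits.append((clsid, path, reasons))
    return hits


if __name__ == "__main__":
    for kind, detail in png_anomalies(build_png(trailer=b"\x90" * 32)):
        print("PNG:", kind, detail)
    for clsid, path, reasons in find_com_hijacks(REG_EXPORT):
        print("COM:", clsid, path, "; ".join(reasons))
```

On a live host the registry half would consume the output of `reg export HKCU\Software\Classes\CLSID` and the equivalent HKLM export; an HKCU entry that merely exists for a CLSID also present in HKLM is worth a look even when the DLL path looks clean, because the per-user key wins the lookup. The PNG half is deliberately format-level only: pixel-domain steganography would pass it, so treat a clean result as "no cheap stash found", not as proof the image is benign.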

Related Happenings

FamousSparrow multi-wave intrusion campaign against Azerbaijani oil and gas company

Campaign
First: 13.05.2026 16:00 Last: 13.05.2026 16:00 Sources 1

About this happening: A **China-affiliated** actor tracked as **FamousSparrow (UAT-9244)** ran a **multi-wave intrusion** against an **unnamed Azerbaijani oil and gas company** from **late December 202...

Sefirah infostealer delivered through a malicious Hugging Face repository

Malware Activity
First: 09.05.2026 17:26 Last: 09.05.2026 17:26 Sources 1

About this happening: A malicious **Hugging Face** repository impersonated **OpenAI’s Privacy Filter** and delivered **sefirah**, a **Rust-based infostealer**, to **Windows** users, creating credential...

Windows Shell spoofing flaw actively exploited (CVE-2026-32202)

Vulnerability
First: 28.04.2026 08:50 Last: 28.04.2026 08:50 Sources 1

About this happening: **Microsoft** updated **Windows Shell** advisory guidance to confirm **CVE-2026-32202** was **actively exploited in the wild**, raising the risk of sensitive-information disclosur...

Lumma Stealer infection of a Context.ai employee

Malware Activity
First: 23.04.2026 11:40 Last: 23.04.2026 11:40 Sources 1

About this happening: A **Context.ai** employee was infected with **Lumma Stealer** in **February 2026**, giving attackers a likely foothold that may have seeded the wider compromise chain affecting **...

APT28 Operation GhostMail Zimbra phishing campaign targeting Ukrainian government entities

Campaign
First: 19.03.2026 16:55 Last: 19.03.2026 16:55 Sources 1

About this happening: **APT28**’s **Operation GhostMail** is actively targeting **Ukrainian government entities** through a phishing chain that exploits **CVE-2025-66376** in **Zimbra Collaboration Sui...

Timeline

  1. 03.02.2026 11:12 · 2 articles

    APT28 weaponizes CVE-2026-21509 against targeted users

    Exploitation Observed

    Zscaler ThreatLabz observed APT28 (UAC-0001) weaponizing CVE-2026-21509 in Microsoft Office on January 29, 2026 as part of Operation Neusploit, using malicious RTF files and DLL-based loaders to target users in Ukraine, Slovakia, and Romania and deliver MiniDoor or PixyNetLoader.

  2. 03.02.2026 11:12 · 1 article

    Zscaler and CERT-UA report APT28 abuse of CVE-2026-21509

    Initial Disclosure

    Zscaler ThreatLabz and CERT-UA reported APT28 abuse of CVE-2026-21509 in Microsoft Office, including malicious RTF and Word documents, WebDAV download chains, and deployment of a COVENANT Grunt implant against more than 60 email addresses associated with Ukraine's central executive authorities.
