Threat Advisory

EmEditor Supply Chain Attack Delivers Stealthy Information Stealing Malware

Threat: Supply Chain Attack
Targeted Region: Global
Targeted Sector: Government & Defense, Critical Infrastructure
Criticality: High

EXECUTIVE SUMMARY

A supply chain attack was identified involving EmEditor, a widely used text editor, in which the official installation packages distributed through the vendor's legitimate website were replaced with malicious versions. The altered installers were signed with an unauthorized certificate, so they passed casual trust checks (a signature that is present and validates) and appeared authentic to end users. Because the software is commonly used by developers and technical staff who work with sensitive data and privileged environments, the potential exposure is significant. Analysis confirmed that the compromised installers delivered fully operational information-stealing malware rather than limited or experimental code, raising the risk of large-scale data theft affecting both individual users and organizational environments. The incident shows that abuse of trusted software distribution channels remains effective: a single compromise reaches many systems without exploiting a software flaw, because victims run the installer deliberately. Intelligence-driven detection did identify the malicious installers, which underscores the value of proactive threat visibility against supply chain attacks that rely on trust rather than exploitation.
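A signature check that only asks "is this file validly signed?" is exactly the casual trust check the advisory describes being bypassed. The following PowerShell function is an added example (it is not from the advisory or from the vendor) that pins both the signer identity and a hash obtained outside the download site. The expected subject pattern and the expected SHA-256 are placeholders you supply from a known-good release; the advisory publishes neither.

```powershell
function Test-PinnedInstaller {
    <#
    Verifies an installer against a pinned signer and a hash obtained out-of-band,
    rather than accepting any file whose signature merely validates.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Regex matched against the signing certificate's Subject. Placeholder:
        # fill in the vendor's legal name as it appears on a known-good release.
        [Parameter(Mandatory)] [string] $ExpectedSubjectPattern,
        # SHA-256 obtained from a channel other than the download site itself
        # (a previously verified copy, a vendor announcement, your own mirror).
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )

    $reasons = New-Object System.Collections.Generic.List[string]

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $reasons.Add("signature status is '$($sig.Status)', not Valid")
    }

    # A chain that validates only proves that *someone* holding a code-signing
    # certificate signed the file. Pin the signer so a re-signed installer fails.
    $signer = $null
    $thumb  = $null
    if ($sig.SignerCertificate) {
        $signer = $sig.SignerCertificate.Subject
        $thumb  = $sig.SignerCertificate.Thumbprint
    }
    if (-not $signer) {
        $reasons.Add('file carries no signature')
    } elseif ($signer -notmatch $ExpectedSubjectPattern) {
        $reasons.Add("unexpected signer: $signer")
    }

    # Independent of PKI: the bytes must match the hash you obtained out-of-band.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($hash -ne $ExpectedSha256) {   # -ne is case-insensitive in PowerShell
        $reasons.Add('SHA-256 does not match the expected hash')
    }

    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        Signer          = $signer
        Thumbprint      = $thumb
        Sha256          = $hash
        Trusted         = ($reasons.Count -eq 0)
        Reasons         = ($reasons -join '; ')
    }
}

# Usage (placeholder values, not indicators from the advisory):
# Test-PinnedInstaller -Path .\setup.exe -ExpectedSubjectPattern '^CN=Vendor Legal Name' -ExpectedSha256 'ABCD...'
```

Take the reference hash from somewhere other than the page you downloaded the installer from: when the distribution site itself is the compromised channel, a hash published beside the download can be swapped along with the binary. Recording the signer thumbprint from a known-good release and comparing it on every update is a stronger pin than the subject string alone.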

The malicious installer embeds a script that runs a multi-stage data theft routine. Early in execution it disables logging to reduce visibility and initializes encryption routines that protect the stolen data both at rest and in transit. The malware collects system and user details, enumerates files in common user directories, and encrypts the results. Collection then widens to operating system credentials, network and VPN configurations, browser cookies, saved logins, and user settings, and targets numerous communication and collaboration applications so that a broad range of authentication material can be harvested. A screenshot routine captures the active desktop to add context. All collected data is packaged into a compressed archive for exfiltration. The malware refuses to run on systems with certain language settings, which points to deliberate targeting. Persistence is achieved through a deceptive browser extension that supports continuous data theft, fallback command-and-control domains, and remote command execution.
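Two things in the description above are cheap to hunt for on a Windows endpoint: an installer process spawning PowerShell (T1059.001), and the logging controls the script turns off first. The following functions are an added example written for this page, not tooling from the advisory. The installer image-name pattern is a placeholder, because the advisory does not give the file name; the registry paths and event ID are the standard Windows ones. Process-creation auditing (ideally with command-line inclusion) must already be enabled, and the Security log requires an elevated session.

```powershell
function Get-InstallerSpawnedPowerShell {
    <#
    Hunts Security event 4688 (process creation) for PowerShell launched by an
    installer process. Needs process-creation auditing enabled; command lines
    appear only when "Include command line in process creation events" is on.
    #>
    [CmdletBinding()]
    param(
        # Regex for the installer's image name. Placeholder: take it from your
        # own software inventory, the advisory does not publish the file name.
        [Parameter(Mandatory)] [string] $InstallerNamePattern,
        [datetime] $Since = (Get-Date).AddDays(-30)
    )

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read EventData fields by name rather than positional index, which
        # differs between Windows builds.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) {
            $d[$item.GetAttribute('Name')] = $item.InnerText
        }

        if ($d['ParentProcessName'] -match $InstallerNamePattern -and
            $d['NewProcessName']    -match '\\(powershell|pwsh)\.exe$') {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Parent      = $d['ParentProcessName']
                Child       = $d['NewProcessName']
                CommandLine = $d['CommandLine']   # empty unless command-line auditing is on
            }
        }
    }
}

function Get-LoggingPosture {
    # The controls a stealer that "disables logging" would reach for first:
    # the Event Log service and the PowerShell logging policies.
    $svc = Get-Service -Name EventLog
    $sbl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
    $mod = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EventLogService    = $svc.Status
        EventLogStartType  = $svc.StartType
        ScriptBlockLogging = ($sbl.EnableScriptBlockLogging -eq 1)
        ModuleLogging      = ($mod.EnableModuleLogging -eq 1)
    }
}

# Usage (run elevated; the installer pattern is a placeholder):
# Get-LoggingPosture
# Get-InstallerSpawnedPowerShell -InstallerNamePattern 'setup\.exe$' | Format-Table -AutoSize
```

A host where Get-LoggingPosture reports script block logging off, or where the 4688 stream stops shortly after the installer ran, is itself a signal: the absence of expected telemetry after a software install deserves the same attention as a positive hit. Where an EDR or Sysmon is deployed, the same parent/child relationship is usually easier to query there than in the Security log.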

This attack combines a software supply chain compromise with comprehensive information-stealing functionality. By riding on a trusted installer, the attackers gained immediate access to endpoints that may otherwise have strong security controls. The volume and diversity of collected data indicate intent to support long-term access, follow-on intrusions, and broader abuse of compromised accounts, and the persistent browser component makes remediation harder and enables ongoing surveillance. Because browser cookies and saved logins were among the data taken, remediation on affected hosts has to include rotating credentials and invalidating sessions, not only removing the malware. The operation shows clear signs of planning, including targeting controls and resilient command infrastructure. From a defensive standpoint, the incident reinforces the need to validate what software does once it runs, not just where it came from or who signed it. Threat intelligence-backed detection identified the activity, underscoring its value against modern supply chain threats. Overall, the case shows how trust in legitimate software channels can be weaponized and why layered detection remains critical.
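The persistent browser extension is the component most likely to survive an uninstall of the trojanized editor, so an inventory of installed extensions is a reasonable first remediation check. The function below is an added example for this page, not tooling from the advisory or any browser vendor. It walks the standard Chromium profile layout (Extensions\<id>\<version>\manifest.json) for every local user; the allowlist of approved extension IDs is a placeholder, since the advisory does not publish the malicious extension's ID. Reading other users' profiles requires an elevated session.

```powershell
function Get-ChromiumExtensionInventory {
    <#
    Lists extensions installed in Chromium-based browser profiles for every local
    user and flags any whose ID is not on an allowlist. Compare IDs, not names:
    a deceptive extension can copy a legitimate one's name and icon.
    #>
    [CmdletBinding()]
    param(
        # Placeholder: extension IDs approved in your environment. Nothing is
        # pre-seeded because the advisory does not publish the malicious ID.
        [string[]] $AllowedIds = @()
    )

    # Profile roots per browser, relative to each user's home directory.
    $browsers = [ordered]@{
        Chrome = 'AppData\Local\Google\Chrome\User Data'
        Edge   = 'AppData\Local\Microsoft\Edge\User Data'
        Brave  = 'AppData\Local\BraveSoftware\Brave-Browser\User Data'
    }

    foreach ($userDir in Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory) {
        foreach ($browser in $browsers.Keys) {
            $userData = Join-Path $userDir.FullName $browsers[$browser]
            if (-not (Test-Path $userData)) { continue }

            # Each profile (Default, Profile 1, ...) keeps its own Extensions folder.
            foreach ($prof in Get-ChildItem -Path $userData -Directory) {
                $extRoot = Join-Path $prof.FullName 'Extensions'
                if (-not (Test-Path $extRoot)) { continue }

                foreach ($idDir in Get-ChildItem -Path $extRoot -Directory) {
                    foreach ($verDir in Get-ChildItem -Path $idDir.FullName -Directory) {
                        $manifest = Join-Path $verDir.FullName 'manifest.json'
                        if (-not (Test-Path $manifest)) { continue }
                        try   { $m = Get-Content -Path $manifest -Raw -Encoding UTF8 | ConvertFrom-Json }
                        catch { continue }   # unreadable manifest: skip, but the folder is still listed by ID below

                        $perms = ((@($m.permissions) + @($m.host_permissions)) | Where-Object { $_ }) -join ','
                        [pscustomobject]@{
                            User        = $userDir.Name
                            Browser     = $browser
                            Profile     = $prof.Name
                            ExtensionId = $idDir.Name
                            Version     = $verDir.Name
                            # Store extensions often show a localized key such as __MSG_appName__ here.
                            Name        = $m.name
                            Permissions = $perms
                            Allowed     = ($AllowedIds -contains $idDir.Name)
                            Path        = $verDir.FullName
                        }
                    }
                }
            }
        }
    }
}

# Usage: review everything not on the allowlist, then read the extension's
# background script and host_permissions before deciding.
# Get-ChromiumExtensionInventory -AllowedIds @('<approved id>') | Where-Object { -not $_.Allowed } | Format-Table -AutoSize
```

This covers extensions unpacked into the profile directory. Extensions force-installed through policy (the ExtensionInstallForcelist registry keys under HKLM\SOFTWARE\Policies) or loaded from an arbitrary folder via a modified browser shortcut with --load-extension will not appear here, so check those locations as well; a stealer that wants its extension to survive should be expected to use one of them.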

THREAT PROFILE:

Tactic               Technique ID  Technique                           Sub-technique
Initial Access       T1195.002     Supply Chain Compromise             Compromise Software Supply Chain
Execution            T1059.001     Command and Scripting Interpreter   PowerShell
Defense Evasion      T1562.002     Impair Defenses                     Disable Windows Event Logging
                     T1027         Obfuscated Files or Information     -
Persistence          T1176         Browser Extensions                  -
Credential Access    T1555.003     Credentials from Password Stores    Credentials from Web Browsers
                     T1552.001     Unsecured Credentials               Credentials In Files
Discovery            T1082         System Information Discovery        -
Collection           T1005         Data from Local System              -
                     T1113         Screen Capture                      -
                     T1056.001     Input Capture                       Keylogging
                     T1115         Clipboard Data                      -
Command and Control  T1071.001     Application Layer Protocol          Web Protocols
                     T1568.002     Dynamic Resolution                  Domain Generation Algorithms
Exfiltration         T1041         Exfiltration Over C2 Channel        -

REFERENCES:

The following reports contain further technical details:
