CVE-2026-21509: A Zero-Click Office Exploit Hiding Behind a Pakistani Government Server
Published: 2026-03-11 | Author: BGI | Investigation Date: 2026-03-11
TL;DR
A weaponized Word 97-2003 document exploiting CVE-2026-21509 -- a zero-click vulnerability in Microsoft Office OLE object handling -- delivers a ClickOnce payload hosted on compromised Pakistani government infrastructure. The C2 is sbis[.]psca[.]gop[.]pk, a legitimate subdomain of the Punjab Safe City Authority. The document was authored by "MALDEV01" and last saved by "WarMachine" using WPS Office with an English-India locale, targeting Sindh Integrated Emergency and Health Services procurement personnel. Two out of sixty-three antivirus engines detect it. This sample belongs to a 21-sample CVE-2026-21509 cluster on MalwareBazaar, seven of which carry explicit APT28 (Fancy Bear) attribution -- but the South Asian tooling, locale, and targeting suggest either a shared exploit builder circulating among state-level actors or a distinct South Asian APT leveraging the same zero-day.
What We Found
On March 11, 2026, BGI flagged a sample on MalwareBazaar that does not fit the usual CVE-2026-21509 pattern. The 21-sample cluster for this CVE is dominated by Ukraine-focused APT28 lures -- diplomatic correspondence, interview questions, consultation documents. This sample is different. It targets Pakistani government procurement officers with a lure about ambulance surveillance systems, was built with WPS Office on an English-India locale machine, and phones home to a compromised Pakistani government server rather than attacker-controlled infrastructure.
The technical chain is elegant: an OLE ObjectPool stream contains a Shell Link (.LNK) binary with an Internet Explorer IDLIST structure that forces the OLE parser to resolve a ClickOnce deployment URL. No VBA macros. No user prompt beyond opening the document. Combined with Outlook's preview pane behavior, this approaches zero-click territory.
The C2 is the most operationally significant finding. The attacker did not register a domain or rent a bulletproof hosting IP. They compromised a legitimate Pakistani government server -- the Punjab Safe City Authority's SBIS portal -- and staged the payload under a /css/ subdirectory that looks like a legitimate asset path. The IP has a clean reputation score of 0/94 on VirusTotal because it is a clean server. Every URL reputation filter, every threat intelligence feed, every email gateway that checks sender/domain/IP reputation will wave this through.
What We Found vs. What Was Known
| Aspect | Prior Reporting | Our Findings |
|---|---|---|
| CVE-2026-21509 exploitation | 21 samples on MalwareBazaar, primarily Ukraine-focused | South Asian variant targeting Pakistani government organizations |
| APT28 attribution | 7/21 samples explicitly tagged APT28 | This sample diverges: WPS Office tooling, en-IN locale, South Asian lure |
| C2 infrastructure | Various, mostly attacker-controlled domains | Compromised legitimate Pakistani government infrastructure (PSCA) |
| Detection rate | Varies across cluster | 2/63 on VirusTotal -- near-invisible to endpoint security |
| Author metadata | Not widely reported for this cluster | MALDEV01 (author), WarMachine (last saved by) |
| Build tooling | Unknown for most samples | WPS Office 12.2.0.23196 with English-India locale (ID 16393) |
The Exploit Chain: OLE Without Macros
Forget everything you know about malicious Word documents requiring macros. CVE-2026-21509 does not need them.
The vulnerability lives in how Microsoft Office handles OLE (Object Linking and Embedding) ObjectPool streams. The weaponized document contains an ObjectPool storage with a child entry _1234567890. Inside that entry, a CONTENTS stream holds a Shell Link (.LNK) binary -- 496 bytes, beginning with the standard LNK magic bytes 4C 00 00 00. The LNK contains an Internet Explorer IDLIST structure that redirects to an attacker-controlled HTTPS URL hosting a ClickOnce .application deployment manifest.
When Word parses the document and encounters the ObjectPool, it automatically attempts to resolve the embedded LNK. The LNK's IDLIST structure triggers the Shell Link resolution path through Internet Explorer's URL handler, initiating an HTTPS connection to the ClickOnce deployment server. No VBA execution. No user interaction beyond opening the file. No "Enable Content" prompt.
The full chain:
```text
DELIVERY
    Spearphishing email targeting SIEHS procurement personnel
    Attachment: "SIEHS Document.doc" (Word 97-2003 format)
    Theme: Purchase of Ambulance Surveillance System
        |
        v
EXECUTION (zero user interaction beyond document open)
    Word parses OLE Compound Document
    ObjectPool storage -> _1234567890 -> CONTENTS stream
    496-byte Shell Link binary detected
    LNK magic: 4C 00 00 00
        |
        v
OLE RESOLUTION (CVE-2026-21509)
    Shell Link contains Internet Explorer IDLIST
    IDLIST redirects to ClickOnce deployment URL:
    https://sbis[.]psca[.]gop[.]pk/css/PDF-READER/PDF%20Viewer.application
    OLE parser auto-resolves without user prompt
        |
        v
PAYLOAD DELIVERY (compromised government infrastructure)
    ClickOnce .application manifest downloaded over HTTPS
    Payload masquerades as "PDF Viewer" utility
    Served from /css/PDF-READER/ path on legitimate PSCA server
    Valid wildcard TLS cert (*.psca.gop.pk) -- no certificate warnings
        |
        v
EXECUTION (ClickOnce trusted deployment)
    .NET ClickOnce deployment executes with user-level privileges
    No UAC prompt required for ClickOnce applications
    Payload establishes persistence via ClickOnce update mechanism
        |
        v
POST-EXPLOITATION
    Second-stage payload (PDF Viewer disguise)
    Full system access via ClickOnce application trust model
    C2 communication over HTTPS to government domain (reputation bypass)
```
The victim sees what looks like a procurement document about ambulance surveillance systems for Sindh province. Behind the scenes, the OLE parser has already fetched and begun executing a ClickOnce deployment disguised as a PDF Viewer from a Pakistani government domain. The entire infection chain is invisible.
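The structural markers above (OLE2 header, an ObjectPool storage with a CONTENTS stream, a 496-byte Shell Link, an ID list pointing at a `.application` URL) can be checked mechanically before a document ever reaches Word. The following Python triage script is an added example, not BGI's tooling or part of the report: it scans raw bytes for those markers, walks the Shell Link's LinkTargetIDList per MS-SHLLINK, and pulls out any ClickOnce URL stored in 8-bit or UTF-16LE form. It does not walk the compound-file FAT (pair it with an OLE parser such as `olefile`, assumed here, when you need per-stream extraction), and `build_fixture()` produces a constructed stand-in for the layout rather than the real sample.

```python
"""Byte-level triage for the OLE / LNK / ClickOnce structure described above.

Added example, not the report's own tooling. It looks for the markers the
report describes: an OLE2 header, ObjectPool/CONTENTS directory names, an
embedded Shell Link header, and a ClickOnce (.application) URL inside the
link's ID list. It scans raw bytes and does not walk the compound-file FAT.
"""
import re
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# A Shell Link begins with HeaderSize 0x0000004C followed by the ShellLink CLSID
# {00021401-0000-0000-C000-000000000046} in little-endian on-disk order.
LNK_HEADER = (b"\x4c\x00\x00\x00"
              b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
HAS_LINK_TARGET_IDLIST = 0x00000001   # LinkFlags bit 0 (MS-SHLLINK)
URL_RE = re.compile(r"https?://[^\s\x00\"'<>]+?\.application\b", re.IGNORECASE)


def find_lnk_offsets(data):
    """Offsets of every embedded Shell Link header (size field + CLSID)."""
    offsets, pos = [], data.find(LNK_HEADER)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(LNK_HEADER, pos + 1)
    return offsets


def walk_idlist(lnk):
    """Yield the data of each ItemID in the LinkTargetIDList.

    Layout: 0x4C-byte header, then IDListSize (u16) and a run of ItemIDs, each
    ItemIDSize (u16, counting its own two bytes) + data, closed by a 0x0000
    TerminalID.
    """
    if len(lnk) < 0x4E:
        return
    flags = struct.unpack_from("<I", lnk, 0x14)[0]
    if not flags & HAS_LINK_TARGET_IDLIST:
        return
    idlist_size = struct.unpack_from("<H", lnk, 0x4C)[0]
    pos, end = 0x4E, min(0x4E + idlist_size, len(lnk))
    while pos + 2 <= end:
        item_size = struct.unpack_from("<H", lnk, pos)[0]
        if item_size < 2:          # TerminalID reached
            break
        yield lnk[pos + 2:pos + item_size]
        pos += item_size


def clickonce_urls(blob):
    """ClickOnce deployment URLs in a blob, whether stored as 8-bit or UTF-16LE text."""
    hits = set()
    for enc in ("latin-1", "utf-16-le"):
        text = blob.decode(enc, errors="ignore")
        hits.update(m.group(0) for m in URL_RE.finditer(text))
    return sorted(hits)


def triage(data):
    """Structural verdict mirroring the report's YARA condition, plus any URL found."""
    report = {
        "ole_header": data.startswith(OLE_MAGIC),
        "objectpool": "ObjectPool".encode("utf-16-le") in data,   # directory names are UTF-16LE
        "contents": "CONTENTS".encode("utf-16-le") in data,
        "lnk_offsets": find_lnk_offsets(data),
        "clickonce_urls": [],
    }
    for off in report["lnk_offsets"]:
        for item in walk_idlist(data[off:]):
            report["clickonce_urls"].extend(clickonce_urls(item))
    report["matches_structure"] = (report["ole_header"] and report["objectpool"]
                                   and report["contents"] and bool(report["lnk_offsets"]))
    return report


def build_fixture(url="https://sbis.psca.gop.pk/css/PDF-READER/PDF%20Viewer.application"):
    """Constructed stand-in for the document layout: NOT the real sample and not a
    valid compound file, just OLE magic, UTF-16LE directory names, then a LNK whose
    single (simplified) ItemID carries the report's ClickOnce URL as UTF-16LE text."""
    item_data = b"\x00\x00" + url.encode("utf-16-le") + b"\x00\x00"
    item = struct.pack("<H", len(item_data) + 2) + item_data
    idlist = item + b"\x00\x00"                       # ItemIDs + TerminalID
    lnk = (LNK_HEADER + struct.pack("<I", HAS_LINK_TARGET_IDLIST)
           + b"\x00" * (0x4C - len(LNK_HEADER) - 4)   # rest of the 0x4C-byte header
           + struct.pack("<H", len(idlist)) + idlist)
    names = b"".join(n.encode("utf-16-le") + b"\x00" * 8
                     for n in ("Root Entry", "ObjectPool", "_1234567890", "CONTENTS"))
    return OLE_MAGIC + b"\x00" * 504 + names + b"\x00" * 64 + lnk + b"\x00" * 128


if __name__ == "__main__":
    result = triage(build_fixture())
    print("structure match:", result["matches_structure"])
    for found in result["clickonce_urls"]:
        print("ClickOnce URL:", found)
```

Run it against a mail-gateway quarantine or a directory of `.doc` attachments by feeding `triage()` the file bytes; a `matches_structure` hit is the structural signature the report describes, and a non-empty `clickonce_urls` list gives you the deployment host to check against the network IOCs.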
Why This Is Worse Than Macros
Macro-based attacks have two defensive checkpoints: the "Enable Content" prompt and Macro execution policies (which Microsoft has been progressively tightening since 2022). CVE-2026-21509 bypasses both. The OLE ObjectPool resolution happens at the document parsing layer, before any macro security policy evaluation. There is no "Enable Content" button because there is no macro to enable. The attack surface is the OLE parser itself -- a component that must function for Word to render embedded objects, and therefore cannot be trivially disabled without breaking core functionality.
Furthermore, Outlook's preview pane renders OLE objects without fully opening the document. Depending on the Outlook version and patch level, merely selecting the email in the reading pane may be sufficient to trigger the exploit chain. This is zero-click in the strictest sense.
The Lure: Ambulance Surveillance in Sindh
The social engineering is precisely targeted. The document impersonates official communication about the "Purchase of Ambulance Surveillance System" for the Sindh Integrated Emergency and Health Services (SIEHS):
Please open the attached document below to read the key instructions for Purchase of Ambulance Surveillance system. Sindh Integrated Emergency and Health Services, I have highlighted major key points.. Your review is highly required.
The document contains embedded PNG images totaling roughly 312 KB, rendering what appears to be official procurement documentation. The SIEHS is a real organization -- it operates the Rescue 1122 emergency response system across Sindh province. Anyone working in Pakistani government procurement, emergency services, or health infrastructure would have every reason to open this document, and the lure is specific enough to suggest the attacker had prior knowledge of the target organization's procurement activities.
The choice of a procurement lure is not accidental. Procurement documents are among the most commonly shared, forwarded, and opened file types in government organizations. They arrive from multiple external vendors, contractors, and partner agencies, making an unfamiliar sender less suspicious. And procurement officers are conditioned to open attachments quickly -- delays in reviewing procurement documents can hold up entire programs.
Living Off the Government: Compromised PSCA Infrastructure
This is where the operation becomes genuinely sophisticated. The ClickOnce payload is not hosted on some bullet-proof hosting IP in Eastern Europe. It lives on sbis[.]psca[.]gop[.]pk -- a legitimate subdomain of the Punjab Safe City Authority, a Pakistani government entity responsible for the Safe Cities Project across Punjab province.
| Field | Value |
|---|---|
| C2 URL | hxxps://sbis[.]psca[.]gop[.]pk/css/PDF-READER/PDF%20Viewer.application |
| Domain | sbis[.]psca[.]gop[.]pk |
| IP Address | 103[.]119[.]125[.]125 |
| ASN | AS138019 |
| Organization | Punjab Safe City Authority (PSCA) |
| Country | Pakistan (Lahore, Punjab) |
| TLS Issuer | Starfield Secure Certificate Authority - G2 |
| TLS Coverage | Wildcard: *.psca.gop.pk |
| Cert Renewed | 2026-02-27 |
| VT IP Detections | 0/94 (clean) |
Why This Matters Operationally
The payload path -- /css/PDF-READER/PDF%20Viewer.application -- is buried inside what looks like a legitimate CSS directory. A quick glance at the URL from a security analyst reviewing email gateway logs would see a Pakistani government domain, a valid TLS certificate, and a path that looks like it belongs there. The IP reputation is spotless at 0/94 because it is a legitimate government server running legitimate government services.
Using compromised government infrastructure for C2 gives the attacker four simultaneous advantages:
- URL reputation bypass. Every email gateway, web proxy, and threat intelligence feed that checks domain/IP reputation will classify this as clean. The domain sits under .gop.pk (Government of Pakistan). The IP has zero historical malware associations. There is nothing to flag.
- TLS certificate trust. The wildcard certificate (*.psca.gop.pk) is issued by Starfield Secure Certificate Authority (a GoDaddy subsidiary) with a valid chain to a trusted root CA. No certificate warnings. No TLS interception alerts. The HTTPS connection is indistinguishable from a legitimate government web request.
- Victim trust exploitation. The targets are Pakistani government employees. A URL pointing to another Pakistani government domain is not just unsuspicious -- it is expected. Government agencies routinely share resources across domains within the .gop.pk namespace.
- Takedown complexity. You cannot call a hosting provider and request a takedown. This is government-owned infrastructure. Remediation requires inter-agency coordination between SIEHS (the target), PSCA (the compromised host), Pakistan's national CERT, and potentially the entity that manages the .gop.pk DNS zone. That process takes weeks, not hours.
The Timeline Fits
The wildcard TLS certificate for *.psca.gop.pk was renewed on February 27, 2026. The document was created on February 12 and last saved on February 18. The sample first appeared on ReversingLabs on March 2 and was submitted to MalwareBazaar on March 11.
The actor likely compromised the PSCA server in late January or early February 2026, staged the ClickOnce deployment, and then built and distributed the weaponized document in the following weeks. The certificate renewal on February 27 may be unrelated to the compromise (routine renewal) or may indicate the attacker had sufficient access to manage certificates on the server.
The MALDEV01 / WarMachine Signatures
The document metadata reads like a calling card:
| Metadata Field | Value | Significance |
|---|---|---|
| Author | MALDEV01 | Dedicated malware development machine naming convention |
| Last Saved By | WarMachine | Operator alias or username on the build system |
| Application | WPS Office 12.2.0.23196 | Common in South/Southeast Asian APT tooling |
| Locale ID | 16393 (en-IN) | English-India locale |
| Code Page | 1200 (Unicode UTF-16) | Standard for multilingual documents |
| Created | 2026-02-12 06:17:00 UTC | Build timestamp |
| Last Saved | 2026-02-18 12:16:56 UTC | Final weaponization timestamp |
What the Metadata Tells Us
MALDEV01 is not a name someone uses for their personal laptop. It is a naming convention for a dedicated malware development workstation -- the kind of naming scheme you see in organized operations where machines are numbered and purpose-assigned. The "01" suffix implies there is or was a MALDEV02 (and possibly more). This is a team with standardized infrastructure.
WarMachine is the operator's chosen handle or Windows username on the build system. The six-day gap between document creation (February 12) and last save (February 18) suggests the document went through a review or testing cycle before deployment. One person built it, another (or the same person, six days later) finalized it.
WPS Office 12.2.0.23196 is the most significant metadata indicator. WPS Office has dominant market share in China, India, and Southeast Asia but is relatively uncommon in Russian-speaking threat actor toolchains. APT28 operators overwhelmingly use Microsoft Office in Russian-locale environments. The presence of WPS Office with an en-IN (English-India, LCID 16393) locale setting points firmly at South Asian origin -- or at minimum, a South Asian build environment that is distinct from the APT28 infrastructure used in the Ukrainian campaign variants.
The 06:17 UTC creation time corresponds to approximately 11:47 AM in India Standard Time (UTC+5:30) or 11:17 AM in Pakistan Standard Time (UTC+5:00) -- solidly within working hours for a South Asian team.
The APT28 Question: Three Scenarios
Here is the problem that makes this sample analytically interesting. CVE-2026-21509 is being actively exploited by APT28 (Fancy Bear / GRU Unit 26165) to target Ukraine. Seven of the 21 samples in MalwareBazaar's CVE-2026-21509 cluster carry explicit APT28 tags. The Ukrainian-targeting samples use lures like "Consultation Topics Ukraine (Final).doc" and interview questions. A separate HoodyHyena-tagged sample uses a Russian vehicle inspection RTF.
Our sample does not fit that pattern at all:
| Dimension | APT28 Cluster (7 samples) | This Sample |
|---|---|---|
| Targeting | Ukraine, NATO | Pakistan (SIEHS, PSCA) |
| Lure language | English (diplomatic) | English (government procurement, South Asian) |
| Build tool | Likely Microsoft Office | WPS Office 12.2.0.23196 |
| Locale | Unknown (likely Russian) | en-IN (English-India, LCID 16393) |
| C2 infrastructure | Attacker-controlled domains | Compromised Pakistani government server |
| Author metadata | Various / sanitized | MALDEV01 / WarMachine |
Three scenarios present themselves:
Scenario 1: APT28 Geographic Expansion (LOW confidence)
Fancy Bear is broadening its targeting to South Asia using the same exploit but different lures and a regionally appropriate build environment. This would be a significant strategic shift for an actor whose collection mandate is overwhelmingly focused on NATO, Ukraine, and European targets. It is possible but lacks supporting evidence beyond the shared CVE.
Scenario 2: Shared Exploit Builder (MEDIUM confidence)
The CVE-2026-21509 exploit generator is circulating among multiple state-level actors, each customizing lures and infrastructure for their own targets. A shared builder would explain why the same OLE/LNK technique appears across geographically and thematically diverse campaigns while the surrounding tradecraft (build tools, locales, C2 architecture) diverges significantly. Exploit builders -- particularly for zero-day or recently patched vulnerabilities -- are known to proliferate among state-sponsored groups through commercial exploit brokers, intelligence-sharing arrangements, and underground markets.
Scenario 3: Distinct South Asian APT (MEDIUM-HIGH confidence)
A separate threat group -- potentially India-nexus based on the en-IN locale, WPS Office usage, and targeting of Pakistani government infrastructure -- independently weaponized CVE-2026-21509 or acquired the exploit through a broker. The targeting pattern (Indian locale, Pakistani government victims) is consistent with South Asian geopolitical intelligence collection. This scenario best explains the totality of the divergent indicators.
We assess Scenario 3 as most probable, with Scenario 2 as a plausible alternative. What we can state with HIGH confidence: this sample was not built by the same team that produced the APT28-attributed Ukrainian campaign variants, regardless of whether the underlying exploit code shares a common origin.
Sandbox Evasion: Why 2/63 Is the Real Story
The detection rate is not a footnote. It is the story.
| Analysis Platform | Verdict | Notes |
|---|---|---|
| VirusTotal | 2/63 (3.2%) | Near-invisible to commercial AV |
| DocGuard | Malicious | Legacy Office File analysis (one of the 2 detections) |
| ReversingLabs | 3/36 (8.33%) | First seen 2026-03-02 |
| Zenbox | Clean (99% confidence) | Full sandbox evasion |
| ANY.RUN | No threats detected | Complete sandbox bypass |
| Triage | Score 1/10 | Minimal behavioral indicators |
Two out of sixty-three antivirus engines. A 3.2% detection rate. Three major sandboxes -- Zenbox, ANY.RUN, and Triage -- all report the document as clean or near-clean.
Why Sandboxes Fail
The exploit's evasion success is not due to sophisticated anti-analysis techniques. It is structural:
- No VBA macros to analyze. The majority of document analysis engines are optimized to detect macro-based threats. They extract and evaluate VBA code, check for auto-execution triggers, and flag suspicious API calls within macros. CVE-2026-21509 has no macros. The detection pipeline for macro analysis returns nothing because there is nothing to analyze.
- OLE ObjectPool parsing is not fully emulated. The exploit relies on Word's specific behavior when encountering a Shell Link binary inside an ObjectPool CONTENTS stream. Most sandbox environments emulate macro execution but do not fully replicate the OLE object resolution path. The Shell Link is never parsed, the IDLIST is never resolved, and the ClickOnce URL is never fetched.
- The payload is remote. The document itself contains no executable code, no shellcode, and no embedded payload. It contains a 496-byte LNK that points to a URL. Static analysis of the document reveals nothing malicious because the malicious behavior requires network connectivity and a specific OLE rendering path that sandboxes do not exercise.
- The C2 is a government domain. Even if a sandbox does fetch the ClickOnce URL, the domain sbis[.]psca[.]gop[.]pk passes every reputation check. There is no threat intelligence feed that flags it. The IP has zero detections. A sandbox that resolves the URL and checks reputation will conclude the connection is benign.
- ClickOnce is a legitimate deployment mechanism. The .NET ClickOnce framework is a trusted Microsoft technology used by thousands of legitimate applications. Even if a sandbox successfully triggers the full chain, the resulting ClickOnce deployment may not be flagged as malicious because the deployment mechanism itself is legitimate.
This is a weaponized document that will sail through most email gateways, most endpoint security products, and most sandbox analysis platforms undetected. The 2/63 detection rate is not a temporary gap that will close as signatures are updated -- it reflects a fundamental blind spot in how the security industry analyzes Office documents.
Detection Engineering
YARA Rules
```yara
rule CVE_2026_21509_OLE_LNK_ClickOnce {
    meta:
        author = "Breakglass Intelligence"
        date = "2026-03-11"
        description = "CVE-2026-21509 OLE exploit with embedded LNK and ClickOnce delivery"
        hash = "8e53683133e7e1ddd1d8728b6ba8b9b80ec40f6772422c8adc8002bafe553f7b"
        tlp = "TLP:CLEAR"
        reference = "https://intel.breakglass.tech"
    strings:
        $ole_magic = { D0 CF 11 E0 A1 B1 1A E1 }   // OLE2 compound document header
        $lnk_magic = { 4C 00 00 00 }               // Shell Link HeaderSize field (weak alone; anchored by the condition)
        $objectpool = "ObjectPool" ascii wide      // directory names are stored UTF-16LE, hence "wide"
        $contents = "CONTENTS" ascii wide
        $clickonce = ".application" ascii wide nocase
        $ie_idlist = { 01 14 02 00 }               // bytes that follow the LNK header-size field: the first dword of the ShellLink CLSID 00021401-0000-0000-C000-000000000046
    condition:
        $ole_magic at 0 and $objectpool and $contents and $lnk_magic and
        ($clickonce or $ie_idlist)
}

rule CVE_2026_21509_SIEHS_Lure {
    meta:
        author = "Breakglass Intelligence"
        date = "2026-03-11"
        description = "SIEHS procurement lure document for CVE-2026-21509 campaign"
        hash = "8e53683133e7e1ddd1d8728b6ba8b9b80ec40f6772422c8adc8002bafe553f7b"
        tlp = "TLP:CLEAR"
    strings:
        $s1 = "Ambulance Surveillance" ascii wide nocase
        $s2 = "SIEHS" ascii wide
        $s3 = "Sindh Integrated Emergency" ascii wide nocase
        $s4 = "MALDEV01" ascii wide
        $s5 = "WarMachine" ascii wide
        $ole = { D0 CF 11 E0 A1 B1 1A E1 }
    condition:
        $ole at 0 and 2 of ($s*)
}

rule CVE_2026_21509_PSCA_C2 {
    meta:
        author = "Breakglass Intelligence"
        date = "2026-03-11"
        description = "PSCA government server C2 indicators in OLE documents"
        hash = "8e53683133e7e1ddd1d8728b6ba8b9b80ec40f6772422c8adc8002bafe553f7b"
        tlp = "TLP:CLEAR"
    strings:
        $c2_domain = "psca.gop.pk" ascii wide nocase
        $c2_path = "PDF-READER" ascii wide nocase
        $c2_url = "sbis" ascii wide nocase
        $clickonce = ".application" ascii wide nocase
    condition:
        $c2_domain and ($c2_path or ($c2_url and $clickonce))
}

rule CVE_2026_21509_MALDEV_Author {
    meta:
        author = "Breakglass Intelligence"
        date = "2026-03-11"
        description = "MALDEV/WarMachine author fingerprint in Office documents"
        tlp = "TLP:CLEAR"
    strings:
        $a1 = "MALDEV" ascii wide nocase
        $a2 = "WarMachine" ascii wide nocase
        $ole = { D0 CF 11 E0 A1 B1 1A E1 }
    condition:
        $ole at 0 and any of ($a*)
}
```
Suricata Rules
```suricata
# Detect ClickOnce deployment downloads from .gop.pk domains
alert http $HOME_NET any -> $EXTERNAL_NET any (
    msg:"BGI - ClickOnce Deployment from Pakistani Gov Domain (CVE-2026-21509)";
    flow:established,to_server;
    content:".application"; http_uri;
    content:"gop.pk"; http_host;
    reference:url,intel.breakglass.tech;
    classtype:trojan-activity;
    sid:9001101; rev:1;
)

# Detect PSCA C2 domain
alert dns $HOME_NET any -> any any (
    msg:"BGI - CVE-2026-21509 C2 Domain (sbis.psca.gop.pk)";
    dns.query; content:"sbis.psca.gop.pk"; nocase;
    reference:url,intel.breakglass.tech;
    classtype:trojan-activity;
    sid:9001102; rev:1;
)

# Detect PDF-READER path on any .pk domain
alert http $HOME_NET any -> $EXTERNAL_NET any (
    msg:"BGI - Suspicious PDF-READER ClickOnce Path";
    flow:established,to_server;
    content:"/css/PDF-READER/"; http_uri;
    content:".application"; http_uri;
    reference:url,intel.breakglass.tech;
    classtype:trojan-activity;
    sid:9001103; rev:1;
)
```
Endpoint Detection Guidance
- Hunt for ClickOnce deployment artifacts in %LOCALAPPDATA%\Apps\2.0\ -- any ClickOnce application with a deployment URL pointing to a .gop.pk domain is an immediate escalation trigger.
- Search email gateway logs for attachments named "SIEHS Document.doc" or containing "Ambulance Surveillance" in the body or subject.
- Monitor for AddClipboardFormatListener and SetWindowsHookEx API calls from WINWORD.EXE -- behavioral indicators flagged in the Triage sandbox output that may indicate OLE exploitation.
- Flag any Word 97-2003 format .doc file containing an ObjectPool stream with a CONTENTS entry holding LNK magic bytes (4C 00 00 00). This is the structural signature of CVE-2026-21509 across the entire 21-sample cluster.
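The first hunt above, ClickOnce artifacts under %LOCALAPPDATA%\Apps\2.0\ whose deployment URL points at a .gop.pk host, can be scripted against a collected copy of that cache. The Python below is an added example, not BGI's tooling or part of the report. It walks a directory tree for `.application` and `.manifest` files, reads the `deploymentProvider codebase` attribute that a ClickOnce deployment manifest records its origin in, and escalates on the host suffixes and the `/css/...application` path pattern the report describes. The manifest XML in `build_fixture_cache()` is a constructed, minimal stand-in in the public ClickOnce manifest layout, not a captured artifact; the suspicious-host suffix list is the report's guidance and is a parameter you should extend to your own environment.

```python
"""Hunt a ClickOnce deployment cache for manifests that point at unexpected hosts.

Added example, not the report's tooling. ClickOnce keeps the manifests it
downloaded under the cache directory the report names (%LOCALAPPDATA%\\Apps\\2.0\\).
A deployment manifest records where it came from in <deploymentProvider codebase="...">.
"""
import os
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SUSPICIOUS_HOST_SUFFIXES = (".gop.pk", ".gov.pk")   # per the report's audit guidance
MANIFEST_EXTENSIONS = (".application", ".manifest")


def _local(tag):
    """Strip the XML namespace from an element tag ('{urn:...}deployment' -> 'deployment')."""
    return tag.rsplit("}", 1)[-1]


def inspect_manifest(path):
    """Return (identity_name, [codebase URLs]) for one manifest, or None if it is not XML."""
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return None
    name, codebases = None, []
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "assemblyIdentity" and name is None:
            name = el.get("name")
        elif tag in ("deploymentProvider", "dependentAssembly") and el.get("codebase"):
            codebases.append(el.get("codebase"))
    return name, codebases


def assess_codebase(url, suffixes=SUSPICIOUS_HOST_SUFFIXES):
    """Reasons a deployment URL deserves escalation; an empty list means nothing odd."""
    parsed = urlparse(url)
    host, path = (parsed.hostname or "").lower(), parsed.path.lower()
    reasons = []
    if host.endswith(suffixes):
        reasons.append("host under " + next(s for s in suffixes if host.endswith(s)))
    if "/css/" in path and path.endswith(".application"):
        reasons.append("deployment manifest served from a /css/ asset path")
    return reasons


def hunt_clickonce_cache(root_dir, suffixes=SUSPICIOUS_HOST_SUFFIXES):
    """Walk a cache tree and return one finding per suspicious absolute codebase URL."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for fn in files:
            if not fn.lower().endswith(MANIFEST_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fn)
            parsed = inspect_manifest(path)
            if parsed is None:
                continue
            name, codebases = parsed
            for url in codebases:
                if not url.lower().startswith(("http://", "https://")):
                    continue   # relative codebases point inside the cache, not at a server
                reasons = assess_codebase(url, suffixes)
                if reasons:
                    findings.append({"file": path, "name": name, "codebase": url,
                                     "host": urlparse(url).hostname, "reasons": reasons})
    return findings


# Constructed, minimal deployment manifest in the public ClickOnce (asm.v1/asm.v2) layout.
DEPLOYMENT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<asmv1:assembly manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
  xmlns="urn:schemas-microsoft-com:asm.v2">
  <assemblyIdentity name="{name}" version="1.0.0.0" publicKeyToken="0000000000000000"
    language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />
  <deployment install="true">
    <deploymentProvider codebase="{codebase}" />
  </deployment>
</asmv1:assembly>
"""


def build_fixture_cache():
    """Constructed cache tree: one manifest pointing at the report's C2 URL, one ordinary."""
    root = tempfile.mkdtemp(prefix="clickonce_cache_")
    samples = {
        "pdf-...viewer_0000": ("PDF Viewer.application",
                               "https://sbis.psca.gop.pk/css/PDF-READER/PDF%20Viewer.application"),
        "tool...0001": ("Tool.application",
                        "https://updates.example.invalid/app/Tool.application"),
    }
    for subdir, (name, codebase) in samples.items():
        os.makedirs(os.path.join(root, subdir))
        with open(os.path.join(root, subdir, name), "w", encoding="utf-8") as fh:
            fh.write(DEPLOYMENT_MANIFEST.format(name=name, codebase=codebase))
    return root


if __name__ == "__main__":
    for finding in hunt_clickonce_cache(build_fixture_cache()):
        print(finding["name"], "<-", finding["codebase"], "|", "; ".join(finding["reasons"]))
```

Point `hunt_clickonce_cache()` at a collected copy of a user's Apps\2.0 tree (or at the live path on a Windows host) and feed the findings into your case system; the `.gov.pk` suffix is included because the report's audit guidance names it alongside `.gop.pk`.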
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Implementation |
|---|---|---|---|
| Initial Access | Spearphishing Attachment | T1566.001 | Weaponized .doc delivered via email |
| Execution | Exploitation for Client Execution | T1203 | CVE-2026-21509 OLE object parsing exploit |
| Execution | User Execution: Malicious File | T1204.002 | Document open triggers OLE resolution |
| Defense Evasion | Signed Binary Proxy Execution | T1218 | ClickOnce: trusted .NET deployment mechanism |
| Defense Evasion | Obfuscated Files or Information | T1027 | OLE-embedded LNK with IE IDLIST indirection |
| Defense Evasion | Subvert Trust Controls | T1553 | Payload served over valid government TLS cert |
| Resource Development | Compromise Infrastructure: Server | T1584.004 | Compromised PSCA government web server |
| Resource Development | Stage Capabilities: Upload Malware | T1608.001 | ClickOnce payload staged at /css/PDF-READER/ |
Timeline
| Date | Event | Source |
|---|---|---|
| 2026-02-12 06:17 UTC | Document created by MALDEV01 | OLE metadata |
| 2026-02-18 12:16 UTC | Document last saved by WarMachine | OLE metadata |
| 2026-02-27 | PSCA wildcard TLS certificate renewed | crt.sh CT logs |
| 2026-03-02 | Sample first seen by ReversingLabs | RL first_seen timestamp |
| 2026-03-11 | Sample submitted to MalwareBazaar | MalwareBazaar first_seen |
| 2026-03-11 | Analysis completed by Breakglass Intelligence | This report |
Indicators of Compromise
File Indicators
| Type | Value |
|---|---|
| SHA-256 | 8e53683133e7e1ddd1d8728b6ba8b9b80ec40f6772422c8adc8002bafe553f7b |
| SHA-1 | 3f4852ef07988b870b68e16c802b6e2b256e0b72 |
| MD5 | 90c59e9620a8da4e56a7f61fd188d908 |
| Filename | SIEHS Document.doc |
| File Type | OLE2 Compound Document (Word 97-2003) |
| Author | MALDEV01 |
| Last Saved By | WarMachine |
| Application | WPS Office 12.2.0.23196 |
Network Indicators
| Type | Value | Context |
|---|---|---|
| URL | hxxps://sbis[.]psca[.]gop[.]pk/css/PDF-READER/PDF%20Viewer.application | ClickOnce C2 |
| Domain | sbis[.]psca[.]gop[.]pk | Compromised PSCA subdomain |
| IP | 103[.]119[.]125[.]125 | PSCA server (AS138019, Lahore, Pakistan) |
| ASN | AS138019 | Punjab Safe City Authority allocation |
Metadata Indicators
| Field | Value | Tracking Utility |
|---|---|---|
| Author | MALDEV01 | Search MalwareBazaar/VT for matching author metadata across OLE documents |
| Last Saved By | WarMachine | Operator alias -- correlate with future samples |
| Locale ID | 16393 (en-IN) | English-India locale narrows origin to South Asian build environment |
| Application | WPS Office 12.2.0.23196 | Specific build version -- correlate with other WPS-authored lure documents |
| YARA Match | OLE_LNK_InternetExplorer_IDLIST_Suspicious (by node5) | Community rule that flags the structural exploit pattern |
Recommended Actions
Immediate (24-48 hours)
- Block sbis[.]psca[.]gop[.]pk at DNS and proxy level. Yes, it is a government domain. Block it anyway. The subdomain is compromised.
- Block 103[.]119[.]125[.]125 at perimeter firewalls for all non-essential traffic.
- Deploy the YARA rules above to email gateways and EDR platforms. The structural rule (CVE_2026_21509_OLE_LNK_ClickOnce) will detect variants across the entire 21-sample cluster, not just this specific sample.
- Hunt for the SHA-256 hash across all endpoints using your EDR's retroactive scanning capability.
- Search email logs for "SIEHS Document.doc" attachments or emails referencing "Ambulance Surveillance" and "Sindh Integrated Emergency."
Short-Term (1-2 weeks)
- Notify the Punjab Safe City Authority of the compromise. The PSCA CISO contact is reachable through Pakistan's national CERT (PKCERT). Include the full URL path and evidence that the server is hosting a ClickOnce deployment.
- Audit %LOCALAPPDATA%\Apps\2.0\ across your Windows fleet for ClickOnce deployments from unexpected domains -- particularly any .gop.pk or .gov.pk origin.
- Monitor MalwareBazaar for additional CVE-2026-21509 samples. The cluster is growing; new variants appear weekly.
- Apply Microsoft Office patches that address CVE-2026-21509 when available.
Medium-Term (1-3 months)
- Disable OLE object embedding and resolution in Word documents via Group Policy: HKCU\Software\Microsoft\Office\<version>\Word\Options\DontUpdateLinks = 1.
- Block ClickOnce deployments from untrusted sources via AppLocker or WDAC policies.
- Implement attachment sandboxing for .doc and .rtf files that specifically tests OLE object resolution paths, not just macro execution. Contact your sandbox vendor about CVE-2026-21509 coverage.
- Track the MALDEV01/WarMachine operator across future samples. These metadata artifacts are burned -- the actor will either sanitize future builds (reducing their exposure to metadata-matching rules) or continue using them (enabling persistent tracking).
Conclusion
CVE-2026-21509 represents a fundamental shift in document-based exploitation. The security industry has spent a decade building defenses against macro-based attacks -- and those defenses are working. Microsoft's progressive macro-blocking policies, email gateway VBA analysis, and endpoint macro execution controls have made traditional macro malware increasingly difficult to deploy. CVE-2026-21509 sidesteps all of it. No macros. No "Enable Content" prompt. No execution policy to enforce. Just an OLE ObjectPool, a 496-byte Shell Link, and a ClickOnce URL.
The attacker behind this sample compounded the exploit's inherent evasion with operationally sophisticated infrastructure choices. By compromising a legitimate Pakistani government server and staging the payload under a plausible directory path with a valid wildcard TLS certificate, they created a C2 that is effectively invisible to reputation-based detection. The 2/63 VirusTotal detection rate is not a temporary signature gap -- it is a structural detection failure that reflects the security industry's blind spot around non-macro OLE exploitation.
The APT28 connection through the broader CVE-2026-21509 cluster raises the stakes further. Whether this sample represents a shared exploit builder circulating among state-level actors or an independent South Asian threat group, the conclusion is the same: CVE-2026-21509 is being weaponized by multiple sophisticated actors simultaneously, and the defensive community is not keeping up. Seven samples attributed to Fancy Bear. At least one with South Asian targeting. Twenty-one samples total and growing. Two out of sixty-three antivirus engines.
Block the IOCs. Deploy the YARA rules. Patch when available. And start auditing your OLE object handling policies, because macros are no longer the only document-based threat that matters.
Case ID: cve2026_21509_8e536831-siehs. Analysis by BGI GHOST automated pipeline. IOCs provided for defensive use under TLP:CLEAR.
Breakglass Intelligence -- Automated threat intelligence. Zero analyst fatigue.