{
	"id": "7a78346e-37d9-44cd-aabe-4df0e35ca53c",
	"created_at": "2026-04-06T00:13:38.095699Z",
	"updated_at": "2026-04-10T13:11:36.21618Z",
	"deleted_at": null,
	"sha1_hash": "2f60782945d9afdb7a4071960255b418ea13e2f9",
	"title": "Outbreak of Follina in Australia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3328543,
	"plain_text": "Outbreak of Follina in Australia\r\nBy Threat Research Team\r\nArchived: 2026-04-05 14:38:16 UTC\r\nOur threat hunters have been busy searching for abuse of the recently released zero-day remote code execution bug in Microsoft Office (CVE-2022-30190). As part of their investigations, they found evidence of a threat actor hosting malicious payloads on what appears to be an Australian VOIP telecommunications provider with a presence in the South Pacific nation of Palau.\r\nFurther analysis indicated that targets in Palau were sent malicious documents that, when opened, exploited this vulnerability, causing victim computers to contact the provider’s website, download and execute the malware, and subsequently become infected.\r\nKey Observations\r\nThis threat was a complex multi-stage operation utilizing LOLBAS (Living off the Land Binaries And Scripts), which allowed the attacker to initialize the attack using the CVE-2022-30190 vulnerability within the Microsoft Support Diagnostic Tool. This vulnerability enables threat actors to run malicious code without the user downloading an executable to their machine, which might otherwise be detected by endpoint detection.\r\nMultiple stages of this malware were signed with a legitimate company certificate to add legitimacy and minimize the chance of detection.\r\nFirst stage\r\nThe compromised website, as pictured in the screenshot below, was used to host an executable disguised as “robots.txt”. We believe the name was used to conceal the file from detection if found in network logs. Using the Diagnostics Troubleshooting Wizard (msdt.exe), this file “robots.txt” was downloaded, saved as Sihost.exe and then executed.\r\nhttps://decoded.avast.io/threatintel/outbreak-of-follina-in-australia/\r\nPage 1 of 5\r\nSecond Stage, Sihost.exe\r\nWhen the renamed “robots.txt” – “Sihost.exe” – was executed by msdt.exe, it downloaded the second stage of the attack, a loader with the hash b63fbf80351b3480c62a6a5158334ec8e91fecd057f6c19e4b4dd3febaa9d447. This executable was then used to download and decrypt the third stage of the attack, an encrypted file stored as ‘favicon.svg’ on the same web server.\r\nThird stage, favicon.svg\r\nAfter this file has been decrypted, it is used to download the fourth stage of the attack from palau.voipstelecom.com[.]au. These files are named Sevntx64.exe and Sevntx.lnk, which are then executed on the victims’ machines.\r\nFourth Stage, Sevntx64.exe and Sevntx64.lnk\r\nWhen the file is executed, it loads a 66 KB shellcode from the AsyncRat malware family; Sevntx64.exe is signed with the same compromised certificate as seen previously in “robots.txt”.\r\nThe screenshot below shows the executable loading the shellcode.\r\nFinal Stage, AsyncRat\r\nWhen the executable is loaded, the machine has been fully compromised with AsyncRat; the trojan is configured to communicate with the server palau[.]voipstelecom[.]com[.]au on port 443.\r\nAsyncRat SHA256:\r\naba9b566dc23169414cb6927ab5368b590529202df41bfd5dded9f7e62b91479\r\nScreenshot below with AsyncRat configuration:\r\nConclusion\r\nWe highly recommend Avast Software to protect against the latest threats, and Microsoft patches to protect your Windows systems from the CVE-2022-30190 vulnerability.\r\nIOCs:\r\nBonus\r\nWe managed to find an earlier version of this malware.\r\nForensic information from the lnk file:\r\nA group of elite researchers who like to stay under the radar.\r\nSource: https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia/"
	],
	"report_names": [
		"outbreak-of-follina-in-australia"
	],
	"threat_actors": [],
	"ts_created_at": 1775434418,
	"ts_updated_at": 1775826696,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f60782945d9afdb7a4071960255b418ea13e2f9.pdf",
		"text": "https://archive.orkl.eu/2f60782945d9afdb7a4071960255b418ea13e2f9.txt",
		"img": "https://archive.orkl.eu/2f60782945d9afdb7a4071960255b418ea13e2f9.jpg"
	}
}