{
	"id": "c63a7132-cdc2-41fc-bcc1-b81f8718dee3",
	"created_at": "2026-04-06T00:13:46.593735Z",
	"updated_at": "2026-04-10T13:12:08.618744Z",
	"deleted_at": null,
	"sha1_hash": "a2a337855a8a1b00cf7e43a3f65022130dc0b49d",
	"title": "Attackers Exploit MSDT Follina Bug to Drop RAT, Infostealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42746,
	"plain_text": "Attackers Exploit MSDT Follina Bug to Drop RAT, Infostealer\r\nArchived: 2026-04-05 14:04:43 UTC\r\nSymantec, a division of Broadcom Software, has observed threat actors exploiting the remote code execution (RCE) vulnerability known as Follina to drop malware onto vulnerable systems just days after the flaw became public on May 27, 2022.\r\nWhat is Follina?\r\nFollina (CVE-2022-30190) is a vulnerability in the Microsoft Support Diagnostic Tool (MSDT) that allows remote code execution on vulnerable systems through the ms-msdt protocol handler scheme. The bug is present in all supported versions of Windows.\r\nThe vulnerability can be easily exploited by a specially crafted Word document that downloads and loads a malicious HTML file through Word’s remote template feature. The HTML file ultimately allows the attacker to load and execute PowerShell code within Windows. The vulnerability can also be exploited through the RTF file format.\r\nExploiting the flaw does not require the use of macros, eliminating the need for an attacker to trick victims into enabling macros for an attack to work.\r\nMicrosoft has since released advisories and workarounds to mitigate the vulnerability.\r\nAttackers quick to take advantage\r\nSince the details of the vulnerability started surfacing online, attackers were quick to start taking advantage of the flaw to install their payloads. Symantec has observed attackers using a similar HTML file to that used in the initial attack.\r\nFigure 1. HTML file similar to that used in initial attack\r\nWhen the HTML document is executed in the context of WinWord, msdt.exe gets spawned as a child process. That is because of the protocol handler entry in the registry.\r\nFigure 2. Protocol handler entry in the registry\r\nSdiagnhost.exe is then invoked, which is the Scripted Diagnostics Native Host, and under this process the final payload process is created - in our case PowerShell.\r\nFigure 3. PowerShell is created under the Scripted Diagnostics Native Host process\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/follina-msdt-exploit-malware\r\nPage 1 of 3\r\nMultiple attackers are using a variety of payloads at the end of successful exploitation. In one of the instances, Symantec observed the attackers deploying the remote access Trojan AsyncRAT, which had a valid digital signature.\r\nWhen AsyncRAT runs, it carries out the anti-analysis checks shown in Figure 4.\r\nFigure 4. AsyncRAT carries out anti-analysis checks\r\nLater, AsyncRAT collects information about the infected system, including hardware identification, user name, executed path, and operating system information, and sends it to a command-and-control (C\u0026C) server.\r\nFigure 5. AsyncRAT collects information from the infected system\r\nAsyncRAT then waits for commands from the C\u0026C server and executes those commands on the victim machine.\r\nSymantec has also observed attackers deploying an information stealer as a payload. The code shown in Figure 6 is a snippet from the malware, which steals information including cookies and saved login data from web browsers such as Firefox, Chrome, and Edge.\r\nFigure 6. Snippet of code from information-stealing malware dropped by attackers exploiting Follina bug\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nSymantec protects against these attacks with the following definitions:\r\nFile-based\r\nDownloader\r\nBackdoor.ASync\r\nInfoStealer\r\nNetwork-based\r\n33748 [Web Attack: MSDT Remote Code Execution CVE-2022-30190]\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.\r\ne7faa6c18d4906257652253755cf8f9a739c10938db369878907f8ed7dd8524d\r\nb63fbf80351b3480c62a6a5158334ec8e91fecd057f6c19e4b4dd3febaa9d447\r\n8e0be5e1035777f2ea373593c214d29ad146dd0453e9b8a1cad16d787c0be632\r\nKarthikeyan C Kasiviswanathan\r\nPrincipal Threat Analysis Engineer\r\nYuvaraj Megavarnadu\r\nSenior Threat Analysis Engineer\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/follina-msdt-exploit-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/follina-msdt-exploit-malware"
	],
	"report_names": [
		"follina-msdt-exploit-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434426,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a2a337855a8a1b00cf7e43a3f65022130dc0b49d.pdf",
		"text": "https://archive.orkl.eu/a2a337855a8a1b00cf7e43a3f65022130dc0b49d.txt",
		"img": "https://archive.orkl.eu/a2a337855a8a1b00cf7e43a3f65022130dc0b49d.jpg"
	}
}