{
	"id": "3708e18d-b7fd-433c-a091-3b56001b8df3",
	"created_at": "2026-04-06T00:10:05.392129Z",
	"updated_at": "2026-04-10T03:21:38.959766Z",
	"deleted_at": null,
	"sha1_hash": "afaa8ca1d7cd334924ae598c08e639766efbb51f",
	"title": "From Follina to Rozena - Leveraging Discord to Distribute a Backdoor | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4314145,
	"plain_text": "From Follina to Rozena - Leveraging Discord to Distribute a Backdoor | FortiGuard Labs\r\nBy Cara Lin\r\nPublished: 2022-07-06 · Archived: 2026-04-05 22:25:18 UTC\r\nIn May 2022, Microsoft published an advisory about CVE-2022-30190, a remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT). Attackers can inject a malicious external link into an OLE Object in a Microsoft Office document, then lure victims to click or simply preview the document in order to trigger this exploit. It will then execute a payload on the victim’s machine. Since this vulnerability has a public exploit and high severity, FortiGuard Labs published an Outbreak Alert on 31st May and a blog article to address it on June 1, 2022.\r\nDuring our tracking last month, we found a document that exploited CVE-2022-30190, aka Follina, then downloaded Rozena to deploy a fileless attack, leveraging the public Discord CDN attachment service. Rozena is a backdoor malware that is capable of injecting a remote shell connection back to the attacker’s machine. In this blog we will explain how an attacker delivers this payload through this vulnerability, along with details of Rozena and its shellcode.\r\nAffected platforms: Microsoft Windows\r\nImpacted parties: Microsoft Windows Users\r\nImpact: Full Control of Affected Machine\r\nSeverity: Critical\r\nExploitation\r\nThe original malicious document (SHA256: 432bae48edf446539cae5e20623c39507ad65e21cb757fb514aba635d3ae67d6) contains an external web link as in Figure 1. The relationship directory (word/_rels/document.xml.rels) is an XML file that maps relationships within the .docx file, and also with resources outside of the package, such as links or images.\r\nFigure 1. Document.xml.rels contains a malicious external link in oleObject\r\nOnce the document is clicked (as shown in Figure 2), it starts connecting to the external Discord CDN attachment space ‘hxxps://cdn[.]discordapp.com/attachments/986484515985825795/986821210044264468/index[.]htm’ to download an HTML file.\r\nhttps://www.fortinet.com/blog/threat-research/follina-rozena-leveraging-discord-to-distribute-a-backdoor\r\nPage 1 of 11\r\nFigure 2. Connecting to an external link after clicking the document\r\nAfter it downloads the HTML file (SHA256: 3558840ffbc81839a5923ed2b675c1970cdd7c9e0036a91a0a728af14f80eff3), the document then invokes msdt.exe with a PowerShell command. The complete payload is shown in Figure 3.\r\nFigure 3. index.html invokes MSDT\r\nIt has a little obfuscation: separate strings are concatenated at run time to hide the actual command and evade simple string detection. We decoded a Base64 string, and the complete command is shown in Figure 4.\r\nThe PowerShell code downloads a batch file, cd.bat (SHA256: 5d8537bd7e711f430dc0c28a7777c9176269c8d3ff345b9560c8b9d4daaca002), and starts it with no window to hide itself. It then makes another web request to download Rozena and saves it as “Word.exe” (SHA256: 69377adfdfa50928fade860e37b84c10623ef1b11164ccc6c4b013a468601d88) in the Windows Tasks folder. These two files are also downloaded from the Discord CDN attachment space, with the same channel ID as the external link in the original document.\r\nFigure 4. Base64 decoded command\r\nAs shown in Figure 5, the cd.bat file has four tasks:\r\nDownload another document, 1c9c88f811662007.docx (SHA256: e3af143ba12209fafdc3089a740d23faf59f6f1508c00d8f56f8cc9d0c8ebf89), for distraction\r\nKill the processes “msdt.exe” and “WINWORD.exe” to wipe out the trace of exploiting CVE-2022-30190\r\nCreate persistence for Rozena “Word.exe” by adding registry run keys\r\nDelete the bat file\r\nFigure 5. cd.bat file contents\r\nDistraction\r\nBefore diving into Rozena, this attacker decided to distract the victim. The original file has no content besides an external link in oleObject. To keep the victim from noticing anything odd, the batch file downloads another Word document, 1c9c88f811662007.docx, with a lot of pictures in it (see Figure 6). To make it seem more real, this document is saved in the directory C:\\\\users\\$env:USERNAME\\Downloads with a shorter name, 18562.docx.\r\nFigure 6. Word document for distraction\r\nRozena\r\nThe attacker leverages the default Windows behavior of hiding file extensions. Therefore, the attacker tricks the victim as shown in Figure 7. The green one is the harmless document for distraction, and the red one is Rozena. It uses the Microsoft Word icon while it is actually an executable file. The PE header is shown in Figure 8.\r\nFigure 7. Rozena “Word.exe” uses the Microsoft Word file icon\r\nFigure 8. The file header of Rozena\r\nAfter execution, it creates a process for a PowerShell command. We can find the chain in Process Explorer (shown in Figure 9). The full PowerShell command, which is Base64-encoded, is shown in Figure 10.\r\nFigure 9. Execution of Rozena\r\nFigure 10. Full PowerShell command extracted from Rozena\r\nAs shown in Figure 11, the decoded command has only one job: inject shellcode. First, it defines a variable “$gcr” for the whole injection procedure. It uses DllImport on kernel32.dll and msvcrt.dll to import the specific APIs needed for code injection: VirtualAlloc, CreateThread, and memset. It also has some hexadecimal bytes that define the block of code to be injected later. It then copies these bytes into the allocated memory and injects them into the running PowerShell.exe. Finally, it sets up a sleep loop. In the bottom part highlighted in red, it encodes the injection code from “$gcr” with Base64, then invokes a new PowerShell process with the parameter -ec.\r\nFigure 11. Decoded PowerShell command\r\nShellcode\r\nWe extracted the shellcode from the command shown in Figure 12 (SHA256: 27F3BB9AB8FC66C1CA36FA5D62EE4758F1F8FF75666264C529B0F2ABBADE9133). To dive deep into this, we checked this binary with IDA. It can be divided into the following steps:\r\n1. Retrieve decode key\r\n2. Retrieve location relative to EIP (Figure 13)\r\n3. Decode (XOR)\r\nFigure 12. Extracted shellcode\r\nFigure 13. Retrieve location relative to EIP\r\nFrom the above instructions, we can identify this as Shikata Ga Nai (SGN) encoding. The SGN encoding scheme comes from the most popular exploit framework, Metasploit. It is a polymorphic XOR additive feedback encoder that allows malicious actors to evade detection. After decoding it, the main purpose of this shellcode is to start a reverse shell to the attacker’s host microsofto.duckdns[.]org on TCP port 55911, as shown in Figure 14.\r\nFigure 14. Reverse shell\r\nThe complete attack scenario, from delivering a malicious document and exploiting CVE-2022-30190 (Follina) to deploying Rozena from the Discord CDN attachment space, is shown in Figure 15.\r\nFigure 15. Attack scenario\r\nConclusion\r\nCVE-2022-30190 is a high-severity vulnerability that lets a malicious actor deliver malware through an MS Word document. Microsoft already released a patch for it on June 14, 2022. In this blog we showed how an attacker exploits Follina and included details of Rozena and the SGN shellcode. Users should apply the patch immediately and also apply FortiGuard protection to avoid the threat.\r\nFortinet Protections\r\nFortinet released the IPS signature MS.Office.MSHTML.Remote.Code.Execution for CVE-2022-30190 to proactively protect our customers. The signature is officially released in IPS definition version 20.326.\r\nThe downloader and all related malware from that site are detected and blocked by FortiGuard Antivirus:\r\nMSOffice/CVE_2017_0199.A!tr\r\nBAT/Agent.1A81!tr\r\nJS/Follina.6FB9!tr\r\nData/Shikata.A!tr\r\nW32/PossibleThreat\r\nBoth the downloaded URL and the attacker’s host have been rated as \"Malicious Websites\" by the FortiGuard Web Filtering service.\r\nThe oleObject data in Microsoft Office files can be disarmed by the FortiGuard Content Disarm \u0026 Reconstruction (CDR) service.\r\nAll Fortinet Protections and Outbreak Detection, Threat Hunting actions for Fortinet SOC solutions can be found in the Follina Outbreak Alert.\r\nIOCs\r\nSHA256:\r\n432bae48edf446539cae5e20623c39507ad65e21cb757fb514aba635d3ae67d6\r\n5d8537bd7e711f430dc0c28a7777c9176269c8d3ff345b9560c8b9d4daaca002\r\n3558840ffbc81839a5923ed2b675c1970cdd7c9e0036a91a0a728af14f80eff3\r\n27f3bb9ab8fc66c1ca36fa5d62ee4758f1f8ff75666264c529b0f2abbade9133\r\n69377adfdfa50928fade860e37b84c10623ef1b11164ccc6c4b013a468601d88\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/follina-rozena-leveraging-discord-to-distribute-a-backdoor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/follina-rozena-leveraging-discord-to-distribute-a-backdoor"
	],
	"report_names": [
		"follina-rozena-leveraging-discord-to-distribute-a-backdoor"
	],
	"threat_actors": [],
	"ts_created_at": 1775434205,
	"ts_updated_at": 1775791298,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/afaa8ca1d7cd334924ae598c08e639766efbb51f.pdf",
		"text": "https://archive.orkl.eu/afaa8ca1d7cd334924ae598c08e639766efbb51f.txt",
		"img": "https://archive.orkl.eu/afaa8ca1d7cd334924ae598c08e639766efbb51f.jpg"
	}
}