{
	"id": "94ff7776-471b-4512-b872-db9dfaceaf44",
	"created_at": "2026-04-06T00:07:12.018584Z",
	"updated_at": "2026-04-10T03:20:05.768409Z",
	"deleted_at": null,
	"sha1_hash": "d53696dd1b79b6a24c7764822e74abd31dccb226",
	"title": "Notable Droppers Emerge in Recent Threat Campaigns | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1610750,
	"plain_text": "Notable Droppers Emerge in Recent Threat Campaigns | FortiGuard Labs\r\nBy Erin Lin\r\nPublished: 2022-07-07 · Archived: 2026-04-05 22:51:23 UTC\r\nDroppers are malicious files that deploy malware payloads to a victim's device, and they are used in many threat campaigns. During the second quarter of 2022, FortiGuard Labs observed several active droppers, including Microsoft Excel files, Windows shortcut files, and ISO image files. We captured these samples from phishing emails that combined the dropper with social engineering to trick victims into loading the malware onto their devices. The malware families most commonly delivered by these samples were Emotet, Qbot, and IcedID. In addition, Bumblebee, a previously rarely observed malware loader, was found in some of the ISO files.\r\nThis blog reveals how droppers are delivered to a victim's device and how they drop malware payloads onto the victim's local disk.\r\nAffected Platforms: Microsoft Windows\r\nImpacted Users: Windows users\r\nImpact: Controls the victim's device and collects sensitive information, plus delivers other malware\r\nSeverity Level: Critical\r\nMalicious Files Delivered Via Phishing Email\r\nThe droppers are spread through phishing emails in three ways. An email may:\r\nContain the dropper or a password-protected ZIP as an attachment\r\nContain an HTML file attachment that extracts a dropper when opened\r\nHave a link to download the dropper in the body of the email\r\nEach way delivers the malicious file to victims and tricks them into opening it. See the examples below.\r\nhttps://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns\r\nPage 1 of 9\r\nFigure 1: Email with a password-protected ZIP archive attachment\r\nFigure 2: Email with an HTML file attachment\r\nFigure 3: Email with a malicious download link\r\nWe observed that both the attached HTML file and the web page behind the download link use a technique called HTML smuggling, which leverages legitimate HTML5 and JavaScript features to encode the malicious data. As shown in Figure 4, the HTML smuggling file converts the blob data into a dropper when opened in the web browser.\r\nFigure 4: HTML smuggling file\r\nWe first observed this in May, when the download link in the email pointed to a web page containing HTML smuggling. By June, the HTML smuggling file was sent directly to victims as an HTML attachment.\r\nAnalyzing the Droppers and Their Behaviors\r\nThis quarter, we captured three different samples active in the threat campaign. The first sample is an Excel file with Excel 4.0 macros. The second is an LNK file (Windows shortcut file). The third sample is an ISO file (optical disk image).\r\nExcel file with Excel 4.0 macros\r\nThis Excel sample is not new. It has been heavily used in Emotet campaigns since last year, as mentioned in the previous blog. Some sheets of this sample are hidden, as shown in Figure 5, including an Excel 4.0 macro sheet \"IJEIGOPSAGHSPHP\" that contains the malicious formulas. 
Cell A1 in this macro sheet is given the defined name \"Auto_Open9939689536899569357795948589489469636486898953895396378943986\"; the Auto_Open prefix is a built-in name that makes Excel run the formula in that cell automatically as soon as the file is opened.\r\nThis macro sheet includes formulas that call the API \"URLDownloadToFileA\" to download the malware payloads from several different URLs. The malware payloads are actually DLL files and are executed using \"regsvr32.exe\".\r\nFigure 5: The malicious formulas in the hidden macro sheet\r\nLNK file\r\nA Windows shortcut file (commonly referred to as an LNK file) is created to point to a specific target. Double-clicking the shortcut file executes the target.\r\nAs shown in Figure 6, this sample includes a PowerShell code snippet in its target field. The PowerShell code decodes a base64 string into a script that contains multiple URLs for downloading the malware payload. It then attempts to download the malware payload from each URL in turn and execute it with \"Regsvr32.exe\" until one succeeds.\r\nFigure 6: The target of the shortcut file\r\nWe also captured other samples containing different malicious code in their target field. As shown in Figure 7, one contains a command line that downloads a malware payload from a URL and executes it with \"Regsvr32.exe\".\r\nFigure 7: The malicious code in the target field of a captured sample\r\nFigure 8 shows another piece of malicious PowerShell code in the target field. The encoded data is decoded to a .hta URL, which is executed using \"mshta.exe\". The VBScript code in the web page at that .hta URL then extracts PowerShell code that includes encrypted data. 
Finally, the encrypted data is transformed into script code that obtains the payload URL and downloads the malware.\r\nFigure 8: The malicious code in the target field of a captured sample\r\nDespite their differences, all three examples above download and execute a malware payload.\r\nISO file\r\nAn ISO file (often called an ISO image) is an archive file that stores the contents of a physical disk. In Windows 10, opening an ISO file by double-clicking it mounts the file on a virtual optical disc drive. Once mounted, the contents of the ISO file can be accessed in File Explorer.\r\nThreat actors store a malware DLL file and a malicious LNK file in the ISO file. As shown in Figure 9, the DLL file has the hidden attribute set, so it is not visible in File Explorer by default. The shortcut file, on the other hand, is used to execute the DLL file using \"Rundll32.exe\".\r\nFigure 9: The malware DLL file and malicious LNK file are stored in the ISO file\r\nConclusion\r\nIn recent threat campaigns, all droppers described in the previous section are very active and are used by more than one malware family. The table below lists the malware payloads delivered by each captured dropper.\r\nMalware Dropper | Payload\r\nExcel file | Emotet and Qbot\r\nLNK file | Emotet, Qbot, and IcedID\r\nISO file | Qbot, IcedID, and Bumblebee\r\nFigure 10 shows the notable malware activities during the past three-month period. In early April, Microsoft Excel files were the only file type used to spread malware. We then captured a shortcut file carrying the Emotet malware payload, which first appeared on April 23. This new attack technique was soon followed by Qbot and IcedID, which also began spreading via shortcut files in early May. 
ISO files used as droppers began appearing in the middle of May, and the malware families involved included Qbot, IcedID, and Bumblebee. HTML smuggling attacks emerged in late May and June, delivered both through web pages and as HTML file attachments. This technique builds the malicious file locally on the victim's machine instead of delivering it directly through the network, in order to bypass the firewall.\r\nFigure 10: Timeline of dropper usage in recent threat campaigns\r\nMicrosoft Office files have been a favorite vehicle for threat actors because of their macros. However, things seem to be changing as Microsoft has added more security controls to Office files with macros. In July of 2021, Microsoft disabled Excel 4.0 macros by default when opening an Excel file. In early April 2022, Microsoft added another setting that blocks VBA macros in files from the internet by default. With more restrictions on the use of macros in Microsoft Office files, threat actors are turning to other file types to increase their compromise rates. At this point, shortcut files provide a solid option because they execute on a double click. ISO files can be automatically mounted and opened on modern versions of Windows with just a double click. In addition, ISO files bypass the Mark-of-the-Web trust control, which makes it easier for them to evade antivirus detection than other archive files. The HTML smuggling technique creates the malicious file locally to bypass the restrictions on receiving files from the internet and from email. 
This explains the proliferation of shortcut files and ISO files, as well as HTML smuggling, for malware deployment at this time.\r\nFortinet Protections\r\nFortinet customers are protected from this malware by FortiGuard’s Web Filtering, Antivirus, FortiMail, FortiClient, FortiEDR, and Content Disarm \u0026 Reconstruction (CDR) services as follows.\r\nThe phishing email with its attached malicious file can be disarmed by the FortiGuard CDR service.\r\nFortiEDR detects the Excel, shortcut, ISO, and malware payload DLL files as malicious based on their behavior.\r\nFortinet customers are protected from these malicious files and malware by FortiGuard Antivirus, which is included in FortiMail. It detects all malicious macro file types, including Excel 4.0 macro samples.\r\nAll malicious samples described in this report are detected by FortiGuard Antivirus as follows:\r\nXF/CoinMiner.Z!tr\r\nLNK/Agent.APX!tr\r\nLNK/Agent.PE!tr\r\nLNK/Agent.VPIX!tr.dldr\r\nLNK/PSRunner.VPHQ!tr\r\nJS/Agent.BLOB!tr.dldr\r\nThe malware payloads are detected by FortiGuard Antivirus as follows:\r\nW64/GenKryptik.FWMO!tr\r\nW32/Emotet.C!tr\r\nW32/Qbot.D!tr\r\nW64/GenKryptik.FWBH!tr\r\nW64/GenKryptik.FVFR!tr\r\nW64/Bumblebee.E!tr\r\nW64/IcedID.HG!tr\r\nIn addition, Fortinet has multiple solutions designed to train users on how to understand and detect phishing threats:\r\nThe FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.\r\nWe also suggest that organizations have their end users go through our FREE NSE training: NSE 1 – Information Security Awareness. 
It includes a module on internet threats to train end users on how to identify and protect themselves from phishing attacks.\r\nIOCs\r\nMalicious sample (SHA256):\r\nMalware payload (SHA256):\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/notable-droppers-emerge-in-recent-threat-campaigns"
	],
	"report_names": [
		"notable-droppers-emerge-in-recent-threat-campaigns"
	],
	"threat_actors": [],
	"ts_created_at": 1775434032,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d53696dd1b79b6a24c7764822e74abd31dccb226.pdf",
		"text": "https://archive.orkl.eu/d53696dd1b79b6a24c7764822e74abd31dccb226.txt",
		"img": "https://archive.orkl.eu/d53696dd1b79b6a24c7764822e74abd31dccb226.jpg"
	}
}