{
	"id": "aadbcd91-a1cc-43f2-87a0-2a0a108a6c96",
	"created_at": "2026-04-06T00:11:56.958524Z",
	"updated_at": "2026-04-10T03:21:52.172633Z",
	"deleted_at": null,
	"sha1_hash": "e4cae6ec40110e0d439be7973cdb88cfb60c9aa3",
	"title": "Threat Actors Delivers New Rozena backdoor with Follina Bug – Detection \u0026 Response - Security Investigation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 525688,
	"plain_text": "Threat Actors Delivers New Rozena backdoor with Follina Bug – Detection \u0026 Response - Security Investigation\r\nBy BalaGanesh\r\nPublished: 2022-07-11 · Archived: 2026-04-05 17:50:24 UTC\r\nFortinet FortiGuard Labs researchers observed a phishing campaign that leverages the recently disclosed Follina vulnerability (CVE-2022-30190, CVSS score 7.8) to distribute the Rozena backdoor on Windows systems. Follina is a remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT).\r\nThe Rozena backdoor injects shellcode that opens a reverse shell back to the attacker’s machine. The attack chain starts with a weaponized Office document: once opened, it connects to an external Discord CDN URL (hxxps://cdn[.]discordapp.com/attachments/986484515985825795/986821210044264468/index[.]htm) and downloads an HTML file (index.htm).\r\nhttps://www.socinvestigation.com/threat-actors-delivers-new-rozena-backdoor-with-follina-bug-detection-response/\r\nPage 1 of 5\r\nThe HTML file then invokes msdt.exe with a PowerShell command, which makes a further web request to download the Rozena backdoor and save it as “Word.exe”.\r\n“The PowerShell code will download one batch file cd.bat and start it with no window to hide. Then it invokes another web request to download Rozena and saves it as “Word.exe” in the Windows Tasks folder,” reads the post published by Fortinet FortiGuard Labs.\r\n“The attacker decided to distract the victim. The original file has no content besides an external link in oleObject. To keep the victim from noticing anything odd, the batch file downloads another Word document, 1c9c88f811662007.docx, with a lot of pictures in it. To make it seem more real, this document is saved in directory C:\\users\\$env:USERNAME\\Downloads, with a shorter name, 18562.docx.”\r\nThe main function of Rozena is to inject shellcode that launches a reverse shell to the attacker’s machine (“microsofto.duckdns[.]org”), giving the attacker full control of the system. When the Rozena executable runs, it creates a process for a PowerShell command; the researchers note that the decoded command has only one job, injecting the shellcode.\r\nSource: https://www.fortinet.com\r\n
Indicators of Compromise:\r\nSHA256:\r\n432bae48edf446539cae5e20623c39507ad65e21cb757fb514aba635d3ae67d6\r\n5d8537bd7e711f430dc0c28a7777c9176269c8d3ff345b9560c8b9d4daaca002\r\n3558840ffbc81839a5923ed2b675c1970cdd7c9e0036a91a0a728af14f80eff3\r\n27f3bb9ab8fc66c1ca36fa5d62ee4758f1f8ff75666264c529b0f2abbade9133\r\n69377adfdfa50928fade860e37b84c10623ef1b11164ccc6c4b013a468601d88\r\n“CVE-2022-30190 is a high-severity vulnerability that lets a malicious actor deliver malware through an MS Word document. Microsoft already released a patch for it on June 14, 2022. In this blog we showed how an attacker exploits Follina and included details of Rozena and the SGN ShellCode. Users should apply the patch immediately and also apply FortiGuard protection to avoid the threat,” concludes the report.\r\n
Detection: the queries below all key on the same two signals. msdt.exe launched with the PCWDiagnostic troubleshooter package or with path-traversal-looking arguments (//, ./, /., ../) is the Follina invocation, and a process image named word.exe is the name under which Rozena is dropped.\r\nSplunk:\r\nsource=\"WinEventLog:*\" AND ((((CommandLine=\"*msdt.exe*\") AND (CommandLine=\"*PCWDiagnostic*\" OR CommandLine=\"*//\r\nQRadar:\r\nSELECT UTF8(payload) from events where LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and\r\nElastic Query:\r\n(((process.command_line:*msdt.exe* AND process.command_line:(*PCWDiagnostic* OR *\\/\\/* OR *.\\/* OR *\\/.* OR *.\r\nArcSight:\r\n(((((((deviceCustomString1 CONTAINS \"*msdt.exe*\" OR destinationServiceName CONTAINS \"*msdt.exe*\")) AND ((device\r\nCarbon Black:\r\n(((process_cmdline:*msdt.exe* AND process_cmdline:(*PCWDiagnostic* OR *\\/\\/* OR *.\\/* OR *\\/.* OR *..\\/*)) OR p\r\nCrowdStrike:\r\n(((((CommandLine=\"*msdt.exe*\") OR (CommandHistory=\"*msdt.exe*\")) AND ((CommandLine=\"*PCWDiagnostic*\" OR Command\r\nFireEye:\r\n(metaclass:`windows` (((args:`msdt.exe` args:[`PCWDiagnostic`,`//`,`./`,`/.`,`../`]) OR process:`*\\word.exe`) O\r\nGraylog:\r\n(((CommandLine.keyword:*msdt.exe* AND CommandLine.keyword:(*PCWDiagnostic* *\\/\\/* *.\\/* *\\/.* *..\\/*)) OR Image\r\nMicrosoft Defender:\r\nDeviceProcessEvents | where ((((ProcessCommandLine contains \"msdt.exe\") and (ProcessCommandLine contains \"PCWDi\r\nMicrosoft Sentinel:\r\nSecurityEvent | where EventID == 4688 | where ((((CommandLine contains 'msdt.exe') and (CommandLine contains\r\nRSA NetWitness:\r\n((((CommandLine contains 'msdt\\.exe') \u0026\u0026 (CommandLine contains 'PCWDiagnostic', '//', './', '/\\.', '.\\./')) ||\r\nGoogle Chronicle:\r\n((((target.process.command_line = /.*msdt\\.exe.*/ and (target.process.command_line = /.*PCWDiagnostic.*/ or tar\r\nAWS OpenSearch:\r\n(((process.command_line:*msdt.exe* AND process.command_line:(*PCWDiagnostic* OR *\\/\\/* OR *.\\/* OR *\\/.* OR *.\r\n
Source/Credits: https://www.fortinet.com/blog/threat-research/follina-rozena-leveraging-discord-to-distribute-a-backdoor\r\nhttps://securityaffairs.co/wordpress/133051/hacking/follina-bug-rozena-backdoor.html\r\nSource: https://www.socinvestigation.com/threat-actors-delivers-new-rozena-backdoor-with-follina-bug-detection-response/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.socinvestigation.com/threat-actors-delivers-new-rozena-backdoor-with-follina-bug-detection-response/"
	],
	"report_names": [
		"threat-actors-delivers-new-rozena-backdoor-with-follina-bug-detection-response"
	],
	"threat_actors": [],
	"ts_created_at": 1775434316,
	"ts_updated_at": 1775791312,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e4cae6ec40110e0d439be7973cdb88cfb60c9aa3.pdf",
		"text": "https://archive.orkl.eu/e4cae6ec40110e0d439be7973cdb88cfb60c9aa3.txt",
		"img": "https://archive.orkl.eu/e4cae6ec40110e0d439be7973cdb88cfb60c9aa3.jpg"
	}
}
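Detection logic for the Follina to Rozena chain described in the record above, as an added example that is not code from the page, from FortiGuard Labs or from Security Investigation. It reimplements in Python the two signals the record's SIEM queries share (msdt.exe with PCWDiagnostic or traversal-looking arguments; a process image named word.exe) and adds two heuristics that are assumptions rather than page content: a PowerShell $( ) subexpression inside msdt's IT_BrowseForFile parameter, and the image living under the Windows Tasks folder, the drop location the report names. The ProcessEvent shape, the field names and the four sample events are constructed to resemble Sysmon Event ID 1 / Security 4688 data; the Follina command line is a trimmed imitation of the public exploit shape with the payload replaced by a placeholder, not the campaign's actual command.

```python
"""Triage Windows process-creation events for the Follina -> Rozena chain.

Added example, not the page's or FortiGuard's code.  Sample events below are
constructed; the Follina command line is an imitation, not captured telemetry.
"""
import re
from dataclasses import dataclass

# Tokens taken from the page's SIEM queries: msdt.exe launched with the
# PCWDiagnostic troubleshooter package or with traversal-looking arguments.
FOLLINA_TOKENS = ("pcwdiagnostic", "//", "./", "/.", "../")


@dataclass
class ProcessEvent:
    image: str              # full path of the created process (Sysmon Image)
    command_line: str       # CommandLine / ProcessCommandLine
    parent_image: str = ""  # ParentImage, kept for the analyst, not used by rules


def basename(path: str) -> str:
    """Last path component, case-folded; accepts backslash or slash separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def msdt_browse_for_file(command_line: str) -> str:
    """Return the IT_BrowseForFile value of an ms-msdt command line, or ''.

    Assumption of this example: in Follina payloads this parameter carries the
    PowerShell $(...) that msdt evaluates, followed by a ../ traversal to a
    real executable.  The value runs until the next IT_<name>= parameter,
    a closing double quote, or end of line.
    """
    m = re.search(r'IT_BrowseForFile=(.*?)(?=\s+IT_\w+=|"|$)', command_line, re.S)
    return m.group(1) if m else ""


def is_follina_msdt(ev: ProcessEvent) -> bool:
    """The shared predicate of the page's queries, case-insensitive."""
    cl = ev.command_line.lower()
    return "msdt.exe" in cl and any(tok in cl for tok in FOLLINA_TOKENS)


def is_rozena_drop(ev: ProcessEvent) -> bool:
    """FireEye clause on the page: process name ends with \\word.exe."""
    return basename(ev.image) == "word.exe"


def triage(events):
    """Return [(event, [reasons])] for every event that matches a rule."""
    hits = []
    for ev in events:
        reasons = []
        if is_follina_msdt(ev):
            reasons.append("msdt.exe with PCWDiagnostic/traversal arguments")
            if "$(" in msdt_browse_for_file(ev.command_line):
                reasons.append("PowerShell subexpression in IT_BrowseForFile")
        if is_rozena_drop(ev):
            reasons.append("process named Word.exe")
            # The report says Rozena is saved in the Windows Tasks folder.
            if "\\windows\\tasks\\" in ev.image.lower():
                reasons.append("located in the Windows Tasks folder (Rozena drop path)")
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry: one benign msdt run, one Follina-shaped msdt
# run (payload replaced by a placeholder), the Rozena drop, and benign Word.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\msdt.exe",
                 r'"C:\Windows\System32\msdt.exe" -id NetworkDiagnosticsWeb',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\msdt.exe",
                 r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "'
                 r"IT_RebrowseForFile=cal?c IT_LaunchMethod=ContextMenu "
                 r"IT_BrowseForFile=$(Invoke-Expression('<decoded payload placeholder>'))"
                 r'i/../../../../Windows/System32/mpsigstub.exe IT_AutoTroubleshoot=ts_AUTO"',
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcessEvent(r"C:\Windows\Tasks\Word.exe", r'"C:\Windows\Tasks\Word.exe"',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n',
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(basename(ev.image), "<-", basename(ev.parent_image), "|", "; ".join(reasons))
```

Run directly it reports the Follina-shaped msdt.exe event and the Word.exe drop and stays silent on the two benign events. The predicates map one to one onto the fields the queries above use (CommandLine, Image/process), so the same tokens can be pasted back into whichever SIEM is in use; the IT_BrowseForFile check is the part worth keeping when a later campaign changes the troubleshooter package name.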