Hackers abuse DOCX, RTF, JavaScript, and Python in Boeing-themed RFQ malware campaign
A new phishing campaign is using fake Boeing request-for-quotation emails to infect procurement and sales targets with a multi-stage malware chain that ends in in-memory Cobalt Strike. Reporting on the campaign says the operation uses Word documents, embedded RTF content, JavaScript, PowerShell, and a full Python runtime to stay stealthy and make detection harder.
The campaign is tracked as NKFZ5966PURCHASE and uses lures tied to “Joyce Malave from BOEING” or “Global Services, LLC.” Researchers cited in the reporting said the malicious files first appeared on March 30, 2026, and that several related samples quickly surfaced in MalwareBazaar over the following days.
What makes this campaign stand out is its layered delivery chain. Instead of dropping an obvious EXE early, the attackers hide the payload across document formats and trusted tools, then load the final beacon directly into memory. Microsoft says AMSI exists to help antimalware products inspect scripts and other dynamic content, which helps explain why attackers often try to bypass it in modern fileless or semi-fileless chains.
How the Boeing RFQ lure works
The phishing emails pose as procurement outreach and ask targets to quote pricing for bulk orders. Known lure filenames include “Rfq and Payment Schedule.docx,” “Product_specifications.docx,” and “RFQ_PO_ATR29026II.docx,” with researchers saying the files share the same structure and metadata.
Once opened, the DOCX abuses Word’s alternative-format import mechanism to pull in hidden RTF content. Microsoft’s Open XML documentation shows that Word supports the aFChunk relationship type for alternative format import parts, while Microsoft’s OpenXML class reference documents the related w:altChunk object used to insert external content.
That RTF then carries the next stage, which researchers described as a hidden JavaScript dropper. The script launches PowerShell quietly through WMI, downloads a ZIP payload from Filemail, unpacks a Python 3.12 runtime, and uses Python to decrypt and reflectively load the final DLL payload in memory.
Why the chain is hard to catch
This campaign leans on normal Windows and enterprise tools instead of a single noisy malware file. Researchers said the JavaScript stage uses obfuscation, the PowerShell stage disables certificate checks and attempts to bypass AMSI, and the final DLL never lands on disk in decrypted form.
The use of Filemail also complicates filtering. Filemail is a legitimate file-sharing provider with an active trust center and published security materials, which makes its domain less suspicious than a throwaway malware host. That does not make Filemail malicious, but it shows why reputable cloud services remain attractive for payload delivery.
The Boeing branding adds another layer of credibility. Boeing already warns the public about impersonation and fraud in other contexts, which fits the broader pattern of attackers borrowing trusted corporate names to pressure targets into opening files or replying quickly.
What researchers observed
| Item | Reported detail |
|---|---|
| Campaign tag | NKFZ5966PURCHASE |
| Social-engineering theme | Boeing RFQ / procurement email |
| Initial file types | DOCX with hidden RTF content |
| Script stage | Obfuscated JavaScript launching PowerShell via WMI |
| Payload hosting | Filemail URLs used for ZIP delivery |
| Later-stage runtime | Python 3.12 used to decrypt the final payload |
| Final malware behavior | Reflective in-memory DLL loading tied to Cobalt Strike |
| Persistence clue | HKCU\...\Run value named RtkAudUService |
What defenders should do now
- Block or inspect unexpected procurement-themed attachments, especially DOCX files tied to RFQ language.
- Flag Office documents that use `aFChunk` or `altChunk` imports from embedded alternative content.
- Monitor for WMI-launched PowerShell and PowerShell that tampers with certificate validation or AMSI-related behavior.
- Review outbound access to cloud file-sharing services when the request starts from Office or scripting engines.
- Hunt for suspicious Run keys such as `RtkAudUService` on user systems.
- Teach procurement and supplier teams to verify RFQs through known contacts and official portals before opening attachments. Boeing says fraud schemes often use fake emails and false websites that appear to come from the company.
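The altChunk check above can be automated with a triage script that opens a DOCX as a ZIP package and reports any `w:altChunk` whose relationship is of the `aFChunk` type, peeking at the imported part to see whether it is RTF. This is an added example written for this article, not code from the researchers or from Microsoft; the sample document it builds is constructed in-memory and only carries placeholder text.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Relationship type and XML namespaces Word uses for alternative-format import parts.
AFCHUNK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/aFChunk"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

def find_altchunks(docx_bytes):
    """Return (rId, target, looks_like_rtf) for each w:altChunk in the main
    document part whose relationship is of type aFChunk."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "word/document.xml" not in names:
            return findings  # not a Word package we know how to inspect
        rels = {}
        if "word/_rels/document.xml.rels" in names:
            root = ET.fromstring(z.read("word/_rels/document.xml.rels"))
            for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
                rels[rel.get("Id")] = (rel.get("Type"), rel.get("Target"))
        doc = ET.fromstring(z.read("word/document.xml"))
        for chunk in doc.iter(f"{{{W_NS}}}altChunk"):
            rid = chunk.get(f"{{{R_NS}}}id")
            rtype, target = rels.get(rid, (None, None))
            if rtype != AFCHUNK_REL:
                continue
            # Targets are relative to word/; an RTF part starts with "{\rtf".
            part = "word/" + (target or "")
            head = z.read(part)[:5] if part in names else b""
            findings.append((rid, target, head.startswith(b"{\\rtf")))
    return findings

def build_sample_docx(with_chunk=True):
    """Constructed minimal DOCX; with_chunk adds one altChunk importing an RTF part."""
    body = '<w:altChunk r:id="rId5"/>' if with_chunk else "<w:p/>"
    doc_xml = (f'<w:document xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
               f"<w:body>{body}</w:body></w:document>")
    rels_xml = (f'<Relationships xmlns="{PKG_NS}"><Relationship Id="rId5" '
                f'Type="{AFCHUNK_REL}" Target="afchunk.rtf"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
        if with_chunk:
            z.writestr("word/afchunk.rtf", "{\\rtf1 constructed placeholder text}")
    return buf.getvalue()
```

Run `find_altchunks` over attachments at the mail gateway or in a sandbox; a non-empty result is a strong triage signal, since legitimate RFQ documents rarely import external RTF content this way.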
FAQ
It is a phishing operation that impersonates Boeing procurement and uses malicious Word documents to launch a six-stage chain ending in in-memory Cobalt Strike. Researchers cited in public reporting track it as NKFZ5966PURCHASE.
The attackers appear to spread the logic across DOCX, RTF, JavaScript, PowerShell, and Python to reduce visibility and avoid simple signature-based detection. Each layer does a small part of the job before the final payload loads in memory.
There is no evidence in the reporting that Filemail itself was compromised. The campaign appears to abuse Filemail as a delivery channel because it is a legitimate service that many defenses treat as lower risk.
Microsoft says AMSI helps applications and services integrate with antimalware products so scripts and dynamic content can be scanned before execution. Attackers try to weaken or bypass that protection because it increases the chance that malicious script stages will run without being blocked.