Mallory malware profile | Used by 1 actor | Exploits 1 CVE

SimpleLoader

SimpleLoader is a first-stage DLL loader used in APT28/Fancy Bear/UAC-0001 espionage campaigns, including activity described as Operation Neusploit. It was delivered after exploitation of Microsoft Office vulnerability CVE-2026-21509 via malicious DOC/RTF spear-phishing documents that used embedded OLE objects and WebDAV to retrieve external payloads, including a malicious LNK shortcut and the SimpleLoader DLL. Reported targeting included European military, government, maritime, transport, diplomatic, and especially Ukrainian and other Eastern European organizations.

SimpleLoader is described as using three XOR-based schemes: single-byte XOR 0x43 for mutex generation, alternating-byte XOR with null padding for path obfuscation, and a 76-character rotating XOR key for embedded payload decryption. It established persistence via COM hijacking of CLSID {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InProcServer32 and created a temporary scheduled task named OneDriveHealth to restart explorer.exe and trigger the hijacked COM object. The mutex adjgfenkbe is associated with SimpleLoader.

In the observed infection chain, SimpleLoader wrote EhStoreShell.dll to C:\ProgramData\USOPublic\Data\User\EhStoreShell.dll and dropped an encrypted PNG payload at C:\ProgramData\Microsoft OneDrive\setup\Cache\SplashScreen.png. EhStoreShell.dll acted as a steganography loader, validated execution conditions including explorer.exe and anti-analysis timing checks, decoded shellcode hidden in the PNG, and launched an in-memory .NET CovenantGrunt implant. In another reported branch, SimpleLoader was responsible for dropping either NotDoor or a COVENANT Grunt beacon that contacted filen.io to deliver the BeardShell backdoor. Associated post-compromise behavior included use of filen.io for C2 over HTTPS, reconnaissance with arp.exe, systeminfo.exe, and tracert.exe, and process injection into svchost.exe.

Known indicators directly associated with this malware chain include SHA-256 0bb0d54033767f081cae775e3cf9ede7ae6bea75f35fbfb748ccba9325e28e5e for SimpleLoader, SHA-256 a876f648991711e44a8dcf888a271880c6c930e5138f284cd6ca6128eca56ba1 for EhStoreShell.dll, the COM hijack registry path HKCU\Software\Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InProcServer32, and the scheduled task OneDriveHealth.
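The persistence chain above (HKCU COM hijack of the named CLSID, the OneDriveHealth task, and the explorer.exe restart) is what host telemetry can catch. The following is an added detection example, not code from Mallory or from any vendor report; the event schema and the hostnames are assumptions, the sample events are constructed, and it generalizes one step beyond the page by flagging any InProcServer32 write under HKCU\Software\Classes\CLSID as user-land COM hijacking while reserving the strong verdict for the page's CLSID.

```python
import re
from collections import defaultdict

# Indicator values quoted from the page; the event field names below are an assumption.
HIJACKED_CLSID = "{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}"
TASK_NAME = "OneDriveHealth"
MUTEX = "adjgfenkbe"
DROP_PATHS = {r"c:\programdata\usopublic\data\user\ehstoreshell.dll",
              r"c:\programdata\microsoft onedrive\setup\cache\splashscreen.png"}
# HKCU CLSID keys are user-writable, so any InProcServer32 write there is worth a look.
HKCU_INPROC = re.compile(r"^hkcu\\software\\classes\\clsid\\(\{[0-9a-f-]{36}\})\\inprocserver32$")
RESTART_EXPLORER = re.compile(r"taskkill\s+/f\s+/im\s+explorer\.exe.*\bstart\s+explorer\b", re.I)

def classify(event):
    """Return the detection names one telemetry event triggers ([] means nothing matched)."""
    kind, hits = event.get("type"), []
    if kind == "registry_set":
        m = HKCU_INPROC.match(event.get("key", "").lower())
        if m:
            hits.append("hkcu_com_inprocserver32_write")
            if m.group(1) == HIJACKED_CLSID.lower():
                hits.append("simpleloader_clsid_hijack")
    elif kind == "task_create" and event.get("task_name", "").lower() == TASK_NAME.lower():
        hits.append("onedrivehealth_task")
    elif kind == "process_create" and RESTART_EXPLORER.search(event.get("command_line", "")):
        hits.append("explorer_restart_cmd")
    elif kind == "file_create" and event.get("path", "").lower() in DROP_PATHS:
        hits.append("simpleloader_drop_path")
    elif kind == "mutex_create" and event.get("name") == MUTEX:
        hits.append("simpleloader_mutex")
    return hits

def triage(events):
    """Group hits per host; True marks a host showing the full hijack + task + restart chain."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(classify(ev))
    chain = {"simpleloader_clsid_hijack", "onedrivehealth_task", "explorer_restart_cmd"}
    return {h: (sorted(hits), chain <= hits) for h, hits in per_host.items()}

# Constructed sample telemetry (not real captures); values mirror the page's IOCs.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "registry_set", "key": r"HKCU\Software\Classes\CLSID\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}\InProcServer32", "data": r"C:\ProgramData\USOPublic\Data\User\EhStoreShell.dll"},
    {"host": "ws01", "type": "task_create", "task_name": "OneDriveHealth"},
    {"host": "ws01", "type": "process_create", "image": "cmd.exe", "command_line": "cmd.exe /c (taskkill /f /IM explorer.exe >nul 2>&1) & (start explorer >nul 2>&1)"},
    {"host": "ws01", "type": "file_create", "path": r"C:\ProgramData\Microsoft OneDrive\setup\Cache\SplashScreen.png"},
    {"host": "ws02", "type": "mutex_create", "name": "adjgfenkbe"},
    {"host": "ws02", "type": "process_create", "image": "explorer.exe", "command_line": "explorer.exe"},
]
```

Running `triage(SAMPLE_EVENTS)` reports ws01 as a full chain and ws02 as a single mutex hit only; a lone mutex or drop-path match is a triage lead, not a verdict.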


EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories.

CVE-2026-21509 | Microsoft Office Shell.Explorer.1 OLE Security Feature Bypass | Exploited in the wild

Patching CVE-2026-21509 is necessary, but not sufficient. Malicious .doc → CVE-2026-21509 exploit → LNK shortcut + SimpleLoader DLL → EhStoreShell.dll (steganography loader) → SplashScreen.png (shellcode hidden in PNG image) → CovenantGrunt (in-memory .NET backdoor) → filen.io (C2 communication)

via osint team blog (osintteam.blog)
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

APT28

Evidence: the same infection chain quoted under Exploited CVEs (via osint team blog, osintteam.blog)
MITRE ATT&CK

Techniques & procedures

18 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

3 techniques

T1189 Drive-by Compromise (evidence: 1)

The vulnerability allows embedded OLE objects to execute by leveraging the WebDAV protocol to fetch external payloads from attacker-controlled infrastructure.

T1566 Phishing (evidence: 1)

In these attacks, phishing emails with geopolitically-charged narratives related to transnational weapons smuggling, military training programs, and meteorological emergency bulletins contain weaponized documents that exploit CVE-2026-21509...

T1566.001 Spearphishing Attachment (evidence: 3)

APT28's attack begins with spear-phishing emails containing weaponized documents that exploit CVE-2026-21509... All emails carried weaponized RTF/DOC attachments.

Execution

5 techniques

T1053 Scheduled Task/Job (evidence: 1)

Scheduled Task: OneDriveHealth (temporary)

T1053.005 Scheduled Task (evidence: 1)

The loader creates a scheduled task named "OneDriveHealth" that triggers 60 seconds post-registration.

T1059.003 Windows Command Shell (evidence: 1)

cmd.exe /c (taskkill /f /IM explorer.exe >nul 2>&1) & (start explorer >nul 2>&1)

T1203 Exploitation for Client Execution (evidence: 4)

Malicious .doc → CVE-2026-21509 exploit → LNK shortcut + SimpleLoader DLL

T1204.002 Malicious File (evidence: 3)

When victims open these malicious documents, the exploit triggers automatically without requiring macros or user interaction.

Persistence

4 techniques

T1053 Scheduled Task/Job (evidence: 1)

Scheduled Task: OneDriveHealth (temporary)

T1053.005 Scheduled Task (evidence: 1)

The loader creates a scheduled task named "OneDriveHealth" that triggers 60 seconds post-registration.

T1546.015 Component Object Model Hijacking (evidence: 1)

Persistence is achieved through COM object hijacking targeting CLSID {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}.

T1547.009 Shortcut Modification (evidence: 3)

Malicious .doc → CVE-2026-21509 exploit → LNK shortcut + SimpleLoader DLL → EhStoreShell.dll

Privilege Escalation

4 techniques

T1053 Scheduled Task/Job (evidence: 1)

Scheduled Task: OneDriveHealth (temporary)

T1053.005 Scheduled Task (evidence: 1)

The loader creates a scheduled task named "OneDriveHealth" that triggers 60 seconds post-registration.

T1546.015 Component Object Model Hijacking (evidence: 1)

Persistence is achieved through COM object hijacking targeting CLSID {D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D}.

T1547.009 Shortcut Modification (evidence: 3)

Malicious .doc → CVE-2026-21509 exploit → LNK shortcut + SimpleLoader DLL → EhStoreShell.dll

Stealth

6 techniques

T1027 Obfuscated Files or Information (evidence: 2)

The infection chain deploys SimpleLoader which utilizes three distinct XOR encryption schemes... and an encrypted-payload PNG file mimicking legitimate OneDrive installation artifacts.

T1027.003 Steganography (evidence: 1)

The loader either extracts an encrypted PNG image file containing shellcode... BeardShell... processes the dropped image file, SplashScreen[dot]png, using a custom PNG parser to extract concealed .NET loader shellcode hidden within the image data.

T1070.004 File Deletion (evidence: 1)

The loader creates a scheduled task named "OneDriveHealth"... and self-deletes the scheduled task.

T1140 Deobfuscate/Decode Files or Information (evidence: 1)

The loader decrypts embedded strings using single-byte XOR (key 0x43)... ultimately extracting a .NET loader shellcode concealed within the image's data chunks.

T1218.011 Rundll32 (evidence: 1)

Process indicator: rundll32.exe tables(1).dll

T1620 Reflective Code Loading (evidence: 1)

The loader either extracts an encrypted PNG image file containing shellcode, which it decrypts and executes BeardShell in memory... The campaign’s modular infection chain – from initial phish to in-memory backdoor to secondary implants...

Command and Control

2 techniques

T1071.001 Web Protocols (evidence: 1)

CERT-UA said. "During the investigation, it was found that opening the document using Microsoft Office leads to establishing a network connection to an external resource using the WebDAV protocol..."

T1105 Ingress Tool Transfer (evidence: 2)

The vulnerability allows embedded OLE objects to execute by leveraging the WebDAV protocol to fetch external payloads from attacker-controlled infrastructure... the initial exploitation downloads a malicious LNK shortcut and first-stage loader DLL...

INDICATORS OF COMPROMISE

IOCs tracked for this family

49 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.

Network: 9 tracked (IPs, domains, and DNS infrastructure linked to this family)

Hashes: 24 tracked (file hashes, MD5/SHA-1/SHA-256, from samples and reports)

Other: 16 tracked (other indicator types observed in public reporting)
