October 4, 2023

Researchers have spotted a espionage campaign from a novel threat actor called NewsPenguin against Pakistan’s military-industrial complex for months, using an advanced malware tool.

PIMEC (Pakistan International Maritime Expo) a Pakistan navy initiative that will provide opportunities to maritime industry both in public and private sectors to display products and develop business relationships. The event will also highlight Pakistan’s Maritime potential and provide the desired fillip for economic growth at national level.

NewsPenguin attracts its victims using spear-phishing emails with an attached Word document, purporting to be an “Exhibitor Manual” for the PIMEC conference. The file name was quite a red flag “Important Document.doc” referring directly to the event.


The document first opens in a protected view. The victim must then click “enable content” to read the document, which triggers a remote template injection attack. The attack involves a remote template injection attack that avoids easy detection by planting malware not in a document but in its associated template. This will bypass email protection systems and EDR solutions.  

The macros lie outside of the victim’s infrastructure. That way, the traditional products built to protect the endpoint and internal systems won’t be effective. The payload is an executable with no differentiating name, referred to as updates.exe.

The NewsPenguin malware also performs a series of actions to check whether it’s deploying in a virtual machine or sandbox for escaping from getting caught.

The domains associated with the campaign were registered all the way back in June and October of last year, despite PIMEC is scheduled to happen. The researchers couldn’t connect NewsPenguin to any known threat actors. That said, the group has already been working for some time now.


This research was documented by researchers from Blackberry.

Indicators of Compromise

  • 51.222.103[.]8
  • 185.198.59[.]109
  • Windows.20H2.85685475
  • C:\Users\admin\source\repos\BeetleVx\libcurl\processhollow\libcurl\Release\libcurl.pdb
  • 80326b1e151e8348307114c8115e275c2fd63f0d2eb1dfacb6eca9840cf98525
  • 26b113ba29b037034ee34a7f0fea81f6d5452950e0d26058d9b96946d78570c5
  • facb0bfb3123540415b28881bcf951b29ccdd3abace54747d76f19017e80e8d9
  • b4e22ffcaa349618342a933c2cc72896e8273c2095a1f232d7e34b119f485595
  • 3F9FAC91288139F81D4949CD5DADDC131AA3443D2A8631093D971B2EBDE6AE77
  • 55F43319B910037D5B2EB8A5E57A14FCA88E22BB0F40E453E510CC375A42BF43
  • EA732F213FCFC27E386471C290A342B7905FF8030888979D8220403A94D2CDCD
  • 4C003C63F1A7C6D2EAEEB18D37B3EE824C82E1C0C44458A9510EF28C265962C6
  • 538BB2540AAD0DCB512C6F0023607382456F9037D869B4BF00BCBDB18856B338
  • hXXp[:]//windowsupdates[.]shop/test[.]dotx
  • updates.win32[.]live       

Leave a Reply

%d bloggers like this: