article featured image


It seems that a newly found Iranian threat actor is stealing Google and Instagram credentials from Farsi-speaking targets all around the world employing a new PowerShell-based stealer named PowerShortShell.

The data stealer is also used for Telegram monitoring and gathering system information from infected machines, which is then delivered to attacker-controlled servers along with the stolen credentials.

They target Windows users with malicious Word attachments that take advantage of a Microsoft MSHTML remote code execution (RCE) issue identified as CVE-2021-40444. A DLL obtained on infected computers executes the PowerShortShell stealer payload.

When executed, the PowerShell script begins to gather data and screenshots, that will be later sent to the attacker’s command-and-control server.

Almost half of the victims are located in the United States. Based on the Microsoft Word document content – which blames Iran’s leader for the “Corona massacre” and the nature of the collected data, we assume that the victims might be Iranians who live abroad and might be seen as a threat to Iran’s Islamic regime. The adversary might be tied to Iran’s Islamic regime since the Telegram surveillance usage is typical of Iran’s threat actors like Infy, Ferocious Kitten, and Rampant Kitten. Surprisingly, the usage of exploits for the infection is quite unique to Iranian threat actors which in most cases heavily rely on social engineering tricks.


As BleepingComputer reported, the CVE-2021-40444 RCE flaw affecting Internet Explorer’s MSTHML rendering engine was exploited in the wild as a zero-day since August, with more than two weeks before Microsoft issued a security advisory with a partial fix and three weeks before a patch was available.

Microsoft also said that several threat actors, including ransomware associates, used maliciously engineered Office documents supplied via phishing campaigns to target this Windows MSHTML RCE problem.

The CVE-2021-40444 bug was exploited in these assaults “as part of an initial access campaign that delivered modified Cobalt Strike Beacon loaders.”

The beacons deployed interacted with malicious equipment associated with a variety of cybercrime schemes, including but not limited to human-operated ransomware.

It comes as no surprise that the CVE-2021-40444 vulnerabilities are being used by an increasing number of attackers, given that threat actors began posting tutorials and proof-of-concept exploits on hacking forums even before the problem was fixed.

The information given online is straightforward, making it quite easy for anybody to develop their own functioning version of a CVE-2021-40444 attack.

If you liked this article follow us on LinkedInTwitterYouTubeFacebook, and Instagram to keep up to date with everything cybersecurity.

Author Profile

Dora Tudor

Cyber Security Enthusiast

linkedin icon

Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.

Leave a Reply

Your email address will not be published. Required fields are marked *

Protect your business by doing more with less

Book a Demo