ScarCruft (APT37) Cloud-Hosted Malware Delivery Campaign

EXECUTIVE SUMMARY

ScarCruft (APT37) is actively conducting a targeted malware campaign that uses spear-phishing emails with OLE-enabled Microsoft Office documents to deliver malware. The campaign abuses trusted cloud services such as Google Drive, OneDrive, and Dropbox to download malicious payloads, helping the activity blend in with legitimate traffic and evade detection. Successful compromise enables remote access, data exfiltration, and long-term persistence on Windows systems, posing a high risk to government, research, media, and other high-value sectors.

  • Active Region: Asia-Pacific (Primary), Global Potential
  • Affected Sector: Government, Defense, Media, Research, NGOs
  • Affected Product: Windows Endpoints
  • Severity: High
  • Published Date: February 09, 2026

TECHNICAL DETAILS

  • Initial Access: ScarCruft uses targeted spear-phishing emails containing Microsoft Office documents with embedded OLE objects.
  • Execution Mechanism: The malicious documents abuse OLE functionality to execute code without relying on VBA macros. Embedded OLE objects trigger living-off-the-land binaries (LOLBins) such as cmd.exe, powershell.exe, and mshta.exe to download and execute payloads.
  • Malware Capabilities: The deployed malware enables remote command execution,……
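The execution chain above (Office document with an OLE object launching cmd.exe, powershell.exe or mshta.exe that fetches a payload from Google Drive, OneDrive or Dropbox) is visible in endpoint process-creation telemetry. The following is an added detection example, not code from the report: it runs over constructed Sysmon-style process events (the field names and sample values are assumptions) and flags Office-parented LOLBins, raising severity when the command line references a cloud-storage host.

```python
import re
from urllib.parse import urlparse

# Process names involved in the chain described in the advisory.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "mshta.exe"}
# Cloud-storage hosts the campaign abuses; subdomains are matched too.
CLOUD_HOSTS = ("drive.google.com", "docs.google.com", "onedrive.live.com",
               "1drv.ms", "dropbox.com", "dropboxusercontent.com")

URL_RE = re.compile(r"""https?://[^\s'"<>]+""", re.IGNORECASE)

def cloud_urls(cmdline):
    """Return the URLs in a command line whose host belongs to a cloud-storage service."""
    hits = []
    for url in URL_RE.findall(cmdline):
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in CLOUD_HOSTS):
            hits.append(url)
    return hits

def classify(event):
    """Return a finding for an Office -> LOLBin process creation, else None."""
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if parent not in OFFICE_PARENTS or image not in LOLBINS:
        return None
    urls = cloud_urls(event["CommandLine"])
    # Office spawning a LOLBin is suspicious on its own; a cloud URL in the
    # command line matches the delivery pattern and is treated as high.
    severity = "high" if urls else "medium"
    return {"parent": parent, "child": image, "severity": severity, "urls": urls}

def scan(events):
    """Run classify() over a list of events and keep only the findings."""
    return [f for f in (classify(e) for e in events) if f]

# Constructed sample events (assumed Sysmon Event ID 1 style, not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://drive.google.com/uc?export=download&id=EXAMPLE_ID"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile Get-Process"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Feeding real Sysmon or EDR process-creation events into scan() requires only mapping their parent-image, image and command-line fields onto the three keys used here.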
