QUOTEHTADropper
HTA dropper using a double-extension PDF lure (QUOTE-05348-2026.pdf.hta). The payload is delivered in chunks through WScript.Shell environment variables (30,000-character blocks). AES decryption key: MqVI5ZYptsWhg4UT. The HTA runs hidden, with no taskbar entry, as a single instance. PowerShell payload injection.
Threat Profile
Type: Loader
Programming Language: JScript/HTA
C2 Protocol: HTTP/PowerShell
First Seen: 2026
Targets: Global
Purpose / Capabilities
- HTA Dropper/PowerShell Injector
No C2 servers have been identified for this family yet.
Research Reports (1)
QUOTEHTADropper 9fa0a886 -- QUOTE-05348-2026.pdf.hta Double-Extension PDF Lure, WScript.Shell Environment Variable Payload Chunk Storage, MqVI5ZYptsWhg4UT AES Key, PowerShell Injection | High
QUOTEHTADropper 9fa0a886 HTML/HTA 403KB. QUOTE-05348-2026.pdf.hta double-extension PDF lure. WScript.Shell environment variable P1 P2 P3 payload chunking. MqVI5ZYptsWhg4UT AES key. PowerShell injection.