QUOTEHTADropper

HTA dropper using a double-extension PDF lure (QUOTE-05348-2026.pdf.hta). The payload is delivered in chunks stored in WScript.Shell environment variables (30,000-character blocks). AES decryption key: MqVI5ZYptsWhg4UT. The HTA runs hidden, with no taskbar entry, as a single instance. PowerShell payload injection.

Threat Profile
Type: Loader
Programming Language: JScript/HTA
C2 Protocol: HTTP/PowerShell
First Seen: 2026
Targets: Global
Purpose / Capabilities
  • HTA Dropper/PowerShell Injector
No C2 servers have been identified for this family yet.

Research Reports (1)

High

QUOTEHTADropper 9fa0a886 -- QUOTE-05348-2026.pdf.hta Double-Extension PDF Lure, WScript.Shell Environment Variable Payload Chunk Storage, MqVI5ZYptsWhg4UT AES Key, PowerShell Injection | High

QUOTEHTADropper 9fa0a886, HTML/HTA, 403KB. QUOTE-05348-2026.pdf.hta double-extension PDF lure. WScript.Shell environment variable P1 P2 P3 payload chunking. MqVI5ZYptsWhg4UT AES key. PowerShell injection.
