MerkSpy: Exploiting CVE-2021-40444 to Infiltrate Systems
ID: 3c81d412-d2d2-522a-b9a5-4f832748464a
STIX ID: report--3c81d412-d2d2-522a-b9a5-4f832748464a
Feed Name: Fortinet Blog
FortiGuard Labs reports a high-severity campaign exploiting CVE-2021-40444 (the Microsoft MSHTML remote code execution vulnerability) via a malicious Word document that downloads an HTML payload (olerender.html) containing XOR-encoded shellcode. The shellcode decodes itself and runs a downloader that retrieves a VMProtect-protected payload named "GoogleUpdate". That payload injects the MerkSpy spyware into system processes, establishes persistence through a Run registry key entry, and exfiltrates keystrokes, screenshots, Chrome credentials and MetaMask wallet data to 45.89.53.46. The report includes IOCs and the corresponding Fortinet detection names.
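The report describes the first stage only in outline: an HTML page carrying XOR-encoded shellcode that decodes itself before running. The following triage helper is an added example, not code from FortiGuard Labs or from the report, and it does not use the real olerender.html. It assumes a single-byte XOR key and a hex-string blob inside a script block (the report states neither the key length nor the container format), embeds a constructed sample page, and recovers the key by testing every candidate against known Windows shellcode prologue bytes.

```python
"""
Triage helper for XOR-encoded shellcode carried in an HTML payload.

Added example, not FortiGuard Labs code. ASSUMPTIONS (not stated in the
report): a single-byte XOR key and a hex-encoded blob inside a <script>
block. The sample HTML below is constructed for this demo.
"""
import re
from typing import Optional

# Constructed sample: the first 18 bytes of a common x64 Windows shellcode
# stub (cld; and rsp,-0x10; call ...; push r9; push r8; ...), XOR-encoded
# with the demo key 0x5A and embedded as a hex string.
_SAMPLE_KEY = 0x5A
_SAMPLE_SHELLCODE = bytes.fromhex(
    "fc4883e4f0e8c0000000"   # cld; and rsp,-0x10; call +0xc0
    "4151415052515648"       # push r9; push r8; push rdx; push rcx; push rsi; ...
)
SAMPLE_HTML = (
    "<html><body><script>\n"
    "var p = '" + bytes(b ^ _SAMPLE_KEY for b in _SAMPLE_SHELLCODE).hex() + "';\n"
    "</script></body></html>"
)

# Prologue byte sequences commonly seen at the start of Windows shellcode.
# Heuristic only; the report does not describe the MerkSpy stub's bytes.
KNOWN_PROLOGUES = (
    b"\xfc\x48\x83\xe4\xf0",  # cld; and rsp,-0x10          (x64)
    b"\xfc\x48\x81\xe4",      # cld; and rsp, imm32         (x64 variant)
    b"\xfc\xe8",              # cld; call                   (x86)
)


def extract_hex_blobs(html: str, min_len: int = 16) -> list[bytes]:
    """Return every quoted hex string of at least min_len bytes, decoded to raw bytes."""
    pattern = r"""['"]([0-9a-fA-F]{%d,})['"]""" % (min_len * 2)
    blobs = []
    for m in re.finditer(pattern, html):
        s = m.group(1)
        if len(s) % 2 == 0:          # odd-length hex cannot be a byte string
            blobs.append(bytes.fromhex(s))
    return blobs


def xor_decode(blob: bytes, key: int) -> bytes:
    """Decode a blob encoded with a single repeating key byte."""
    return bytes(b ^ key for b in blob)


def recover_single_byte_key(blob: bytes) -> Optional[int]:
    """Brute-force all 256 one-byte keys; accept the first whose plaintext
    begins with a known shellcode prologue. Returns None if nothing matches.

    ASSUMPTION: single-byte key. A multi-byte or rolling key needs a
    different approach (for example known-plaintext over a longer prefix)."""
    for key in range(256):
        head = xor_decode(blob[:8], key)
        if any(head.startswith(p) for p in KNOWN_PROLOGUES):
            return key
    return None


def triage_html(html: str) -> list[dict]:
    """For each candidate blob in the page, report its size, the recovered
    key (or None) and the first eight decoded bytes as hex."""
    results = []
    for blob in extract_hex_blobs(html):
        key = recover_single_byte_key(blob)
        results.append({
            "encoded_len": len(blob),
            "key": key,
            "decoded_head": xor_decode(blob, key)[:8].hex() if key is not None else None,
        })
    return results


if __name__ == "__main__":
    for r in triage_html(SAMPLE_HTML):
        print(r)
```

Run the script against a saved copy of a suspicious HTML page to get a quick yes/no on whether a quoted blob is single-byte XOR-encoded shellcode; a `None` key means either a longer key, a different container, or simply not shellcode, and the blob should then go to a disassembler or emulator rather than be dismissed.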
