Nahash - New Backdoor Targets French Entities with Unique Attack Chain
Proofpoint observed new, targeted activity impacting French entities in the construction and government sectors.
The threat actor used macro-enabled Microsoft Word documents to distribute the Chocolatey installer package, an open-source package installer.
Various parts of the VBA macro include ASCII art and depict a snake (Nahash).
The threat actor attempted to install a backdoor on a potential victim's device, which could enable remote administration, command and control (C2), data theft, or deliver other additional payloads.
Proofpoint refers to this backdoor as Serpent (Nahash).
The ultimate objective of the threat actor is currently unknown.
Featured Resources
View More Resources
Handala Hack: From Regional Disruption to Digital Destruction — Why Security Validation Matters Now
After years of battling ransomware and financially motivated threats, security teams must now increase their focus to defend against digital destruction. Iranian-backed Handala Hack highlighted the growing threat with its claimed attacks against a U.S.-based medical equipment maker, with reports of widespread deletion of data
CVE-2026-26117: Hijacking Azure Arc on Windows for Local Privilege Escalation & Cloud Identity Takeover
CVE-2026-26117 lets attackers hijack Azure Arc on Windows, escalate to SYSTEM, and seize the machine’s cloud identity.
Exposure Validation Demo
Demo of automated offensive simulations validating detection, prevention, and IOC coverage