Nahash - New Backdoor Targets French Entities with Unique Attack Chain
Proofpoint observed new, targeted activity impacting French entities in the construction and government sectors.
The threat actor used macro-enabled Microsoft Word documents to distribute the Chocolatey installer package, an open-source package installer.
Various parts of the VBA macro include ASCII art and depict a snake (Nahash).
The threat actor attempted to install a backdoor on a potential victim's device, which could enable remote administration, command and control (C2), data theft, or deliver other additional payloads.
Proofpoint refers to this backdoor as Serpent (Nahash).
The ultimate objective of the threat actor is currently unknown.
Featured Resources
View More Resources
CVE-2026-32196: One-Click RCE via Windows Admin Center Control Flow Hijacking
Ilan Kalendarov, Security Research Team LeadBen Zamir, Security ResearcherElad Beber, Security ResearcherRuben Enkaoua, Security Researcher Cymulate Research Labs identified a set of
Cymulate Stories: A Fireside Chat with Morgan Street Holdings
Many organizations still manage cyber risk using reactive security practices that struggle to keep pace with today’s threat landscape. As
The Race to Ship AI Tools Left Security Behind. Part 1: Sandbox Escape
AI tools shipped fast - but weak sandboxing left escape paths, exposing systems to data access, abuse, and full compromise.