Cyber Incident Victim: Embassy of Bangladesh in Egypt

Date:

Oct 2018

Location:

Egypt

Summary

The website of the Bangladeshi Embassy in Egypt was compromised and used to distribute a malicious Word document that exploited a known Microsoft Office vulnerability to execute code and install a malware downloader on visitors' systems. The site was first detected hosting a coinminer; it later forced visitors to download a malicious document which, when opened on a vulnerable system, installed Godzilla Loader, a downloader that connected to command-and-control servers to retrieve further payloads. The compromise was not remediated and persisted after Trustwave notified the domain owners.

CIA Posture: available to members

Motives: 1 motive (details available to members)

Tactics, Techniques & Procedures: 1 technique (details available to members)

Threat Actors: 0 actors

Threat Actor Type: available to members

Threat Actor Location: available to members

Description

The website of the Embassy of Bangladesh in Cairo was found compromised in October 2018, when Trustwave's Cloud SWG product flagged a coinminer hosted on the site. By January 2019 the compromise had escalated: loading any HTML page on the site forced the visitor's browser to download a malicious Word document named *Conference_Details.docx*. Trustwave researchers analyzed the document and confirmed that it exploited CVE-2017-0261, a remote code execution vulnerability in the Encapsulated PostScript (EPS) image filter of Microsoft Office, so the exploit fires when the document is opened in a vulnerable Office installation, not merely when it is downloaded. Successful exploitation dropped a file named *MSBuld.exe* into *C:\ProgramData\Microsoft\Windows\DRM*. VirusTotal initially classified the file as a password-stealing Trojan, but Trustwave identified it as Godzilla Loader, a malware downloader. Once executed, Godzilla Loader connected to a command-and-control (C2) server to retrieve additional payloads.
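Because the EPS exploit lives inside the document rather than in the web page, the practical triage question for a file like *Conference_Details.docx* is "does this .docx carry an embedded EPS part at all?" The following script is an added example written for this page, not code from Trustwave or from the incident; it builds a constructed, harmless .docx-shaped zip (with and without an EPS part, standing in for the real sample, which is not reproduced here) and flags EPS parts by file extension, by the content type declared in `[Content_Types].xml`, and by the PostScript and DOS-EPS magic bytes. All file names and contents in it are constructed.

```python
import io
import re
import zipfile

# Constructed minimal [Content_Types].xml declaring an "eps" default extension,
# as Word does when an EPS image has been inserted. Not taken from the real sample.
CONTENT_TYPES = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
  <Default Extension="xml" ContentType="application/xml"/>
  <Default Extension="eps" ContentType="image/x-eps"/>
  <Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>"""

# Constructed, benign EPS header (no exploit content).
EPS_HEADER = b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 100 100\n"
# Magic of the DOS EPS binary container, which Office also accepts as EPS.
DOS_EPS_MAGIC = b"\xc5\xd0\xd3\xc6"


def build_sample_docx(with_eps: bool) -> bytes:
    """Build a tiny in-memory .docx-shaped zip; with_eps=True embeds an EPS part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", b"<w:document/>")
        if with_eps:
            z.writestr("word/media/image1.eps", EPS_HEADER + b"showpage\n")
        else:
            z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n")
    return buf.getvalue()


def eps_extensions_declared(content_types_xml: bytes) -> set:
    """Extensions whose declared content type is PostScript/EPS (attacker may rename the part)."""
    exts = set()
    for m in re.finditer(rb'<Default\s+Extension="([^"]+)"\s+ContentType="([^"]+)"', content_types_xml):
        ext, ctype = m.group(1).decode().lower(), m.group(2).decode().lower()
        if "postscript" in ctype or ctype.endswith("/eps") or ctype.endswith("/x-eps"):
            exts.add(ext)
    return exts


def find_embedded_eps(docx_bytes: bytes) -> list:
    """Return the names of zip parts that look like EPS by extension, declared type, or magic."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = z.namelist()
        ct_xml = z.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
        eps_exts = eps_extensions_declared(ct_xml)
        for name in names:
            if name.endswith("/"):
                continue  # directory entry
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            with z.open(name) as part:
                head = part.read(64)
            by_ext = ext == "eps" or ext in eps_exts
            by_magic = head.startswith(b"%!PS") or head.startswith(DOS_EPS_MAGIC)
            if by_ext or by_magic:
                hits.append(name)
    return hits


def is_suspicious(docx_bytes: bytes) -> bool:
    """Triage verdict: any embedded EPS in a .docx is worth quarantining and sandboxing."""
    return bool(find_embedded_eps(docx_bytes))


if __name__ == "__main__":
    for label, sample in (("with EPS", build_sample_docx(True)), ("without EPS", build_sample_docx(False))):
        print(label, "->", find_embedded_eps(sample), "suspicious:", is_suspicious(sample))
```

The script treats the mere presence of an EPS part as the signal, since legitimate EPS images are rare in mail-borne or drive-by Word documents and Office has shipped with its EPS filter disabled by default since 2017, so an embedded EPS has little reason to exist except to reach the old filter on unpatched hosts. Checking the magic bytes as well as the extension matters because the package is just a zip and a part can be named anything the attacker likes.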


The compromise was never resolved: Trustwave reported receiving no response from the domain owners despite its outreach, and the embassy's website was still serving the malicious document at the time of Trustwave's public disclosure in February 2019. Visitors were therefore exposed to a drive-by download attack for months, with the attendant risk of unauthorized remote access, credential theft, and secondary infections fetched by the loader. The vulnerability used, CVE-2017-0261, had been patched by Microsoft in 2017, so the chain only succeeded against visitors running unpatched Office installations and who opened the downloaded file; the choice of an embassy website nonetheless indicates deliberate targeting of that site's visitors. No remediation by the embassy or by third parties is documented in the available source material, and the prolonged compromise points to an operational security gap in the site's ownership and monitoring.

Sources
Sources available to members
1 source