{
	"id": "6b4c82f4-548c-4dbc-bf88-b9d7e17fe9b8",
	"created_at": "2026-04-06T00:15:22.436388Z",
	"updated_at": "2026-04-10T03:37:00.297162Z",
	"deleted_at": null,
	"sha1_hash": "1cd737489b45861a46ab31dfb743b77f2a47322d",
	"title": "Operation RussianDoll: Adobe \u0026 Windows Zero-Day Exploits Likely Leveraged by Russia's APT28 in Highly-Targeted Attack | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 518431,
	"plain_text": "Operation RussianDoll: Adobe \u0026 Windows Zero-Day Exploits\r\nLikely Leveraged by Russia's APT28 in Highly-Targeted Attack |\r\nMandiant\r\nBy Mandiant\r\nPublished: 2015-04-18 · Archived: 2026-04-02 12:00:10 UTC\r\nFireEye Labs recently detected a limited APT campaign exploiting zero-day vulnerabilities in Adobe Flash and a\r\nbrand-new one in Microsoft Windows. Using the Dynamic Threat Intelligence Cloud (DTI), FireEye researchers\r\ndetected a pattern of attacks beginning on April 13th, 2015. Adobe independently patched the vulnerability (CVE-2015-3043) in APSB15-06. Through correlation of technical indicators and command and control infrastructure,\r\nFireEye assess that APT28 is probably responsible for this activity.\r\nMicrosoft is aware of the outstanding local privilege escalation vulnerability in Windows (CVE-2015-1701).\r\nWhile there is not yet a patch available for the Windows vulnerability, updating Adobe Flash to the latest version\r\nwill render this in-the-wild exploit innocuous. We have only seen CVE-2015-1701 in use in conjunction with the\r\nAdobe Flash exploit for CVE-2015-3043. The Microsoft Security Team is working on a fix for CVE-2015-1701.\r\nExploit Overview\r\nThe high level flow of the exploit is as follows:\r\n1. User clicks link to attacker controlled website\r\n2. HTML/JS launcher page serves Flash exploit\r\n3. Flash exploit triggers CVE-2015-3043, executes shellcode\r\n4. Shellcode downloads and runs executable payload\r\n5. Executable payload exploits local privilege escalation (CVE-2015-1701) to steal System token\r\nThe Flash exploit is served from unobfuscated HTML/JS. The launcher page picks one of two Flash files to\r\ndeliver depending upon the target’s platform (Windows 32 versus 64bits).\r\nThe Flash exploit is mostly unobfuscated with only some light variable name mangling. The attackers relied\r\nheavily on the CVE-2014-0515 Metasploit module, which is well documented. 
It is ROPless, and instead constructs a fake vtable for a FileReference object that is modified for each call to a Windows API.\r\nThe payload exploits a local privilege escalation vulnerability in the Windows kernel if it detects that it is running with limited privileges. It uses the vulnerability to run code from userspace in the context of the kernel, which modifies the attacker’s process token to have the same privileges as that of the System process.\r\nCVE-2015-3043 Exploit\r\nhttps://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html\r\nPage 1 of 7\n\nThe primary difference between the CVE-2014-0515 Metasploit module and this exploit is, obviously, the vulnerability. CVE-2014-0515 exploits a vulnerability in Flash’s Shader processing, whereas CVE-2015-3043 exploits a vulnerability in Flash’s FLV processing. The culprit FLV file is embedded within AS3 in two chunks, and is reassembled at runtime.\r\nVulnerability\r\nA buffer overflow vulnerability exists in Adobe Flash Player (\u003c=17.0.0.134) when parsing malformed FLV objects. Attackers exploiting the vulnerability can corrupt memory and gain remote code execution.\r\nIn the exploit, the attacker embeds the FLV object directly in the ActionScript code, and plays the video using the NetStream class. 
In memory, it looks like the following:\r\n0000000: 46 4c 56 01 05 00 00 00 09 00 00 00 00 12 00 00 FLV.............\r\n0000010: f4 00 00 00 00 00 00 00 02 00 0a 6f 6e 4d 65 74 ...........onMet\r\n0000020: 61 44 61 74 61 08 00 00 00 0b 00 08 64 75 72 61 aData.......dura\r\n0000030: 74 69 6f 6e 00 40 47 ca 3d 70 a3 d7 0a 00 05 77 tion.@G.=p.....w\r\n0000040: 69 64 74 68 00 40 74 00 00 00 00 00 00 00 06 68 idth.@t........h\r\n0000050: 65 69 67 68 74 00 40 6e 00 00 00 00 00 00 00 0d eight.@n........\r\n0000060: 76 69 64 65 6f 64 61 74 61 72 61 74 65 00 00 00 videodatarate...\r\n…..\r\n0003b20: 27 6e ee 72 87 1b 47 f7 41 a0 00 00 00 3a 1b 08 'n.r..G.A....:..\r\n0003b30: 00 04 41 00 00 0f 00 00 00 00 68 ee ee ee ee ee ..A.......h.....\r\n0003b40: ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ................\r\n0003b50: ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ................\r\n0003b60: ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ee ................\r\nFiles of the FLV file format contain a sequence of Tag structures. 
In Flash, these objects are created when parsing FLV Tags:\r\n.text:1018ACE9 sub_1018ACE9    proc near               ; CODE XREF: sub_1018BBAC+2Bp\r\n.text:1018ACE9                                         ; sub_10192797+1A1p ...\r\n.text:1018ACE9\r\n.text:1018ACE9 arg_0           = dword ptr  4\r\n.text:1018ACE9\r\n.text:1018ACE9                 mov     eax, ecx\r\n.text:1018ACEB                 mov     ecx, [esp+arg_0]\r\n.text:1018ACEF                 mov     dword ptr [eax], offset off_10BA771C\r\n.text:1018ACF5                 mov     dword ptr [eax+24h], 1\r\n.text:1018ACFC                 and     dword ptr [eax+14h], 0\r\n.text:1018AD00                 mov     [eax+28h], ecx\r\n.text:1018AD03                 mov     byte ptr [eax+20h], 0\r\n.text:1018AD07                 retn    4\r\nIn the case of this exploit, a Tag structure begins at offset 0x3b2f into the FLV stream that, when parsed, populates the Tag structure as follows:\r\nTag 2:\r\nUINT_8 type: 8\r\nUINT_24 datasize: 1089\r\nUINT_24 timestamp: 15\r\nUINT_8 timestamphi: 0\r\nUINT_24 streamid: 0\r\nUINT_4 fmt: 6\r\nUINT_2 sr: 2\r\nUINT_1 bits: 0\r\nUINT_1 channels: 0\r\nUBYTE data[1088]: \\xee\\xee\\xee\\xee…\r\nUINT_32 lastsize: 0xeeeeeeee\r\nBeginning within the data field, all contents of the FLV stream become 0xEE. 
Consequently, the data and lastsize fields are mangled, and one final tag technically exists consisting exclusively of 0xEE:\r\nTag 3:\r\nUINT_8 type: 0xEE\r\nUINT_24 datasize: 0xEEEEEE\r\n…\r\nOne can see the datasize field of Tag 2 populated from the attacker's FLV stream below:\r\n.text:10192943 mov eax, [ebx+24h]\r\n.text:10192946 mov [esi+14h], eax\r\n.text:10192949 movzx eax, byte ptr [ebx+19h] ; 00\r\n.text:1019294D movzx ecx, byte ptr [ebx+1Ah] ; 04\r\n.text:10192951 shl eax, 8\r\n.text:10192954 or eax, ecx\r\n.text:10192956 movzx ecx, byte ptr [ebx+1Bh] ; 41\r\n.text:1019295A shl eax, 8\r\n.text:1019295D or eax, ecx\r\n.text:1019295F mov ecx, ebx\r\n.text:10192961 mov [esi+0Ch], eax ; 0x441\r\n.text:10192964 call sub_1002E2B3\r\nThe buffer is allocated with fixed size 0x2000:\r\n.text:101A647E push 2000h\r\n.text:101A6483 mov ecx, esi\r\n.text:101A6485 call sub_101A6257 ; alloc 0x2000 buffer, store in esi+0xDC\r\n……\r\n.text:101A627F push 0\r\n.text:101A6281 push edi ; 0x2000\r\n.text:101A6282 call sub_105EBEB0\r\n.text:101A6287 pop ecx\r\n.text:101A6288 pop ecx\r\n.text:101A6289 mov [esi+0DCh], eax\r\nSince the size is controlled by the attacker, it’s possible to overflow the fixed-size buffer with certain data.\r\nA datasize of 0x441 results in a value here of 0x1100 passed to sub_100F88F8, which memcopies 0x2200 bytes in 0x11 chunks of 0x200. 
The last memcpy overflows the fixed-size 0x2000 buffer into adjacent heap memory.\r\nAttackers spray the heap with an array of Vector objects (0x7fe * 4 + 8 == 0x2000) and create holes of that size, into which the 0x2000-byte buffer described above will then be allocated.\r\nwhile (_local_2 \u003c this._bp35) // _bp35 == 0x2000\r\n {\r\n this._ok47[_local_2] = new Vector.\u003cuint\u003e(this._lb60); // _lb60 == 0x07FE\r\n _local_3 = 0x00;\r\n while (_local_3 \u003c this._lb60)\r\n {\r\n this._ok47[_local_2][_local_3] = 0x41414141;\r\n _local_3++;\r\n };\r\n _local_2 = (_local_2 + 0x01);\r\n };\r\n _local_2 = 0x00;\r\n while (_local_2 \u003c this._bp35)\r\n {\r\n this._ok47[_local_2] = null;\r\n _local_2 = (_local_2 + 0x02);\r\n };\r\nAs the previous picture demonstrated, the length field of the following Vector object is overflowed to 0x80007fff, which enables the attacker to read/write arbitrary data within user space.\r\nShellcode\r\nShellcode is passed to the exploit from HTML in flashvars. The shellcode downloads the next-stage payload, which is an executable passed in plaintext, to the temp directory with URLDownloadToFileA, which it then runs with WinExec.\r\nPayload \u0026 C2\r\nThis exploit delivers a malware variant that shares characteristics with the APT28 CHOPSTICK and CORESHELL backdoor malware families, both described in our APT28 whitepaper. The malware uses an RC4 encryption key that was previously used by the CHOPSTICK backdoor, and its C2 messages include a checksum algorithm that resembles those used in CHOPSTICK backdoor communications. In addition, the network beacon traffic of the new malware resembles that of the CORESHELL backdoor. Like CORESHELL, one of the beacons includes a process listing from the victim host. 
And like CORESHELL, the new malware attempts to download a second-stage executable.\r\nOne of the C2 locations for the new payload, 87.236.215[.]246, also hosts a suspected APT28 domain, ssl-icloud[.]com. The same subnet (87.236.215.0/24) also hosts several known or suspected APT28 domains, as seen in Table 1.\r\nThe target firm is an international government entity in an industry vertical that aligns with known APT28 targeting.\r\nCVE-2015-1701 Exploit\r\nThe payload contains an exploit for the unpatched local privilege escalation vulnerability CVE-2015-1701 in Microsoft Windows. The exploit uses CVE-2015-1701 to execute a callback in userspace. The callback gets the EPROCESS structures of the current process and the System process, and copies data from the System token into the token of the current process. Upon completion, the payload continues execution in usermode with the privileges of the System process.\r\nBecause CVE-2015-3043 is already patched, this remote exploit will not succeed on a fully patched system. If an attacker wanted to exploit CVE-2015-1701, they would first have to be executing code on the victim’s machine. Barring authorized access to the victim’s machine, the attacker would have to find some other means, such as crafting a new Flash exploit, to deliver a CVE-2015-1701 payload.\r\nMicrosoft is aware of CVE-2015-1701 and is working on a fix. 
CVE-2015-1701 does not affect Windows 8 and later.\r\nAcknowledgements\r\nThank you to all of the contributors to this blog!\r\nThe following people in FireEye: Dan Caselden, Yasir Khalid, James “Tom” Bennett, GenWei Jiang, Corbin Souffrant, Joshua Homan, Jonathan Wrolstad, Chris Phillips, Darien Kindlund\r\nMicrosoft \u0026 Adobe security teams\r\nSource: https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html"
	],
	"report_names": [
		"probable_apt28_useo.html"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434522,
	"ts_updated_at": 1775792220,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1cd737489b45861a46ab31dfb743b77f2a47322d.pdf",
		"text": "https://archive.orkl.eu/1cd737489b45861a46ab31dfb743b77f2a47322d.txt",
		"img": "https://archive.orkl.eu/1cd737489b45861a46ab31dfb743b77f2a47322d.jpg"
	}
}