{
	"id": "10b8e2ce-cfb9-44f1-b75f-0990fde8dc3e",
	"created_at": "2026-04-06T00:07:41.679663Z",
	"updated_at": "2026-04-10T03:38:06.565347Z",
	"deleted_at": null,
	"sha1_hash": "255cf416299eb3982ab6bc827d23b217cf89fc75",
	"title": "AhnLab and NCSC Release Joint Report on Microsoft Zero-Day Browser Vulnerability (CVE-2024-38178)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5176528,
	"plain_text": "AhnLab and NCSC Release Joint Report on Microsoft Zero-Day\r\nBrowser Vulnerability (CVE-2024-38178)\r\nBy ATCP\r\nPublished: 2024-10-15 · Archived: 2026-04-05 23:45:09 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) and the National Cyber Security Center (NCSC) have discovered a\r\nnew zero-day vulnerability in the Microsoft Internet Explorer (IE) browser and have conducted a detailed analysis\r\nof attacks that exploit this vulnerability. This post shares the joint analysis report “Operation Code on Toast by\r\nTA-RedAnt”, which details the findings of the ASEC and NCSC joint analysis and the responses to the threat.\r\nhttps://asec.ahnlab.com/en/83877/\r\nPage 1 of 4\n\nThe North Korean threat actor TA-RedAnt (also known as RedEyes, ScarCruft, Group123, APT37, etc.) is behind\r\nthis operation. They have previously targeted specific individuals such as North Korean defectors and experts in\r\nNorth Korean affairs using hacking emails, Android app package files (.apk), and IE vulnerabilities.\r\nThis operation exploited a zero-day vulnerability in IE to utilize a specific toast ad program that is installed\r\nalongside various free software.\r\n※ Toast: A type of popup notification that appears at the bottom (usually right bottom) of the desktop screen.\r\nMany toast ad programs use a feature called WebView to render web content for displaying ads. However,\r\nWebView operates based on a browser. Therefore, if the program creator used IE-based WebView to write the\r\ncode, IE vulnerabilities could also be exploited in the program. As a result, TA-RedAnt exploited the toast ad\r\nprogram that was using the vulnerable IE browser engine (jscript9.dll), which is no longer supported, as an initial\r\naccess vector. Microsoft ended its support for IE in June 2022. However, attacks that target some Windows\r\napplications that still use IE are continuously being discovered, so organizations and users need to be extra\r\ncautious and update their systems with the latest security patches.\r\nTA-RedAnt first attacked the Korean online advertising agency’s server that ad programs use to download ad content.\r\nThey then injected code exploiting the vulnerability into the server’s ad content script. The vulnerability is exploited when the\r\nad program downloads and renders the ad content. As a result, a zero-click attack occurred without any interaction\r\nfrom the user.\r\nThis vulnerability occurs when one type of data is mistakenly treated as another during the optimization process of\r\nIE’s JavaScript engine (jscript9.dll), allowing type confusion to occur. TA-RedAnt exploited this vulnerability to\r\ntrick victims into downloading malware on their desktops with the toast ad program installed. After infecting the\r\nsystem, various malicious behaviors can be performed, such as remote commands.\r\nAhnLab and the NCSC immediately reported the vulnerability to Microsoft. On August 13 (local time in the U.S.),\r\nMicrosoft issued CVE-2024-38178 (CVSS 7.5) and released the patch to address this vulnerability\r\n(https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38178).\r\nPlease refer to the attached report for more details.\r\nFull Report(English) : Operation Code on Toast(full).pdf\r\nSummary Report(English) : Operation Code on Toast(summary).pdf\r\nSource: https://asec.ahnlab.com/en/83877/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/83877/"
	],
	"report_names": [
		"83877"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434061,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/255cf416299eb3982ab6bc827d23b217cf89fc75.pdf",
		"text": "https://archive.orkl.eu/255cf416299eb3982ab6bc827d23b217cf89fc75.txt",
		"img": "https://archive.orkl.eu/255cf416299eb3982ab6bc827d23b217cf89fc75.jpg"
	}
}