{
	"id": "909f20ff-7b4c-4268-affa-e3341f996963",
	"created_at": "2026-04-06T00:10:49.100215Z",
	"updated_at": "2026-04-10T03:37:26.268002Z",
	"deleted_at": null,
	"sha1_hash": "26a25894944ffb493f34c8141286305665b91dcb",
	"title": "Operation Clandestine Wolf — Adobe Flash Zero-Day in APT3 Phishing Campaign | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 53984,
	"plain_text": "Operation Clandestine Wolf — Adobe Flash Zero-Day in APT3\r\nPhishing Campaign | Mandiant\r\nBy Mandiant\r\nPublished: 2015-06-23 · Archived: 2026-04-02 12:42:09 UTC\r\nWritten by: Erica Eng, Dan Caselden\r\nIn June, FireEye’s FireEye as a Service team in Singapore uncovered a phishing campaign exploiting an Adobe\r\nFlash Player zero-day vulnerability (CVE-2015-3113). The attackers’ emails included links to compromised web\r\nservers that served either benign content or a malicious Adobe Flash Player file that exploits CVE-2015-3113.\r\nAdobe has already released a patch for CVE-2015-3113 with an out-of-band security bulletin\r\n(https://helpx.adobe.com/security/products/flash-player/apsb15-14.html). FireEye recommends that Adobe Flash\r\nPlayer users update to the latest version as soon as possible.\r\nFireEye MVX detects this threat as a web infection, the IPS engine reports the attack as CVE-2015-3113, and the\r\nSHOTPUT backdoor is reported as Backdoor.APT.CookieCutter.\r\nAPT3\r\nThe China-based threat group FireEye tracks as APT3, aka UPS, is responsible for this exploit and the activity\r\nidentified in our previous blog post, Operation Clandestine Fox. This group is one of the more sophisticated threat\r\ngroups that FireEye Threat Intelligence tracks, and they have a history of introducing new browser-based zero-day\r\nexploits (e.g., Internet Explorer, Firefox, and Adobe Flash Player). After successfully exploiting a target host, this\r\ngroup will quickly dump credentials, move laterally to additional hosts, and install custom backdoors. 
APT3’s\r\ncommand and control (CnC) infrastructure is difficult to track, as there is little overlap across campaigns.\r\nActivity Overview\r\nIn the last several weeks, APT3 actors launched a large-scale phishing campaign against organizations in the\r\nfollowing industries:\r\nAerospace and Defense\r\nConstruction and Engineering\r\nHigh Tech\r\nTelecommunications\r\nTransportation\r\nUpon clicking the URLs provided in the phishing emails, targets were redirected to a compromised server hosting\r\nJavaScript profiling scripts. Once a target host was profiled, victims downloaded a malicious Adobe Flash Player\r\nhttps://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html\r\nPage 1 of 6\n\nSWF file and an FLV file, detailed below. This ultimately resulted in a custom backdoor known as SHOTPUT,\r\ndetected by FireEye as Backdoor.APT.CookieCutter, being delivered to the victim’s system.\r\nThe payload is obscured using xor encoding and appended to a valid GIF file.\r\nAttack Vector\r\nThe phishing emails used by APT3 during this campaign were extremely generic in nature, almost appearing to be\r\nspam. An example email body:\r\nSave between $200-450 by purchasing an Apple Certified Refurbished iMac through this link. Refurbished iMacs\r\ncome with the same 1-year extendable warranty as new iMacs. Supplies are limited, but update frequently.\r\nThe string “\u003eGo to Sale” was a link that used the following URL structure:\r\nhxxp://\u003csubdomain\u003e.\u003clegitdomain\u003e.\u003cTLD\u003e/\u003cdirectory\u003e/\u003calphanumericID\u003e.html\r\nExploit Details\r\nThe attack exploits an unpatched vulnerability in the way Adobe Flash Player parses Flash Video (FLV) files. The\r\nexploit uses common vector corruption techniques to bypass Address Space Layout Randomization (ASLR), and\r\nuses Return-Oriented Programming (ROP) to bypass Data Execution Prevention (DEP). 
A neat trick in their ROP\r\ntechnique makes it simpler to exploit and will evade some ROP detection techniques.\r\nShellcode is stored in the packed Adobe Flash Player exploit file alongside a key used for its decryption. The\r\npayload is xor encoded and hidden inside an image.\r\nExploit Packaging\r\nThe Adobe Flash Player exploit is packed with a simple RC4 packer. The RC4 key and ciphertext are BinaryData\r\nblobs that the packer uses to decrypt the layer 2 Adobe Flash Player file. Once decrypted, layer 2 is executed with\r\nloader.loadBytes.\r\nVector Corruption\r\nLayer 2 uses a classic Adobe Flash Player Vector corruption technique to develop its heap corruption vulnerability\r\ninto a full relative read/write available to ActionScript3. In this technique, the attacker sprays Adobe Flash Player\r\nVectors to the heap, and triggers a write vulnerability to change the size of one of the vectors. The attacker can\r\nthen perform subsequent reads and writes to memory outside the intended boundaries of the corrupted Vector\r\nobject from AS3. For more details on this technique, see Flash in 2015.\r\nOnce the attacker has limited read/write access to memory, they choose to corrupt a second Vector to increase their\r\naccess to a range of 0x3fffffff bytes. This second Vector is used for the remainder of the exploit.\r\nReturn-Oriented Programming\r\nThe attackers use a ROP chain to call kernel32!VirtualAlloc to mark their shellcode as executable before jumping\r\nto their shellcode.\r\nInstead of writing their ROP chain to the heap along with their shellcode and payload, they used a different\r\ntechnique. 
Usually, exploit developers will corrupt a built-in Adobe Flash Player object such as a Sound object.\r\nInstead, the attackers chose to define their own class in AS3 with a function that takes a lot of arguments:\r\nclass CustomClass {\r\npublic function victimFunction(arg1:uint, arg2:uint, …, arg80:uint):uint\r\n}\r\nThen, the attackers can simply overwrite the function pointer with a gadget that adds to the stack pointer and\r\nreturns to pivot to ROP. They have no need to identify the absolute address of the ROP chain and preserve it in a\r\nregister for a typical xchg reg32, esp pivot. Additionally, storing the ROP chain on the stack will evade ROP\r\ndetection mechanisms designed around detecting when the stack pointer points outside of a thread’s stack region.\r\nthis.customObj.victimFunction(\r\n6f73b68b, // ret; (ROPsled)\r\n…,\r\n6f73b68a, // pop eax\r\n1f140100,\r\n6fd36da1, // call Kernel32!VirtualAlloc(0x1f140000, 0x10000, 0x1000, 0x40)\r\n1f140000, // Address\r\n00010000, // Size\r\n00001000, // Type\r\n00000040, // Protection = RWX\r\n6f73b68b*9, // ret (ROPsled)\r\n6fd36da7*2, // ret\r\n6f73aff0, // pop ecx\r\n6fd36da7,\r\n6fd36da7, // jmp [eax]\r\n…\r\n)\r\nthis.customObj.victimFunction pointer modified to:\r\n00000000`6de533dc 5e pop rsi\r\n00000000`6de533dd 83c448 add esp,48h\r\n00000000`6de533e0 c3 ret\r\nLastly, the ROP chain has a ROPsled following the call to VirtualAlloc. This could just be an artifact of\r\ndevelopment, or it could be designed to bypass detection mechanisms that test for valid return addresses up to a\r\nlimited depth at calls to VirtualAlloc.\r\nFull Exploit Flow\r\n1. Create a new Video object\r\n2. Fetch the payload\r\n3. Attach the video to a new NetStream\r\n4. Spray the heap with Adobe Flash Player Vectors\r\na. Create a Vector containing 98688 Vectors containing 1022 uints\r\nb. 
Set the first two dwords in each Vector to 0x41414141, 0x42424242\r\n5. Create holes for the controlled FLV object\r\na. Free approximately every 3rd Vector in the spray\r\n6. Spray custom class objects for future control transfer\r\na. Define a new class CustomClass\r\ni. Define a function victimFunction with lots of arguments\r\nb. Create a Vector of 0x100 Vectors of 1007 references to a CustomClass instance\r\n7. Fetch and play the FLV exploit\r\na. The FLV file will allocate an attacker controlled object in one of the holes from step 5\r\nb. The attacker controlled object will overwrite the length field of an adjacent vector\r\n8. Re-fill holes from step 5 with Vectors as in step 4\r\n9. Find the corrupted vector\r\na. Search through Vectors from step 4\r\nb. Check the length of each Vector to find one that is abnormally large\r\n10. Corrupt a second Vector (Vector2)\r\na. Using the corrupted Vector from step 9 to read/write relative memory addresses\r\ni. Search memory for an adjacent vector\r\nii. Overwrite the length field with 0x3fffffff\r\niii. Verify that a corrupted vector with length 0x3fffffff now exists in the spray\r\n1. If not, undo corruption and attempt to corrupt the next vector\r\n11. Decrypt shellcode and store it and the payload on the heap\r\n12. Overwrite the CustomClass.victimFunction function pointer\r\na. Find the sprayed CustomClass object instance references from step 6\r\nb. The new function is a form of “pivot” that transfers control to the attacker\r\n13. Build ROP chain on the stack and call it\r\na. Find ROP gadgets in memory using Vector2\r\ni. Including a call to kernel32!VirtualAlloc\r\nb. Call the corrupted CustomClass.victimFunction from step 6.a.i\r\ni. Arguments to the function are the gadgets of the ROP chain\r\nii. They are conveniently pushed onto the stack\r\niii. 
Corrupted vtable from step 12 calls a pivot\r\n1. The “pivot” just adds to the stack pointer and returns because the ROP chain is on\r\nthe stack\r\n14. ROP chain calls shellcode\r\na. Call kernel32!VirtualAlloc\r\nb. jmp to shellcode\r\n15. Shellcode calls payload\r\na. Shellcode searches memory for the payload, which is stored inside an image\r\nb. Shellcode decodes the payload by xoring each byte (that is not 0 or 0x17) with 0x17\r\nConclusion\r\nOnce APT3 has access to a target network, they work quickly and they are extremely proficient at enumerating\r\nand moving laterally to maintain their access. Additionally, this group uses zero-day exploits, continually updated\r\ncustom backdoors, and throwaway CnC infrastructure, making it difficult to track them across campaigns.\r\nAcknowledgements\r\nThank you to the following contributors to this blog!\r\n· Joseph Obed, Ben Withnell, Kevin Zuk, Genwei Jiang, and Corbin Souffrant of FireEye\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html"
	],
	"report_names": [
		"operation-clandestine-wolf-adobe-flash-zero-day.html"
	],
	"threat_actors": [
		{
			"id": "13354d3f-3f40-44ec-b42a-3cda18809005",
			"created_at": "2022-10-25T15:50:23.275272Z",
			"updated_at": "2026-04-10T02:00:05.36519Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"APT3",
				"Gothic Panda",
				"Pirpi",
				"UPS Team",
				"Buckeye",
				"Threat Group-0110",
				"TG-0110"
			],
			"source_name": "MITRE:APT3",
			"tools": [
				"OSInfo",
				"schtasks",
				"PlugX",
				"LaZagne",
				"SHOTPUT",
				"RemoteCMD"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "761d1fb2-60e3-46f0-9f1c-c8a9715967d4",
			"created_at": "2023-01-06T13:46:38.269054Z",
			"updated_at": "2026-04-10T02:00:02.90356Z",
			"deleted_at": null,
			"main_name": "APT3",
			"aliases": [
				"GOTHIC PANDA",
				"TG-0110",
				"Buckeye",
				"Group 6",
				"Boyusec",
				"BORON",
				"BRONZE MAYFAIR",
				"Red Sylvan",
				"Brocade Typhoon"
			],
			"source_name": "MISPGALAXY:APT3",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cf826655-5fcb-4331-bdc5-5ef267db9d3c",
			"created_at": "2025-08-07T02:03:24.631402Z",
			"updated_at": "2026-04-10T02:00:03.608938Z",
			"deleted_at": null,
			"main_name": "BRONZE MAYFAIR",
			"aliases": [
				"APT3 ",
				"Gothic Panda ",
				"Pirpi",
				"TG-0110 ",
				"UPSTeam"
			],
			"source_name": "Secureworks:BRONZE MAYFAIR",
			"tools": [
				"Cookiecutter",
				"HUC Proxy Malware (Htran)",
				"Pirpi",
				"PlugX",
				"SplitVPN",
				"UPS",
				"ctt",
				"ctx"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "06f622cb-3a78-49cf-9a4c-a6007a69325f",
			"created_at": "2022-10-25T16:07:23.315239Z",
			"updated_at": "2026-04-10T02:00:04.537826Z",
			"deleted_at": null,
			"main_name": "APT 3",
			"aliases": [
				"APT 3",
				"Boron",
				"Brocade Typhoon",
				"Bronze Mayfair",
				"Buckeye",
				"G0022",
				"Gothic Panda",
				"Group 6",
				"Operation Clandestine Fox",
				"Operation Clandestine Fox, Part Deux",
				"Operation Clandestine Wolf",
				"Operation Double Tap",
				"Red Sylvan",
				"TG-0110",
				"UPS Team"
			],
			"source_name": "ETDA:APT 3",
			"tools": [
				"APT3 Keylogger",
				"Agent.dhwf",
				"BKDR_HUPIGON",
				"Backdoor.APT.CookieCutter",
				"Badey",
				"Bemstour",
				"CookieCutter",
				"Destroy RAT",
				"DestroyRAT",
				"DoublePulsar",
				"EXL",
				"EternalBlue",
				"HTran",
				"HUC Packet Transmit Tool",
				"Hupigon",
				"Hupigon RAT",
				"Kaba",
				"Korplug",
				"LaZagne",
				"MFC Huner",
				"OSInfo",
				"Pirpi",
				"PlugX",
				"RedDelta",
				"RemoteCMD",
				"SHOTPUT",
				"Sogu",
				"TIGERPLUG",
				"TTCalc",
				"TVT",
				"Thoper",
				"Xamtrav",
				"remotecmd",
				"shareip",
				"w32times"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434249,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/26a25894944ffb493f34c8141286305665b91dcb.pdf",
		"text": "https://archive.orkl.eu/26a25894944ffb493f34c8141286305665b91dcb.txt",
		"img": "https://archive.orkl.eu/26a25894944ffb493f34c8141286305665b91dcb.jpg"
	}
}