{
	"id": "9b0d6ed7-fe0f-4bfb-8898-65696608beac",
	"created_at": "2026-04-06T00:06:29.888695Z",
	"updated_at": "2026-04-10T03:37:49.61617Z",
	"deleted_at": null,
	"sha1_hash": "2ad6a1195657afcb83330f09a8e098c559de8c0f",
	"title": "APT28 racing to exploit CVE-2017-11292 Flash vulnerability before patches are deployed | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 828277,
	"plain_text": "APT28 racing to exploit CVE-2017-11292 Flash vulnerability before patches are deployed | Proofpoint US\r\nBy Kafeine, Pierre T, October 19, 2017\r\nPublished: 2017-10-19 · Archived: 2026-04-05 18:22:35 UTC\r\nEditor’s Note\r\nThis post will be updated as the threat is mitigated with additional C\u0026C takedowns; for now we are only sharing basic information related to this campaign to avoid enabling actions by other threat actors. We have already included new IOCs following initial takedown operations and will continue to monitor and engage in mitigation efforts.\r\nOverview\r\nOn Tuesday, October 18, Proofpoint researchers detected a malicious Microsoft Word attachment exploiting a recently patched Adobe Flash vulnerability, CVE-2017-11292. We attributed this attack to APT28 (also known as Sofacy), a Russian state-sponsored group. Targeting data for this campaign is limited, but some emails were sent to foreign government entities equivalent to the State Department and to private-sector businesses in the aerospace industry. The known geographical targeting appears broad, including Europe and the United States. The emails were sent from free email services.\r\nAs we examined the document exploitation chain, we found that DealersChoice.B [2], the attack framework that the document uses, is now also exploiting CVE-2017-11292, a Flash vulnerability that can lead to arbitrary code execution across Windows, Mac OS, Linux, and Chrome OS systems. The vulnerability was announced and patched on Monday, October 16 [1]. At that time Kaspersky attributed the exploit use to the BlackOasis APT group, which is distinct from APT28. We suspect that APT28, who also possess this exploit (whether purchased, discovered on their own, or reverse engineered from the BlackOasis attack), may now seek to benefit from it as quickly as possible before the patch is widely deployed.\r\nThus, while this exploit is no longer a zero-day, this is only the second known campaign utilizing it reported in public. APT28 burned their CVE-2017-0262 EPS 0-day in a similar fashion in April after Microsoft pushed an EPS exploit mitigation, which significantly reduced the impact of this exploit [3].\r\nAnalysis\r\nThe document “World War 3.docx” contacts DealersChoice.B, APT28’s attack framework that allows loading exploit code on-demand from a command and control (C\u0026C) server. DealersChoice has previously been used to exploit a variety of Flash vulnerabilities, including CVE-2015-7645, CVE-2016-1019, CVE-2016-4117, and CVE-2016-7855, via embedded objects in crafted Microsoft Word documents.\r\nFigure 1: Decoy document used\r\nThis malicious document embeds the same Flash object twice in an ActiveX control for an unknown reason, although this is likely an operational mistake. The Flash files work in the same manner as the last known attack using this tool: the embedded Flash decompresses a second Flash object that handles the communication with the exploit delivery server. The only difference is that this second Flash object is no longer stored encrypted. There are other signs that this campaign was devised hastily: for example, the actors did not change the decryption algorithm constants as they have in the past. These particular constants were already used in a late December 2016 campaign. Each document uses a different domain for victim exploitation, while the communication protocol with the server stayed the same as well.\r\nFigure 2: Comparison of the decryption functions (lightly edited for readability) showing that the decryption algorithm constants were not changed\r\nWe performed testing and found exploitation to be successful on:\r\nWindows 7 with Flash 27.0.0.159 and Microsoft Office 2013\r\nWindows 10 build 1607 with Flash 27.0.0.130 and Microsoft Office 2013\r\nAt this point, despite the potential impact across operating systems of this particular Flash vulnerability, Mac OS does not appear to be targeted by this campaign. Users running 64-bit versions of Microsoft Office 2016 and Windows 10 RS3 should be protected against this exploit as well.\r\nFigure 3: Flash 27.0.0.159 exploited by DealersChoice’s CVE-2017-11292 on Windows 7 via Microsoft Office 2013\r\nFigure 4: DealersChoice Flash checkin under Windows 10 build 1607, Microsoft Word 2013, and Flash 27.0.0.130\r\nThe CVE-2017-11292 exploit (Figure 5) delivered by the server is then decrypted and executed by the Flash object handling the communications. Upon successful execution, the payload is requested, decrypted, and executed on the target system.\r\nFigure 5: Use of the vulnerable mediacore.BufferControlParameters class\r\nAfter exploitation, DealersChoice typically delivers a stage 1 implant named Uploader [4]. In this case, it delivered only the Uploader payload component (build 0x2125181f) without the intermediate dropper. This malware has basic capabilities used for reconnaissance on the target systems. Uploader is also used to deploy further tools and implants on the system. It is worth noting that the timestamp (Wed Oct 18 01:54:28 2017 GMT) present in the payload indicates a very short delay between the setup of this attack and its launch.\r\nConclusion\r\nAPT28 appears to be moving rapidly to exploit this newly documented vulnerability before the available patch is widely deployed. Because Flash is still present on a high percentage of systems and this vulnerability affects all major operating systems, it is critical that organizations and end users apply the Adobe patch immediately. APT28 is a sophisticated state-sponsored group that is using the vulnerability to attack potentially high-value targets, but it is likely that other threat actors will follow suit and attempt to exploit this vulnerability more widely, whether in exploit kits or via other attack vectors.\r\nReferences\r\n[1] https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/\r\n[2] https://researchcenter.paloaltonetworks.com/2016/12/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/\r\n[3] https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html\r\n[4] https://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf\r\nIndicators of Compromise (IOCs)\r\nIOC\tIOC Type\tDescription\r\n25f983961eef6751e53a72c96d35448f8b413edf727501d0990f763b8c5e900b\tsha256\tDecoy/Exploit Document\r\n416467f8975036bb06c2b5fca4daeb900ff5f25833d3cdb46958f0f0f26bec82\tsha256\tAPT28 Uploader Variant\r\nblackpartshare[.com|185.86.150.244\tDomain|IP\tDealersChoice C\u0026C (now taken down)\r\nmountainsgide[.com|185.86.150.244\tDomain|IP\tDealersChoice C\u0026C (now taken down)\r\ncontentdeliverysrv[.net|142.91.104.106\tDomain|IP\tDealersChoice C\u0026C (now taken down)\r\nspace-delivery[.com|86.106.131.141\tDomain|IP\tAPT28 uploader C\u0026C\r\nET and ETPRO Suricata/Snort Signatures\r\n2014726 || ET POLICY Outdated Flash Version M1\r\n2823078 || ETPRO TROJAN APT28 DealersChoice CnC Beacon M1\r\n2823642 || ETPRO TROJAN APT28 DealersChoice CnC Beacon Response\r\n2023916 || ET TROJAN APT28 Uploader Variant CnC Beacon\r\n2828341 || ETPRO TROJAN APT28 DealersChoice DNS Lookup\r\n2828342 || ETPRO TROJAN APT28 Uploader DNS Lookup\r\nSource: https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed"
	],
	"report_names": [
		"apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed"
	],
	"threat_actors": [
		{
			"id": "10ad5c1d-5030-4300-be4e-6d24b40a6330",
			"created_at": "2022-10-25T16:07:23.400966Z",
			"updated_at": "2026-04-10T02:00:04.581114Z",
			"deleted_at": null,
			"main_name": "BlackOasis",
			"aliases": [
				"G0063"
			],
			"source_name": "ETDA:BlackOasis",
			"tools": [
				"FinFisher",
				"FinFisher RAT",
				"FinSpy",
				"Wingbird"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5200f27d-0d0a-49e9-a9de-9612971126c2",
			"created_at": "2023-01-06T13:46:38.959648Z",
			"updated_at": "2026-04-10T02:00:03.163547Z",
			"deleted_at": null,
			"main_name": "BlackOasis",
			"aliases": [
				"G0063"
			],
			"source_name": "MISPGALAXY:BlackOasis",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1ba9c064-34d2-48b5-a08c-04d241b00ebe",
			"created_at": "2022-10-25T15:50:23.734241Z",
			"updated_at": "2026-04-10T02:00:05.404606Z",
			"deleted_at": null,
			"main_name": "BlackOasis",
			"aliases": [
				"BlackOasis"
			],
			"source_name": "MITRE:BlackOasis",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433989,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2ad6a1195657afcb83330f09a8e098c559de8c0f.pdf",
		"text": "https://archive.orkl.eu/2ad6a1195657afcb83330f09a8e098c559de8c0f.txt",
		"img": "https://archive.orkl.eu/2ad6a1195657afcb83330f09a8e098c559de8c0f.jpg"
	}
}