{
	"id": "60209af8-f90f-43cd-805d-0d3ac6739898",
	"created_at": "2026-04-06T00:21:26.79789Z",
	"updated_at": "2026-04-10T13:11:27.509482Z",
	"deleted_at": null,
	"sha1_hash": "6a34e8fd8f13ed3cff7ea5f08be2d0f4de3b847b",
	"title": "Sandworm Windows zero-day vulnerability being actively exploited in targeted attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 286464,
	"plain_text": "Sandworm Windows zero-day vulnerability being actively\r\nexploited in targeted attacks\r\nPublished: 2014-10-14 · Archived: 2026-04-05 18:54:44 UTC\r\nA critical new vulnerability in the Windows operating system is reportedly being exploited in a limited number of\r\nattacks against targets in the US and Europe. The Microsoft Windows OLE Package Manager Remote Code\r\nExecution Vulnerability (CVE-2014-4114) allows attackers to embed Object Linking and Embedding (OLE) files\r\nfrom external locations. The vulnerability can be exploited to download and install malware onto the target’s\r\ncomputer. The vulnerability appears to have been used by a cyberespionage group known as Sandworm to deliver\r\nBackdoor.Lancafdo.A (also known as the Black Energy back door) to targeted organizations.\r\nThe vulnerability affects all versions of Windows from Windows Vista Service Pack 2 right up to Windows 8.1\r\nand Windows Server versions 2008 and 2012. It relates to how Windows handles OLE, a Microsoft technology\r\nthat allows rich data from one document to be embedded in another or a link to a document to be embedded in\r\nanother. OLE is generally used for embedding locally stored content, but this vulnerability enables the\r\nunprompted download and execution of external files.\r\nhttps://web.archive.org/web/20141016132823/https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks\r\nPage 1 of 3\n\nActive exploitation underway\r\nThe vulnerability was disclosed by iSIGHT Partners, which said that the vulnerability had already been exploited\r\nin a small number of cyberespionage attacks against NATO, several unnamed Ukrainian government\r\norganizations, a number of Western European governmental organizations, companies operating in the energy\r\nsector, European telecoms firms, and a US academic organization. 
According to our telemetry, attacks using this\r\npayload have been underway since August. iSIGHT has attributed these attacks to an advanced persistent threat\r\n(APT) group it has named Sandworm.\r\nAttacks to date have seen targeted individuals receive a spear-phishing email containing a malicious PowerPoint\r\nfile attachment, which is detected by Symantec as Trojan.Mdropper. The PowerPoint file contains two embedded\r\nOLE documents containing URLs. If the targeted user opens the PowerPoint file, these URLs are contacted and\r\ntwo files are downloaded, one .exe and one .inf, which will install malware on the computer. Symantec detects this\r\nmalware payload as Backdoor.Lancafdo.A.\r\nOnce installed on the target’s computer, this back door allows attackers to download and install other malware.\r\nThe malware may also download updates for itself, including an information-stealing component.\r\nWhile the current exploits are using PowerPoint files, given the nature of the vulnerability, we may eventually see\r\nthis exploit crop up in different Office file types such as Word documents or Excel spreadsheets.\r\nSymantec regards this vulnerability as critical, since it allows attackers to remotely run code on the target’s\r\ncomputer. 
While it has been exploited on a limited basis in the wild, other groups are likely to attempt to take\r\nadvantage of it now that its existence has been publicized.\r\nAdvice for businesses and consumers\r\nSymantec advises all affected Windows users to take the following actions.\r\nImmediately apply security patches once available from Microsoft\r\nEnsure that your security software is up-to-date\r\nExercise caution when opening email attachments, particularly from unknown sources\r\nSymantec protection\r\nSymantec customers are protected against the malware being used in attacks exploiting this vulnerability with the\r\nfollowing detections.\r\nAntivirus\r\nBackdoor.Lancafdo\r\nBackdoor.Lancafdo.A\r\nTrojan.Mdropper\r\nIntrusion Prevention\r\nAttack: Malicious File Download\r\nUpdate - October 15, 2014:\r\nMicrosoft has now issued a security bulletin which provides a patch for the vulnerability. Symantec recommends\r\nthat all users apply the patch published in Microsoft Security Bulletin MS14-060.\r\nSource: https://web.archive.org/web/20141016132823/https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20141016132823/https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks"
	],
	"report_names": [
		"sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434886,
	"ts_updated_at": 1775826687,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6a34e8fd8f13ed3cff7ea5f08be2d0f4de3b847b.pdf",
		"text": "https://archive.orkl.eu/6a34e8fd8f13ed3cff7ea5f08be2d0f4de3b847b.txt",
		"img": "https://archive.orkl.eu/6a34e8fd8f13ed3cff7ea5f08be2d0f4de3b847b.jpg"
	}
}