{
	"id": "280b6d3a-f11b-4e85-aee7-2baf8cbd4620",
	"created_at": "2026-04-06T00:20:16.951779Z",
	"updated_at": "2026-04-10T03:24:30.200594Z",
	"deleted_at": null,
	"sha1_hash": "80d61c108b874a70056d4be4c9b501a2fec1463f",
	"title": "Hypervisor Introspection Thwarts Web Memory Corruption Attack in the Wild",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 184358,
	"plain_text": "Hypervisor Introspection Thwarts Web Memory Corruption\r\nAttack in the Wild\r\nBy Michael Rosen\r\nPublished: 2020-02-10 · Archived: 2026-04-05 19:02:56 UTC\r\nNew remote memory corruption vulnerability in Internet Explorer browsers allows for full takeover of\r\ninfected systems\r\nBitdefender has confirmed exploitation in the wild of CVE-2020-0674 with analysis of 2 distinct\r\nexecutable payloads\r\nHypervisor Introspection delivers true zero-day protection by preventing all common memory exploit\r\ntechniques\r\nOn January 17, Microsoft announced Security Advisory ADV200001, describing a zero-day remote code\r\nexecution in Internet Explorer that has been actively exploited in the wild. This announcement continues the\r\nparade of devastating memory-space exploits including EternalBlue and BlueKeep.\r\nSecurity Advisory ADV200001 | Microsoft Guidance on Scripting Engine Memory Corruption Vulnerability\r\nCVE-2020-0674 is a recently discovered browser vulnerability in the Microsoft scripting engine that allows for\r\nremote code execution (RCE) on Internet Explorer browsers from malicious JavaScript (.js) files. The exploit\r\ncarries Microsoft’s highest severity rating of Critical and it affects Internet Explorer versions 9, 10, and 11.\r\nMicrosoft, DHS Warn of Zero-Day Attack Targeting IE Users\r\nBitdefender has confirmed that this critical vulnerability is being actively exploited in the wild. Security\r\nresearchers in Bitdefender Labs have obtained and analyzed multiple samples to explore its tactics, techniques,\r\nand procedures. We have independently verified that 2 distinct executable payloads are unleashed by the exploit\r\nand currently in circulation:\r\n785a48daa5d6d3d1abbc91eeecf9943a0fa402084cea4e66e6c2e72c76107b86\r\n53f213309adce8b2bab567a16fd1bb71cc1199c65ac384345d0877ad1e9798a2\r\nBelow are Bitdefender’s analysis and key findings concerning the exploitation of CVE-2020-0674 in the wild. 
We\r\nalso demonstrate the successful detection and defeat of this dangerous exploit in virtual datacenter systems\r\nprotected by Bitdefender Hypervisor Introspection (HVI)—including standard desktops, servers, and VDI\r\ndesktops. HVI prevents this type of exploit, closing the gap between the time exploit code is used in the wild and\r\nthe time the systems are patched.\r\nhttps://businessinsights.bitdefender.com/hypervisor-introspection-thwarts-web-memory-corruption-attack-in-the-wild\r\nPage 1 of 3\n\nHypervisor Introspection intercepts and denies the attempt to access and overwrite protected memory areas.\r\nInstead of scanning millions of malware samples, Bitdefender Hypervisor Introspection detects all known memory\r\nattack techniques—few in number and only visible at the hypervisor level—identifying advanced and zero-day\r\nattacks as easily as any known exploit, preventing the malicious behavior from executing. HVI requires no\r\nsignature updates, since the common attack techniques remain relatively constant, even as the tools and\r\nprocedures change with each specific attack. Bitdefender Labs maintains constant vigilance, keeping pace with\r\nnew techniques and adding them to HVI’s detection stack.\r\nBitdefender Hypervisor Introspection | Stop Advanced Targeted Attacks and Prevent Breaches\r\n Key Findings\r\n1. Malicious URLs from phishing links contain multiple JavaScripts, each operating on a different version of\r\nWindows to exploit CVE-2020-0674\r\n2. When the RCE memory-space exploit is successful, the scripts download and run two distinct executable\r\nfiles in memory with the privileges of the logged-in user \r\n3. 
The attack attempts to access a protected memory area, to write data to read-only memory, and to execute\r\narbitrary code from a non-executable area such as the heap stack or process stack\r\nImpact of Virtualization Security on Your VDI Environment White Paper\r\nConclusions\r\nHypervisor Introspection is essential in the virtual datacenter, where built-in protection against new memory\r\nexploits and other advanced attacks using well-known exploit techniques cannot come at the expense of VM\r\nefficiency, density, or performance. Don’t rely on vendor software patches to keep you safe, as the attackers will\r\nalways be one step ahead. Instead, proactively take away their operating space with HVI and set your defenses on\r\nthe high ground of memory space. Bitdefender has demonstrated proactive prevention of memory vulnerabilities\r\nand exploits time and again—from EternalBlue to BlueKeep and more—proving that proactive defense with\r\ndenial is always better than reactive detection.\r\nFor further information on Bitdefender Hypervisor Introspection, please download our datasheet or contact us\r\nhere.\r\nSource: https://businessinsights.bitdefender.com/hypervisor-introspection-thwarts-web-memory-corruption-attack-in-the-wild",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://businessinsights.bitdefender.com/hypervisor-introspection-thwarts-web-memory-corruption-attack-in-the-wild"
	],
	"report_names": [
		"hypervisor-introspection-thwarts-web-memory-corruption-attack-in-the-wild"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434816,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/80d61c108b874a70056d4be4c9b501a2fec1463f.pdf",
		"text": "https://archive.orkl.eu/80d61c108b874a70056d4be4c9b501a2fec1463f.txt",
		"img": "https://archive.orkl.eu/80d61c108b874a70056d4be4c9b501a2fec1463f.jpg"
	}
}