{
	"id": "54c011a8-f099-4088-9994-6180505ef3f1",
	"created_at": "2026-04-06T00:15:07.064482Z",
	"updated_at": "2026-04-10T03:21:37.908111Z",
	"deleted_at": null,
	"sha1_hash": "84eb701235ada8e5d9704f043c4f714db2b959cd",
	"title": "Malvertising Leading To Flash Zero Day Via Angler EK | Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 386234,
	"plain_text": "Malvertising Leading To Flash Zero Day Via Angler EK | Blog\r\nBy Deepen Desai\r\nPublished: 2015-01-22 · Archived: 2026-04-05 21:19:10 UTC\r\nUPDATE [01/25/2015]: Adobe released an update yesterday (APSA15-01) for CVE-2015-0311 that fixes the\r\nzero day exploit mentioned in this blog. Given the number of exploit attempts we are seeing for this vulnerability\r\nin the wild, it is critical for users to update the Adobe Flash player to the latest version 16.0.0.296.\r\nBackground\r\nEarlier this week, Kafeine published a blog mentioning an Angler Exploit Kit (EK) instance serving a possible\r\nzero day Adobe Flash exploit payload. The ThreatLabZ Research Team reviewed Angler Exploit Kit activity\r\nacross the cloud and were able to identify multiple instances of Angler Exploit Kit hosting sites serving a new\r\nAdobe Flash payload that is able to exploit the latest Flash Player version 16.0.0.257.  [Adobe released a patch\r\n(APSB15-02) for CVE-2015-0310 today and we can confirm that the patch\r\ndoes not\r\nprevent exploitation of the 0day discussed in this blog. The latest version 16.0.0.287 is still vulnerable and is being\r\nactively exploited in the wild.]\r\nUpon further investigation, we discovered that this appears to be yet another case of a Malvertising campaign\r\nleading unsuspecting users to Angler EK instances. Upon successful exploitation, we observed a new variant of\r\nthe Bedep Trojan getting dropped and executed on the victim machine. 
We tested this on a Windows 7 64-bit\r\nsystem and the payload dropped was a 64-bit Bedep Trojan variant which generated a high volume of AdFraud\r\ntraffic from the infected system.\r\nThe affected advertising networks found in this case were:\r\noneclickads.net\r\nadcash.com\r\nInfection Cycle\r\nThe infection cycle involves users visiting a legitimate site that displays certain advertisements from the\r\ncompromised advertising networks, which redirect them to an Angler EK hosting site and begin the exploit\r\ncycle. If the exploit is successful, a new variant of the Bedep Trojan gets downloaded in an encrypted form and\r\ninstalled on the target system.\r\nThe entire infection cycle occurs silently in the background and is completely transparent to the end user.\r\nhttps://www.zscaler.com/blogs/security-research/malvertising-leading-flash-zero-day-angler-exploit-kit\r\nPage 1 of 8\n\nThe exploit page has the title \"Welcome to new site\" and consists of 220 hidden input elements, followed by\r\nthree inline scripts.\r\nThe first script is obfuscated with block comment text (i.e. /* random text */), but also appears\r\npurposefully broken for multiple JavaScript engines. Looking at the code, there are multiple period characters\r\ninserted throughout the script which lead to a syntax error when the script is parsed, before any of it runs:\r\nThe second script calls a function in the first script leading to \"eval\" and resulting in JavaScript code\r\nthat performs browser plugin detection:\r\nThe third script drew our attention, as it is not obfuscated and simply loads an SWF object. This\r\nscript serves the Adobe Flash 0-day and it is interesting to note that the script will only execute if the earlier script\r\nhas thrown an error. 
The Flash payload is only triggered if a variable defined in the first script is undefined:\r\nSuccessful exploitation results in the download of the Bedep Trojan payload, which appears to be encrypted using an\r\nincremental XOR technique.\r\nMalware Payload activity - Bedep Trojan\r\nThe malware payload dropped is a 64-bit DLL belonging to the Bedep Trojan family. This malware family is known\r\nto download additional malware. It is also responsible for generating AdFraud and ClickFraud activity from the\r\ninfected system.\r\nFile: neth.dll\r\nSize: 219608\r\nMD5: EFB584DEA6CBC03765487633BD5A5920\r\nCompiled: Wed, Nov 28 2007, 15:51:15 - 64 Bit DLL\r\nVersion: 5.3.3790.3959 (srv03_sp2_rtm.070216-1710)\r\nIt drops a copy of itself at the following locations:\r\nC:\\ProgramData\\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\\neth.dll\r\nC:\\Users\\All Users\\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\\neth.dll\r\nIt creates the following registry entries to achieve persistence in a discreet manner:\r\nHKLM\\SOFTWARE\\Classes\\CLSID\\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\\InprocServer32\\:\r\n\"C:\\ProgramData\\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\\neth.dll\"\r\nHKLM\\SOFTWARE\\Classes\\CLSID\\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\\InprocServer32\\ThreadingModel: \"Apartment\"\r\nHKU\\S-USERID-1000_Classes\\CLSID\\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\\InprocServer32\\:\r\n\"C:\\ProgramData\\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\\neth.dll\"\r\nHKU\\S-USERID-1000_Classes\\CLSID\\{F6BF8414-962C-40FE-90F1-B80A7E72DB9A}\\InprocServer32\\ThreadingModel: \"Apartment\"\r\nRegistering the DLL as the InprocServer32 for this CLSID ensures that it is loaded and runs in the context of the \"explorer.exe\" process:\r\nIt appears to determine the infected system's timezone and location by connecting to \"earthtools.org\"; however, we\r\nnoticed that it does not supply the latitude and longitude parameters in the
request, essentially resulting in\r\ngetting back only UTC date and time information.\r\nIt employs a Domain Generation Algorithm (DGA) to hide the actual Command \u0026 Control server, as seen\r\nbelow:\r\nWe found the following two C\u0026C domains registered in the past 48 hours:\r\ngaabbezrezrhe1k.com\r\nwzrdirqvrh07.com\r\nIt attempts to connect to these Command \u0026 Control servers to report the infection and receive further instructions.\r\nIt presumably gets a list of ClickFraud tasking servers, after which we observed a high volume of\r\nClickFraud activity.\r\nConclusion\r\nThis is the first 0Day Adobe Flash Player exploit of 2015 and, not surprisingly, we are seeing it\r\nserved through a malvertising campaign. The fact that the final malware payload served in this case is also\r\ninvolved in AdFraud activity leads us to believe that this campaign comes from a gang engaged in\r\nClickFraud and AdFraud activity.\r\nZscaler ThreatLabZ has deployed multiple layers of protection against this threat to ensure that customers are\r\nprotected.\r\nAnalysis by Deepen Desai \u0026 John Mancuso\r\nSource: https://www.zscaler.com/blogs/security-research/malvertising-leading-flash-zero-day-angler-exploit-kit",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/malvertising-leading-flash-zero-day-angler-exploit-kit"
	],
	"report_names": [
		"malvertising-leading-flash-zero-day-angler-exploit-kit"
	],
	"threat_actors": [],
	"ts_created_at": 1775434507,
	"ts_updated_at": 1775791297,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/84eb701235ada8e5d9704f043c4f714db2b959cd.pdf",
		"text": "https://archive.orkl.eu/84eb701235ada8e5d9704f043c4f714db2b959cd.txt",
		"img": "https://archive.orkl.eu/84eb701235ada8e5d9704f043c4f714db2b959cd.jpg"
	}
}