{
	"id": "f8d5329f-dc2e-4bec-9297-77752657487d",
	"created_at": "2026-04-06T00:11:14.567181Z",
	"updated_at": "2026-04-10T03:28:34.737629Z",
	"deleted_at": null,
	"sha1_hash": "8a0f5da9a44cc0b3e55970d8286dd6d668a52f90",
	"title": "Threat Groups SandCat, FruityArmor Exploiting Microsoft Win32k Flaw",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63188,
	"plain_text": "Threat Groups SandCat, FruityArmor Exploiting Microsoft\r\nWin32k Flaw\r\nBy Lindsey O'Donnell\r\nPublished: 2019-03-13 · Archived: 2026-04-05 23:03:27 UTC\r\nNewly patched CVE-2019-0797 is being actively exploited by two APTs, FruityArmor and SandCat.\r\nA newly patched Microsoft Win32k vulnerability is being exploited in the wild by at least two threat actors,\r\nincluding a recently discovered advanced persistent threat (APT) group dubbed SandCat.\r\nThe exploited vulnerability (CVE-2019-0797), rated important, was patched on Tuesday as part of Microsoft’s\r\nregularly scheduled March security update. But Kaspersky Lab researchers said that the vulnerability is already\r\nbeing used by two APTs, SandCat and FruityArmor, to run arbitrary code on target systems.\r\nSandCat is an APT that was discovered only recently, researchers Vasiliy Berdnikov and Boris Larin said in a\r\nWednesday deep-dive analysis of the vulnerability and its exploits.\r\n“SandCat is a relatively new APT group; we first observed them in 2018, although it would appear they have been\r\naround for some time,” Costin Raiu, director of global research and analysis team at Kaspersky Lab, told\r\nThreatpost. “They use both FinFisher/FinSpy [spyware] and the CHAINSHOT framework in attacks, coupled\r\nwith various zero-days. Targets of SandCat have been mostly observed in Middle East, including but not limited to\r\nSaudi Arabia.”\r\nMeanwhile, the FruityArmor APT group is an under-the-radar cyber-espionage gang also active in the Middle\r\nEast, which has been around for some time, Raiu said. FruityArmor has been known to exploit other zero-days,\r\nincluding one (CVE-2018-8453) back in October 2018.\r\n“The earliest publication from our side on them is from 2016, when we identified another zero day (CVE-2016-3393)\r\nbeing used by this group,” Raiu told Threatpost. 
“Victims of FruityArmor are generally located in Middle\r\nEast, but they are known to target journalists and activists in other regions as well.”\r\nThe new exploit found in the wild targets 64-bit operating systems in the range from Windows 8 to Windows\r\n10 build 15063.\r\n“As we can see from the zero-day used in the wild, exploitation of this vulnerability is not difficult and is reliable\r\nfor 64-bit operating systems in the range from Windows 8 to Windows 10 build 15063,” Kaspersky Lab’s Larin\r\ntold Threatpost.\r\nBoth Mideast-focused APTs are selectively choosing their targets, researchers said.\r\nhttps://threatpost.com/sandcat-fruityarmor-exploiting-microsoft-win32k/142751/\r\nPage 1 of 2\n\n“We observed very few attempts to exploit this vulnerability, in targeted attacks,” Raiu told Threatpost. “This is\r\ngenerally the case with high-profile zero-days, which are used only for high-value targets in what can be\r\nconsidered surgical campaigns.”\r\nThe Vulnerability\r\nCVE-2019-0797 is an elevation-of-privilege vulnerability that exists in Windows when the Win32k component\r\nfails to properly handle objects in memory. Win32k is the Windows kernel-mode driver that implements the graphics and window-management subsystem.\r\nSpecifically, the flaw is a race condition in the win32k driver caused by a lack of proper\r\nsynchronization between two undocumented system calls (NtDCompositionDiscardFrame and\r\nNtDCompositionDestroyConnection), researchers said. A race condition occurs when a system attempts to perform\r\ntwo or more operations at the same time.\r\nTo exploit this, an attacker could first execute the system calls NtDCompositionDiscardFrame and\r\nNtDCompositionDestroyConnection simultaneously.\r\nWhen this happens, the system call NtDCompositionDiscardFrame will look for a frame to release. 
During that\r\ntime, the attacker would execute the function DiscardAllCompositionFrames. This condition leads to a use-after-free scenario, a type of memory-corruption flaw that can be leveraged by attackers to execute arbitrary\r\ncode.\r\nThat means an attacker who successfully exploits this vulnerability could run arbitrary code in kernel mode, and\r\ncould then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n“An attacker could…run a specially crafted application that could exploit the vulnerability and take control of an\r\naffected system,” according to Microsoft’s advisory.\r\nImportantly, to exploit the vulnerability, an attacker would first have to log on to the system.\r\nResearchers reported the flaw to Microsoft on Feb. 22. Microsoft’s subsequent update, released on Patch Tuesday,\r\naddresses the vulnerability by correcting how Win32k handles objects in memory.\r\nSource: https://threatpost.com/sandcat-fruityarmor-exploiting-microsoft-win32k/142751/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://threatpost.com/sandcat-fruityarmor-exploiting-microsoft-win32k/142751/"
	],
	"report_names": [
		"142751"
	],
	"threat_actors": [
		{
			"id": "0f47a6f3-a181-4e15-9261-50eef5f03a3a",
			"created_at": "2022-10-25T16:07:24.228663Z",
			"updated_at": "2026-04-10T02:00:04.905195Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038",
				"Project Raven",
				"Stealth Falcon"
			],
			"source_name": "ETDA:Stealth Falcon",
			"tools": [
				"Deadglyph",
				"StealthFalcon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77aedfa3-e52b-4168-8269-55ccec0946f7",
			"created_at": "2023-01-06T13:46:38.453791Z",
			"updated_at": "2026-04-10T02:00:02.981559Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038"
			],
			"source_name": "MISPGALAXY:Stealth Falcon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "80cf66b8-27d2-4e87-b0d1-5bacacd9bb3d",
			"created_at": "2023-01-06T13:46:38.931567Z",
			"updated_at": "2026-04-10T02:00:03.149736Z",
			"deleted_at": null,
			"main_name": "SandCat",
			"aliases": [],
			"source_name": "MISPGALAXY:SandCat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67ac502c-8cf8-46cb-98e8-c249e0f0298d",
			"created_at": "2022-10-25T16:07:24.149987Z",
			"updated_at": "2026-04-10T02:00:04.882099Z",
			"deleted_at": null,
			"main_name": "SandCat",
			"aliases": [],
			"source_name": "ETDA:SandCat",
			"tools": [
				"CHAINSHOT",
				"FinFisher",
				"FinFisher RAT",
				"FinSpy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434274,
	"ts_updated_at": 1775791714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8a0f5da9a44cc0b3e55970d8286dd6d668a52f90.pdf",
		"text": "https://archive.orkl.eu/8a0f5da9a44cc0b3e55970d8286dd6d668a52f90.txt",
		"img": "https://archive.orkl.eu/8a0f5da9a44cc0b3e55970d8286dd6d668a52f90.jpg"
	}
}