{
	"id": "36b8471b-246d-4f8b-adfd-1a3c4b4533df",
	"created_at": "2026-04-06T00:19:35.661971Z",
	"updated_at": "2026-04-10T03:31:42.522873Z",
	"deleted_at": null,
	"sha1_hash": "9b8e466ddf91741346ca8f9bd3596067ddb02eac",
	"title": "A New Zero-Day Vulnerability Exploited in the wild – ClearSky Cyber Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35502,
	"plain_text": "A New Zero-Day Vulnerability Exploited in the wild – ClearSky\r\nCyber Security\r\nPublished: 2024-11-13 · Archived: 2026-04-05 12:35:36 UTC\r\nA new zero-day vulnerability, CVE-2024-43451, was discovered by ClearSky Cyber Security in June 2024. This\r\nvulnerability affects Windows systems and is being actively exploited in attacks against Ukrainian entities.\r\nThe vulnerability activates URL files containing malicious code through seemingly innocuous actions:\r\nA single right-click on the file (all Windows versions).\r\nDeleting the file (Windows 10/11).\r\nDragging the file to another folder (Windows 10/11 and some Windows 7/8/8.1 configurations).\r\nThe malicious URL files were disguised as academic certificates and were initially observed being distributed\r\nfrom a compromised official Ukrainian government website.\r\nExploitation Process:\r\nThe attack begins with a phishing email sent from a compromised Ukrainian government server. The email\r\nprompts the recipient to renew their academic certificate. The email contains a malicious URL file. When the user\r\ninteracts with the URL file by right-clicking, deleting, or moving it, the vulnerability is triggered. This action\r\nestablishes a connection with the attacker’s server and downloads further malicious files, including SparkRAT\r\nmalware.\r\nSparkRAT is an open-source remote access trojan that allows the attacker to gain control of the victim’s system.\r\nThe attackers also employed techniques to maintain persistence on the infected system, ensuring their access\r\neven after a reboot.\r\nAttribution:\r\nCERT-UA linked this campaign to the threat actor UAC-0194, suspected to be Russian. ClearSky also noted\r\nsimilarities with previous campaigns by other threat actors, suggesting the use of a common toolkit or technique.\r\nRemediation:\r\nMicrosoft released a security patch for this vulnerability on November 12, 2024. 
Users are strongly advised to\r\nupdate their Windows systems to mitigate the risk posed by CVE-2024-43451.\r\nRead the full report:\r\nSource: https://www.clearskysec.com/0d-vulnerability-exploited-in-the_wild/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.clearskysec.com/0d-vulnerability-exploited-in-the_wild/"
	],
	"report_names": [
		"0d-vulnerability-exploited-in-the_wild"
	],
	"threat_actors": [
		{
			"id": "dbcd2cc1-1adb-43cf-b175-a3ef4ee0d15e",
			"created_at": "2024-11-16T02:00:03.808384Z",
			"updated_at": "2026-04-10T02:00:03.767693Z",
			"deleted_at": null,
			"main_name": "UAC-0194",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0194",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434775,
	"ts_updated_at": 1775791902,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b8e466ddf91741346ca8f9bd3596067ddb02eac.pdf",
		"text": "https://archive.orkl.eu/9b8e466ddf91741346ca8f9bd3596067ddb02eac.txt",
		"img": "https://archive.orkl.eu/9b8e466ddf91741346ca8f9bd3596067ddb02eac.jpg"
	}
}