{ "id": "24fea857-b662-4f0e-a141-e9db390c9e7c", "created_at": "2026-04-06T00:14:24.48353Z", "updated_at": "2026-04-10T03:34:54.352032Z", "deleted_at": null, "sha1_hash": "b0d70fc2e1469f7c2c56e507599fac7f078cb6de", "title": "Darkhotel APT is back: Zero-day vulnerability in Microsoft VBScript is exploited | 360 Total Security Blog", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 37546, "plain_text": "Darkhotel APT is back: Zero-day vulnerability in Microsoft\r\nVBScript is exploited | 360 Total Security Blog\r\nPublished: 2018-08-21 · Archived: 2026-04-05 23:13:09 UTC\r\nAug 21, 2018Elley\r\nChoose a language\r\nLearn more about 360 Total Security\r\nVBScript is available in the latest versions of Windows and Internet Explorer 11. However, Microsoft disabled\r\nVBScript execution in the latest version of Windows in the browser’s default configuration, which makes it\r\nimmune to the vulnerability. There are still other ways to load scripts. For example, applications in the Office suite\r\nrely on the IE engine to load and render web content.\r\nThe researchers of Trend Micro noticed that the VBScript vulnerability being exploited after Microsoft delivered\r\nits regular Windows update in July. The vulnerability is named as CVE-2018-8373, which was addressed in this\r\nmonth’s patch delivery. It is a use-after-free memory corruption that allows attackers to run shellcode on the\r\ncompromised computer.\r\nAfter analyzing the exploit code, the researchers found that it used the same obfuscation technique as an older\r\nVBScript vulnerability CVE-2018-8174 which is fixed in May. The older vulnerability is known as “Double Kill”,\r\nwhich was reported by Qihoo 360. The researchers of Qihoo 360 pointed out that Trend Micro’s analysis of CVE-2018-8373 referenced the same domain name embedded in Office documents to download “Double Kill” exploit\r\ncode.\r\nIn May, the researches of Qihoo 360 analyzed “Double Kill” and confirmed its association with the Darkhotel\r\ngroup (APT-C-06). The researchers drew this conclusion from the tools and methods that Darkhotel group used. It\r\nis considered that the decryption algorithm used by “Double Kill” is similar with APT-C-06, and China is one of\r\nits main targets.\r\nKaspersky Lab found Darkhotel in 2014 and has traced its activity since 2007. The experts believe that the group\r\nchronically targeted corporate executives and representatives of government organizations who stay in Asian\r\nluxury hotels.\r\nWe can conclude that Darkhotel is a highly sophisticated group or has strong financial support through its use of\r\nzero-day exploit in renown products.\r\nEarlier this month, McAfee and Intezer claimed that Darkhotel has a strong connection with North Korea. They\r\nanalyzed the malware used in multiple attacks related to North Korea. After analyzing the code used between 2008\r\nand 2017, the researchers associated these malware families together.\r\nhttps://blog.360totalsecurity.com/en/darkhotel-apt-is-back-zero-day-vulnerability-in-microsoft-vbscript-is-exploited/\r\nPage 1 of 2\n\nBased on the research, Darkhotel is directly related to the Dark Seoul malware, which has the strong connection\r\nwith “Operation Blockbuster” (an attack against Sony Pictures, which FBI believes that this is launched by North\r\nKorea).\r\nNote: This article is from Bleeping Computer.\r\nLearn more about 360 Total Security\r\nSource: https://blog.360totalsecurity.com/en/darkhotel-apt-is-back-zero-day-vulnerability-in-microsoft-vbscript-is-exploited/\r\nhttps://blog.360totalsecurity.com/en/darkhotel-apt-is-back-zero-day-vulnerability-in-microsoft-vbscript-is-exploited/\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://blog.360totalsecurity.com/en/darkhotel-apt-is-back-zero-day-vulnerability-in-microsoft-vbscript-is-exploited/" ], "report_names": [ "darkhotel-apt-is-back-zero-day-vulnerability-in-microsoft-vbscript-is-exploited" ], "threat_actors": [ { "id": "1dadf04e-d725-426f-9f6c-08c5be7da159", "created_at": "2022-10-25T15:50:23.624538Z", "updated_at": "2026-04-10T02:00:05.286895Z", "deleted_at": null, "main_name": "Darkhotel", "aliases": [ "Darkhotel", "DUBNIUM", "Zigzag Hail" ], "source_name": "MITRE:Darkhotel", "tools": null, "source_id": "MITRE", "reports": null }, { "id": "b13c19d6-247d-47ba-86ba-15a94accc179", "created_at": "2024-05-01T02:03:08.149923Z", "updated_at": "2026-04-10T02:00:03.763147Z", "deleted_at": null, "main_name": "TUNGSTEN BRIDGE", "aliases": [ "APT-C-06 ", "ATK52 ", "CTG-1948 ", "DUBNIUM ", "DarkHotel ", "Fallout Team ", "Shadow Crane ", "Zigzag Hail " ], "source_name": "Secureworks:TUNGSTEN BRIDGE", "tools": [ "Nemim", "Tapaoux" ], "source_id": "Secureworks", "reports": null }, { "id": "2b4eec94-7672-4bee-acb2-b857d0d26d12", "created_at": "2023-01-06T13:46:38.272109Z", "updated_at": "2026-04-10T02:00:02.906089Z", "deleted_at": null, "main_name": "DarkHotel", "aliases": [ "T-APT-02", "Nemim", "Nemin", "Shadow Crane", "G0012", "DUBNIUM", "Karba", "APT-C-06", "SIG25", "TUNGSTEN BRIDGE", "Zigzag Hail", "Fallout Team", "Luder", "Tapaoux", "ATK52" ], "source_name": "MISPGALAXY:DarkHotel", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c0cedde3-5a9b-430f-9b77-e6568307205e", "created_at": "2022-10-25T16:07:23.528994Z", "updated_at": "2026-04-10T02:00:04.642473Z", "deleted_at": null, "main_name": "DarkHotel", "aliases": [ "APT-C-06", "ATK 52", "CTG-1948", "Dubnium", "Fallout Team", "G0012", "G0126", "Higaisa", "Luder", "Operation DarkHotel", "Operation Daybreak", "Operation Inexsmar", "Operation PowerFall", "Operation The Gh0st Remains the Same", "Purple Pygmy", "SIG25", "Shadow Crane", "T-APT-02", "TieOnJoe", "Tungsten Bridge", "Zigzag Hail" ], "source_name": "ETDA:DarkHotel", "tools": [ "Asruex", "DarkHotel", "DmaUp3.exe", "GreezeBackdoor", "Karba", "Nemain", "Nemim", "Ramsay", "Retro", "Tapaoux", "Trojan.Win32.Karba.e", "Virus.Win32.Pioneer.dx", "igfxext.exe", "msieckc.exe" ], "source_id": "ETDA", "reports": null }, { "id": "a2b92056-9378-4749-926b-7e10c4500dac", "created_at": "2023-01-06T13:46:38.430595Z", "updated_at": "2026-04-10T02:00:02.971571Z", "deleted_at": null, "main_name": "Lazarus Group", "aliases": [ "Operation DarkSeoul", "Bureau 121", "Group 77", "APT38", "NICKEL GLADSTONE", "G0082", "COPERNICIUM", "Moonstone Sleet", "Operation GhostSecret", "APT 38", "Appleworm", "Unit 121", "ATK3", "G0032", "ATK117", "NewRomanic Cyber Army Team", "Nickel Academy", "Sapphire Sleet", "Lazarus group", "Hastati Group", "Subgroup: Bluenoroff", "Operation Troy", "Black Artemis", "Dark Seoul", "Andariel", "Labyrinth Chollima", "Operation AppleJeus", "COVELLITE", "Citrine Sleet", "DEV-0139", "DEV-1222", "Hidden Cobra", "Bluenoroff", "Stardust Chollima", "Whois Hacking Team", "Diamond Sleet", "TA404", "BeagleBoyz", "APT-C-26" ], "source_name": "MISPGALAXY:Lazarus Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "771d9263-076e-4b6e-bd58-92b6555eb739", "created_at": "2025-08-07T02:03:25.092436Z", "updated_at": "2026-04-10T02:00:03.758541Z", "deleted_at": null, "main_name": "NICKEL HYATT", "aliases": [ "APT45 ", "Andariel", "Dark Seoul", "Jumpy Pisces ", "Onyx Sleet ", "RIFLE Campaign", "Silent Chollima ", "Stonefly ", "UN614 " ], "source_name": "Secureworks:NICKEL HYATT", "tools": [ "ActiveX 0-day", "DTrack", "HazyLoad", "HotCriossant", "Rifle", "UnitBot", "Valefor" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434464, "ts_updated_at": 1775792094, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/b0d70fc2e1469f7c2c56e507599fac7f078cb6de.pdf", "text": "https://archive.orkl.eu/b0d70fc2e1469f7c2c56e507599fac7f078cb6de.txt", "img": "https://archive.orkl.eu/b0d70fc2e1469f7c2c56e507599fac7f078cb6de.jpg" } }