{
	"id": "6dd34990-6c5d-45e5-8cfa-b15c14d1749a",
	"created_at": "2026-04-06T00:19:14.829349Z",
	"updated_at": "2026-04-10T13:11:22.661052Z",
	"deleted_at": null,
	"sha1_hash": "c1ad568ce93baec700467536c76fc21174bca41f",
	"title": "PuzzleMaker attacks with Chrome zero-day exploit chain",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 241576,
	"plain_text": "PuzzleMaker attacks with Chrome zero-day exploit chain\r\nBy Costin Raiu\r\nPublished: 2021-06-08 · Archived: 2026-04-05 16:34:04 UTC\r\nOn April 14-15, 2021, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. While we were not able to retrieve the exploit used for remote code execution (RCE) in the Chrome web browser, we were able to find and analyze an elevation of privilege (EoP) exploit that was used to escape the sandbox and obtain system privileges.\r\nThe elevation of privilege exploit was fine-tuned to work against the latest and most prominent builds of Windows 10 (17763 – RS5, 18362 – 19H1, 18363 – 19H2, 19041 – 20H1, 19042 – 20H2) and it exploits two distinct vulnerabilities in the Microsoft Windows OS kernel. On April 20, 2021, we reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the information disclosure vulnerability and CVE-2021-31956 to the elevation of privilege vulnerability. Both vulnerabilities were patched on June 8, 2021, as part of the June Patch Tuesday.\r\nRemote code execution exploit\r\nAll of the observed attacks were conducted through the Chrome browser. Unfortunately, we were unable to retrieve the JavaScript with the full exploit code, but the timeframe of the attacks and the events preceding them led us to suspect one particular vulnerability.\r\nOn April 6-8, 2021 the Pwn2Own competition took place. This is a computer hacking contest where the Google Chrome web browser was one of the targets. 
According to the ZDI (Zero Day Initiative, the organizer of Pwn2Own) website, one participating team was able to demonstrate a successful exploitation of the Chrome renderer process using a Typer Mismatch bug.\r\nOn April 12, 2021, the developers of Chromium committed two Typer-related bug fixes (issue 1196683, issue 1195777) to the open-source repository of V8 – the JavaScript engine used by the Chrome and Chromium web browsers. One of these bug fixes (issue 1196683) was intended to patch a vulnerability that was used during Pwn2Own, and both bug fixes were committed together with regression tests – JavaScript files that trigger these vulnerabilities. Later on the same day, a user with the Twitter handle @r4j0x00 published a working remote code execution exploit on GitHub, targeting an up-to-date version of Google Chrome. That exploit used the vulnerability from issue 1196683 to execute shellcode in the context of the browser renderer process.\r\nhttps://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/\r\nScreenshot of tweet with Chrome zero-day published on April 12, 2021\r\nThe published exploit didn’t contain a sandbox escape exploit and was therefore intended to work only when the browser was launched with the command line option --no-sandbox.\r\nOn April 13, 2021, Google released Chrome update 89.0.4389.128 for Windows, Mac and Linux with a fix for two vulnerabilities; CVE-2021-21220 (used during Pwn2Own) was one of them.\r\nSome of our customers who were attacked on April 14-15, 2021, already had their Chrome browser updated to 89.0.4389.128, and that’s why we think the attackers didn’t use CVE-2021-21220 in their attacks.\r\nOn April 14, 2021, Google released Chrome update 90.0.4430.72 for Windows, Mac and Linux with a fix for 37 vulnerabilities. 
On the same day, a new Chrome exploit was presented to the public.\r\nScreenshot of GitHub repository with Chrome zero-day published on April 14, 2021\r\nThis newly published exploit used the vulnerability from issue 1195777, worked on the newly released Chrome 90.0.4430.72, and was fixed as CVE-2021-21224 only a few days later, on April 20, 2021.\r\nWe suspect the attackers were also able to use this regression-test JavaScript file to develop the exploit (or acquire it from someone else) and were probably using CVE-2021-21224 in their attacks.\r\nElevation of privilege exploit\r\nCVE-2021-31955 is an information disclosure vulnerability in ntoskrnl.exe. The vulnerability is affiliated with a Windows OS feature called SuperFetch. It was introduced in Windows Vista and is aimed at reducing software loading times by pre-loading commonly used applications into memory. For SuperFetch purposes the function NtQuerySystemInformation implements a special system information class, SystemSuperfetchInformation. This system information class incorporates more than a dozen different SuperFetch information classes. The vulnerability lies in the fact that data returned by the NtQuerySystemInformation function for the SuperFetch information class SuperfetchPrivSourceQuery contains EPROCESS kernel addresses for currently executing processes.\r\nIt’s noteworthy that this vulnerability can be observed in code that was available on GitHub for a few years before we caught it in the wild and Microsoft patched it.\r\nCVE-2021-31955 can be observed in the source code of the MemInfo utility\r\nThe other vulnerability, CVE-2021-31956, is a heap-based buffer overflow in ntfs.sys. 
The function NtfsQueryEaUserEaList processes a list of extended attributes for a file and stores the retrieved values to a buffer. This function is accessible via an ntoskrnl syscall and, among other things, it’s possible to control the size of the output buffer. If the size of an extended attribute is not aligned, the function calculates padding so that the next extended attribute is stored 32-bit aligned. The code checks whether the output buffer is long enough to fit the extended attribute with padding, but it doesn’t check for a possible integer underflow. As a result, a heap-based buffer overflow can happen.\r\nfor ( cur_ea_list_entry = ea_list; ; cur_ea_list_entry = next_ea_list_entry )\r\n{\r\n  ...\r\n  out_buf_pos = (DWORD *)(out_buf + padding + occupied_length);\r\n  if ( NtfsLocateEaByName(eas_blocks_for_file, eas_blocks_size, &name, &ea_block_pos) )\r\n  {\r\n    ea_block = eas_blocks_for_file + ea_block_pos;\r\n    ea_block_size = ea_block->DataLength + ea_block->NameLength + 9;\r\n    if ( ea_block_size <= out_buf_length - padding ) // integer-underflow is possible\r\n    {\r\n      memmove(out_buf_pos, (const void *)ea_block, ea_block_size); // heap buffer overflow\r\n      *out_buf_pos = 0;\r\n    }\r\n  }\r\n  else\r\n  {\r\n    ...\r\n  }\r\n  ...\r\n  occupied_length += ea_block_size + padding;\r\n  out_buf_length -= ea_block_size + padding;\r\n  padding = ((ea_block_size + 3) & 0xFFFFFFFC) - ea_block_size;\r\n  ...\r\n}\r\nPseudo-code for vulnerable code in function NtfsQueryEaUserEaList\r\nThe exploit uses CVE-2021-31956 along with the Windows Notification Facility (WNF) to create arbitrary memory read and write primitives. 
We are planning to publish more information about this technique in the future.\r\nAs the exploit uses CVE-2021-31955 to get the kernel address of the EPROCESS structure, it is able to use the common post-exploitation technique of stealing the SYSTEM token. However, the exploit instead uses a rarely used “PreviousMode” technique. We have seen this technique used by the CHAINSHOT framework and even made a presentation about it at CanSecWest/BlueHat in 2019. The exploit uses this technique to inject a malware module into the system process and execute it.\r\nMalware modules\r\nBesides the aforementioned exploits, the full attack chain consists of four additional malware modules, which will be referred to as:\r\nStager\r\nDropper\r\nService\r\nRemote shell\r\nThe stager module is used to notify that exploitation was successful. It also downloads and executes a more complex malware dropper module from a remote server. Each stager module is delivered to the victim with a personalized configuration blob that defines the C&C URL, Session ID, keys to decrypt the next stage of malware, and other information.\r\nAll the stager module samples that we’ve discovered so far were configured to use the same URL address – hxxps://p{removed}/metrika_upload/index.php – to download the encrypted malware dropper module.\r\nWe believe there is a chance that the remote code execution JavaScript exploit was also hosted on the same legitimate-looking geopolitical news portal, but we found no evidence of a classic watering hole attack. The victimology suggests a highly targeted delivery of exploits.\r\nThe dropper module is used to install two executables that pretend to be legitimate files belonging to the Microsoft Windows OS. One of these files (%SYSTEM%\\WmiPrvMon.exe) is registered as a service and is used as a launcher for the second executable. 
This second executable (%SYSTEM%\\wmimon.dll) has the functionality of a remote shell and can be considered the main payload of the attack. We couldn’t find any similarities between this and other known malware.\r\nThe remote shell module has a hardcoded URL of the C&C server inside (media-seoengine[.]com). All the communication between the C&C server and client is authorized and encrypted. The remote shell module is able to download and upload files, create processes, sleep for specified amounts of time and delete itself from the compromised machine.\r\nNone of the artifacts we analyzed appear to have strong connections to any known threat actors. The only similarity to CHAINSHOT we observed is the “PreviousMode” technique, although this is publicly known and may be used by various groups. We are calling the threat actor behind these attacks PuzzleMaker.\r\nKaspersky products detect this exploit and malware modules with the verdicts:\r\nPDM:Exploit.Win32.Generic\r\nPDM:Trojan.Win32.Generic\r\nUDS:DangerousObject.Multi.Generic\r\nKaspersky products detected these attacks with the help of the Behavioral Detection Engine and the Exploit Prevention component. Over the past few years, we have built a multitude of exploit protection technologies into our products that have detected many zero-days, repeatedly proving their effectiveness. We will continue to improve defenses for our users by enhancing technologies and working with third-party vendors to patch vulnerabilities, making the internet more secure for everyone.\r\nMore information about these attacks and the actor behind them is available to customers of the Kaspersky Intelligence Reporting service. 
Contact: intelreports@kaspersky.com.\r\nKaspersky would like to thank Microsoft for their prompt analysis of the report and patches.\r\nIoCs\r\nmedia-seoengine[.]com\r\n%SYSTEM%\\WmiPrvMon.exe\r\n%SYSTEM%\\wmimon.dll\r\nSource: https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/"
	],
	"report_names": [
		"102771"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434754,
	"ts_updated_at": 1775826682,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c1ad568ce93baec700467536c76fc21174bca41f.pdf",
		"text": "https://archive.orkl.eu/c1ad568ce93baec700467536c76fc21174bca41f.txt",
		"img": "https://archive.orkl.eu/c1ad568ce93baec700467536c76fc21174bca41f.jpg"
	}
}