{
	"id": "2b81bf9a-4b6b-4f21-9755-7bce31056f1c",
	"created_at": "2026-04-06T00:18:33.94889Z",
	"updated_at": "2026-04-10T13:11:31.346855Z",
	"deleted_at": null,
	"sha1_hash": "c6f790c7284e57100b6ba5d19f0e034f9d92126e",
	"title": "Operation Daybreak",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 421290,
	"plain_text": "Operation Daybreak\r\nBy Costin Raiu\r\nPublished: 2016-06-17 · Archived: 2026-04-05 13:46:10 UTC\r\nEarlier this year, we deployed new technologies in Kaspersky Lab products to identify and block zero-day attacks.\r\nThis technology already proved its effectiveness earlier this year, when it caught an Adobe Flash zero-day exploit\r\n(CVE-2016-1010). Earlier this month, our technology caught another zero-day Adobe Flash Player exploit\r\ndeployed in targeted attacks. We believe the attacks are launched by an APT group we track under the codename\r\n“ScarCruft”.\r\nScarCruft is a relatively new APT group; victims have been observed in Russia, Nepal, South Korea, China, India,\r\nKuwait and Romania. The group has several ongoing operations, utilizing multiple exploits — two for Adobe\r\nFlash and one for Microsoft Internet Explorer.\r\nOperation Daybreak appears to have been launched by ScarCruft in March 2016 and employs a previously\r\nunknown (0-day) Adobe Flash Player exploit. It is also possible that the group deployed another zero-day exploit,\r\nCVE-2016-0147, which was patched in April.\r\nThis exploit, caught by our technologies, highlights a few very interesting evasion methods, some of which we\r\nhaven’t seen before. We describe them below.\r\nOperation Daybreak general information\r\nOperation Daybreak appears to have been launched by unknown attackers to infect high-profile targets through\r\nspear-phishing e-mails. To date, we have observed more than two dozen victims of these attacks.\r\nAlthough the exact attack vector remains unknown, the targets appear to receive a malicious link which points to a\r\nhacked website where the exploitation kit is hosted. The hacked web server hosting the exploit kit is associated\r\nwith the ScarCruft APT and used in another line of attacks. 
Certain details, such as the use of the same infrastructure\r\nand targeting, make us believe that Operation Daybreak is being carried out by the ScarCruft APT group.\r\nThe ScarCruft APT group is a relatively new player and managed to stay under the radar for some time. In\r\ngeneral, their work is very professional and focused. Their tools and techniques are well above average. Prior\r\nto the discovery of Operation Daybreak, we observed the ScarCruft APT launching a series of attacks in Operation\r\nErebus. Operation Erebus leverages another Flash Player exploit (CVE-2016-4117) through the use of watering\r\nhole attacks.\r\nIn the case of Operation Daybreak, the hacked website hosting the exploit kit performs a couple of browser checks\r\nbefore redirecting the visitor to a server controlled by the attackers, hosted in Poland.\r\nThe main exploit page script contains a BASE64 decoder, as well as RC4 decryption implemented in JS.\r\nhttps://securelist.com/operation-daybreak/75100/\r\nPage 1 of 8\n\nThe parameters sent to the “ap.php” script are randomly generated on each hit, so the second-stage payload gets\r\nencrypted differently each time. This prevents easy detection of the second-stage payload by MD5 or signatures.\r\nThe exploitation process consists of three Flash objects. The Flash object that triggers the vulnerability in Adobe\r\nFlash Player is located in the second SWF delivered to the victim.\r\nAt the end of the exploitation chain, the server sends a legitimate PDF file to the user – “china.pdf”. 
The “china.pdf”\r\nfile shown to the victims in the last stage of the attack seems to be written in Korean:\r\nDecoy document shown to victims\r\nThe document text talks about disagreements between China and “The North” over nuclear programs and\r\ndemilitarization.\r\nVulnerability technical details\r\nThe vulnerability (CVE-2016-4171) is located in the code which parses the ExecPolicy metadata information.\r\nThis is what the structure looks like:\r\nThis structure also contains an array of item_info structures:\r\nThe documentation says the following about these structures:\r\n“The item_info entry consists of item_count elements that are interpreted as key/value pairs of indices into the\r\nstring table of the constant pool. If the value of key is zero, this is a keyless entry and only carries a value.”\r\nIn the exploit used by the ScarCruft group, we have the following item_info structures:\r\nItem_info array in exploit object\r\nThe code that triggers the vulnerability parses this structure and, for every key and value member, tries to get the\r\nrespective string object from the string constant pool. The problem lies in the fact that the “.key” and “.value”\r\nmembers are used as indexes without any bounds checking. It is easy to see that if the key or value\r\nmembers are larger than the string constant pool array, a memory corruption problem appears. 
It is also important to\r\nmention that these members (value, key) are read directly from the SWF object, so an attacker can easily use them to\r\nimplement arbitrary read/write operations.\r\nGetting object by index from constant pool without any checks\r\nUsing this vulnerability, the exploit implements a series of writes at specified addresses to achieve full remote\r\ncode execution.\r\nBypassing security solutions through DDE\r\nThe Operation Daybreak attack employs multiple stages, which are all outstanding in some way. One of them\r\nattracted our attention because it implements a bypass for security solutions that we have never seen before.\r\nIn the first stage of the attack, the decrypted shellcode executed by the exploit downloads and executes a special\r\nDLL file. This is internally called “yay_release.dll”:\r\nSecond stage DLL internal name and export\r\nThe code of this module is loaded directly into the exploited application and has several methods of payload\r\nexecution. One of these methods uses a very interesting technique of payload execution which is designed mostly to\r\nbypass modern anti-malware products. It relies on an interesting bug in the Windows DDE component. It is no\r\nsecret that anti-malware systems trigger on special system functions that are called in the context of potentially\r\nvulnerable applications, in order to perform a deeper analysis of API calls such as CreateProcess, WinExec or ShellExecute.\r\nFor instance, such defense technologies trigger if a potentially vulnerable application such as Adobe Flash starts\r\nother untrusted applications, script interpreters or even the command console.\r\nTo make execution of the payload invisible to these defense systems, the threat actors used the Windows DDE\r\ninterface in a very clever way. 
First, they register a special window for it:\r\nIn the window procedure, they post WM_DDE_EXECUTE messages with commands:\r\nSending WM_DDE_EXECUTE message to window\r\nThe attackers used the following commands:\r\nThe main idea here is that if you create a LNK to an executable or command, then use the ShowGroup method,\r\nthe program will be executed. This is undocumented behavior in Microsoft Windows.\r\nIn our case, a malicious VBS was executed, which installs a next-stage payload stored in a CAB file:\r\nMalicious VBS used in the attack\r\nWe have reported this “creative” abuse of DDE to Microsoft’s security team.\r\nThe final payload of the attack is a CAB file with the following MD5:\r\n8844a537e7f533192ca8e81886e70fbc\r\nThe MS CAB file (md5: 8844a537e7f533192ca8e81886e70fbc) contains 4 malicious DLL files:\r\nMD5 Filename\r\na6f14b547d9a7190a1f9f1c06f906063 cfgifut.dll\r\ne51ce28c2e2d226365bc5315d3e5f83e cldbct.dll\r\n067681b79756156ba26c12bc36bf835c cryptbase.dll\r\nf8a2d4ddf9dc2de750c8b4b7ee45ba3f msfte.dll\r\nThe file cldbct.dll (e51ce28c2e2d226365bc5315d3e5f83e) connects to the following C2:\r\nhXXp://webconncheck.myfw[.]us:8080/8xrss.php\r\nThe modules are signed with invalid digital certificates listed as “Tencent Technology (Shenzhen) Company\r\nLimited”, with serial numbers copied from real Tencent certificates:\r\n5d 06 88 f9 04 0a d5 22 87 fc 32 ad ec eb 85 b0\r\n71 70 bd 93 cf 3f 18 9a e6 45 2b 51 4c 49 34 0e\r\nInvalid digital signature on malware samples\r\nThe malware deployed in this attack is extremely rare and apparently reserved only for high-profile victims. 
Our\r\nproducts detect it, as well as other malware from ScarCruft, as HEUR:Trojan.Win32.ScarCruft.gen.\r\nVictims:\r\nAlthough our visibility is rather limited, some of the victims of these attacks include:\r\nA law enforcement agency in an Asian country\r\nOne of the largest trading companies in Asia and in the world\r\nA mobile advertising and app monetization company in the USA\r\nIndividuals related to the International Association of Athletics Federations\r\nA restaurant located in one of the top malls in Dubai\r\nSome of these were compromised over the last few days, indicating the attackers are still very active.\r\nConclusions:\r\nNowadays, in-the-wild Flash Player exploits are becoming rare. This is because in most cases they need to be\r\ncoupled with a sandbox bypass exploit, which makes them rather tricky.\r\nAdditionally, Adobe has been doing a great job at implementing new mitigations to make exploitation of Flash\r\nPlayer more and more difficult.\r\nNevertheless, resourceful threat actors such as ScarCruft will probably continue to deploy zero-day exploits\r\nagainst their high-profile targets.\r\nAs usual, the best defense against targeted attacks is a multi-layered approach. Windows users should combine\r\ntraditional anti-malware technologies with patch management, host intrusion detection and, ideally, allowlisting\r\nand default-deny strategies. According to a study by the Australian DSD, 85% of the targeted attacks analysed\r\ncould have been stopped by four simple defense strategies. 
While it’s impossible to achieve 100% protection, in\r\npractice, in most cases, all you have to do is increase your defenses to the point where it becomes too expensive\r\nfor the attacker – who will just give up and move on to other targets.\r\nKaspersky products detect the Flash exploit as HEUR:Exploit.SWF.Agent.gen; our AEP (Automatic Exploit\r\nPrevention) component can also successfully detect this attack. Payloads are detected with the\r\nHEUR:Trojan.Win32.ScarCruft.gen verdict.\r\n* More information about the ScarCruft APT group is available to customers of Kaspersky Intelligent Services.\r\nIndicators of compromise:\r\nMalicious IPs and hostnames:\r\n212.7.217[.]10\r\nreg.flnet[.]org\r\nwebconncheck.myfw[.]us\r\nMD5s:\r\n3e5ac6bbf108feec97e1cc36560ab0b6\r\na6f14b547d9a7190a1f9f1c06f906063\r\ne51ce28c2e2d226365bc5315d3e5f83e\r\n067681b79756156ba26c12bc36bf835c\r\nf8a2d4ddf9dc2de750c8b4b7ee45ba3f\r\n8844a537e7f533192ca8e81886e70fbc\r\nSource: https://securelist.com/operation-daybreak/75100/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/operation-daybreak/75100/"
	],
	"report_names": [
		"75100"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434713,
	"ts_updated_at": 1775826691,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c6f790c7284e57100b6ba5d19f0e034f9d92126e.pdf",
		"text": "https://archive.orkl.eu/c6f790c7284e57100b6ba5d19f0e034f9d92126e.txt",
		"img": "https://archive.orkl.eu/c6f790c7284e57100b6ba5d19f0e034f9d92126e.jpg"
	}
}