{
	"id": "ebc84d5d-6b03-47e3-bfed-f00489c1b96d",
	"created_at": "2026-04-06T00:10:40.05126Z",
	"updated_at": "2026-04-10T03:30:11.965474Z",
	"deleted_at": null,
	"sha1_hash": "d5aad129770ae66ce41b2d1ba56302f7ca273d82",
	"title": "ESET Research: Spy group exploits WPS Office zero day; analysis uncovers a second vulnerability",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43668,
	"plain_text": "ESET Research: Spy group exploits WPS Office zero day; analysis\r\nuncovers a second vulnerability\r\nBy Editor\r\nArchived: 2026-04-05 13:09:03 UTC\r\nSouth Korea-aligned advanced persistent threat group APT-C-60 weaponized a remote code execution\r\nvulnerability in WPS Office for Windows (CVE-2024-7262) in order to target East Asian countries. ESET\r\nResearch discovered the vulnerability and provides a root cause analysis, along with a description of its\r\nweaponization.\r\nA strange spreadsheet document referencing one of the group’s many downloader components pointed to\r\nAPT-C-60.\r\nThe exploit is deceptive enough to trick users into clicking on a legitimate-looking spreadsheet while also\r\nbeing very effective and reliable. The choice of the MHTML file format allowed the attackers to turn a\r\ncode execution vulnerability into a remote one.\r\nWhile analyzing the vulnerability, ESET Research discovered another way to exploit it (CVE-2024-7263).\r\nFollowing our coordinated vulnerability disclosure policy, as Kingsoft acknowledged and patched both\r\nvulnerabilities, we provide a detailed analysis.\r\nBRATISLAVA, MONTREAL — August 28, 2024 — ESET researchers discovered a remote code execution\r\nvulnerability in WPS Office for Windows (CVE-2024-7262). It was being exploited by APT-C-60, a South Korea-aligned cyberespionage group, to target East Asian countries. When examining the root cause, ESET discovered\r\nanother way to exploit the faulty code (CVE-2024-7263). Following a coordinated disclosure process, both\r\nvulnerabilities are now patched. The final payload in the APT-C-60 attack is a custom backdoor with\r\ncyberespionage capabilities that ESET Research internally named SpyGlace.\r\n“While investigating APT-C-60 activities, we found a strange spreadsheet document referencing one of the\r\ngroup’s many downloader components. 
The WPS Office software has over 500 million active users worldwide,\r\nwhich makes it a good target to reach a substantial number of individuals, particularly in the East Asia region,”\r\nsays ESET researcher Romain Dumont, who analyzed the vulnerabilities. During the coordinated vulnerability\r\ndisclosure process between ESET and the vendor, DBAPPSecurity independently published an analysis of the\r\nweaponized vulnerability and confirmed that APT-C-60 has exploited the vulnerability to deliver malware to users\r\nin China.\r\nThe malicious document comes as an MHTML export of the commonly used XLS spreadsheet format. However,\r\nit contains a specially crafted and hidden hyperlink designed to trigger the execution of an arbitrary library if\r\nclicked when using the WPS Spreadsheet application. The rather unconventional MHTML file format allows a file\r\nto be downloaded as soon as the document is opened; therefore, leveraging this technique while exploiting the\r\nvulnerability provides for remote code execution.\r\nhttps://www.eset.com/int/about/newsroom/press-releases/research/eset-research-spy-group-exploits-wps-office-zero-day-analysis-uncovers-a-second-vulnerability/\r\nPage 1 of 2\n\n“To exploit this vulnerability, an attacker would need to store a malicious library somewhere accessible by the\r\ntargeted computer either on the system or on a remote share, and know its file path in advance. The exploit\r\ndevelopers targeting this vulnerability knew a couple of tricks that helped them achieve this,” explains Dumont.\r\n“When opening the spreadsheet document with the WPS Spreadsheet application, the remote library is\r\nautomatically downloaded and stored on disk,” he adds.\r\nSince this is a one-click vulnerability, the exploit developers embedded a picture of the spreadsheet’s rows and\r\ncolumns inside to deceive and convince the user that the document is a regular spreadsheet. 
The malicious\r\nhyperlink was linked to the image so that clicking on a cell in the picture would trigger the exploit.\r\n“Whether the group developed or bought the exploit for CVE-2024-7262, it definitely required some research into\r\nthe internals of the application but also knowledge of how the Windows loading process behaves,” concludes\r\nDumont.\r\nAfter analyzing Kingsoft’s silently released patch, Dumont noticed that it had not properly corrected the flaw and\r\ndiscovered another way to exploit it due to an improper input validation. ESET Research reported both\r\nvulnerabilities to Kingsoft, who acknowledged and patched them. Two high severity CVE entries were created:\r\nCVE-2024-7262 and CVE-2024-7263.\r\nThe discovery underlines the importance of a careful patch verification process and making sure that the core\r\nissue has been addressed in full. ESET strongly advises WPS Office for Windows users to update their software to\r\nthe latest release.\r\nFor more technical information about the WPS Office vulnerabilities and exploits, check out the blog post\r\n“Analysis of two arbitrary code execution vulnerabilities affecting WPS Office” on WeLiveSecurity.com. Make\r\nsure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.\r\nOverview of the exploit’s control flow\r\nAbout ESET\r\nESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of\r\nAI and human expertise, ESET stays ahead of known and emerging cyberthreats — securing businesses, critical\r\ninfrastructure, and individuals. Whether it’s endpoint, cloud or mobile protection, our AI-native, cloud-first\r\nsolutions and services remain highly effective and easy to use. ESET technology includes robust detection and\r\nresponse, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local\r\nsupport, we keep users safe and businesses running without interruption. 
An ever-evolving digital landscape\r\ndemands a progressive approach to security: ESET is committed to world-class research and powerful threat\r\nintelligence, backed by R\u0026D centers and a strong global partner network. For more information, visit\r\nwww.eset.com or follow us on LinkedIn, Facebook, and X.\r\nSource: https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-spy-group-exploits-wps-office-zero-day-analysis-uncovers-a-second-vulnerability/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-spy-group-exploits-wps-office-zero-day-analysis-uncovers-a-second-vulnerability/"
	],
	"report_names": [
		"eset-research-spy-group-exploits-wps-office-zero-day-analysis-uncovers-a-second-vulnerability"
	],
	"threat_actors": [
		{
			"id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805",
			"created_at": "2023-07-20T02:00:08.724751Z",
			"updated_at": "2026-04-10T02:00:03.341845Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "MISPGALAXY:APT-C-60",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854",
			"created_at": "2024-12-28T02:01:54.668462Z",
			"updated_at": "2026-04-10T02:00:04.564201Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "ETDA:APT-C-60",
			"tools": [
				"SpyGlace"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434240,
	"ts_updated_at": 1775791811,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d5aad129770ae66ce41b2d1ba56302f7ca273d82.pdf",
		"text": "https://archive.orkl.eu/d5aad129770ae66ce41b2d1ba56302f7ca273d82.txt",
		"img": "https://archive.orkl.eu/d5aad129770ae66ce41b2d1ba56302f7ca273d82.jpg"
	}
}