{
	"id": "a9c970fa-ccfa-4a19-aac6-9af10b5fb747",
	"created_at": "2026-04-06T00:12:17.33365Z",
	"updated_at": "2026-04-10T03:38:06.672012Z",
	"deleted_at": null,
	"sha1_hash": "dd13099c95db6170714f19ac626cc5f3411c9f8f",
	"title": "ScarCruft APT Group Used Latest Flash Zero Day in Two Dozen Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 40268,
	"plain_text": "ScarCruft APT Group Used Latest Flash Zero Day in Two Dozen\r\nAttacks\r\nBy Michael Mimoso\r\nPublished: 2016-06-17 · Archived: 2026-04-05 14:34:11 UTC\r\nThe ScarCruft APT gang has made use of a Flash zero day patched Thursday by Adobe to attack more than two\r\ndozen high-profile targets in Russia and Asia primarily.\r\nAdobe on Thursday patched a zero-day vulnerability in Flash Player that has been used in targeted attacks carried\r\nout by a new APT group operating primarily against high-profile victims in Russia and Asia.\r\nResearchers at Kaspersky Lab privately disclosed the flaw to Adobe after exploits against the zero-day were used\r\nin March by the ScarCruft APT gang in what Kaspersky Lab is calling Operation Daybreak.\r\nResearchers said the group has a number of operations under way and that it has two Flash exploits and another\r\nagainst Microsoft’s Internet Explorer at its disposal. Kaspersky speculates that this group could also be behind\r\nanother zero-day, CVE-2016-0147, a vulnerability in Microsoft XML Core Services that was patched in April.\r\nIn a report from Kaspersky Lab, researchers said the vulnerability is in Flash code that parses ExecPolicy\r\nmetadata. ScarCruft’s exploit implements read/write operations at a particular address in memory that can allow\r\nfor full remote code execution. 
Full details are explained in the Kaspersky Lab report published today.\r\nThe attack happens in stages starting with shellcode downloading and executing a malicious DLL that loads in\r\nFlash and also includes a technique designed to bypass antivirus detection using the Windows DDE component, or\r\nDynamic Data Exchange, a protocol that facilitates data transfers between applications.\r\nKaspersky researchers said this part of the attack makes “clever” use of Windows DDE.\r\n“The main idea here is that if you create a LNK to an executable or command, then use the ShowGroup method,\r\nthe program will be executed,” Kaspersky Lab said in its report. “This is an undocumented behavior in Microsoft\r\nWindows.”\r\nKaspersky’s research indicates there have been more than two dozen Operation Daybreak victims to date,\r\nincluding an Asian law enforcement agency, a large Asian trading company, an American mobile advertising\r\ncompany and individuals affiliated with the International Association of Athletics Federations (IAAF), some of\r\nwhich were compromised in the past few days.\r\nAttacks start with spear-phishing emails that include a link to a website hosting an exploit kit associated with\r\nScarCruft and used in other attacks. The exploit kit eventually redirects victims’ browsers to a server in Poland\r\ncontrolled by the attackers.\r\nhttps://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/\r\nPage 1 of 2\n\n“The ScarCruft APT group is a relatively new player and managed to stay under the radar for some time,”\r\nresearchers wrote. “In general, their work is very professional and focused. Their tools and techniques are well\r\nabove the average.”\r\nAnother set of attacks called Operation Erebus leverages another Flash exploit, CVE-2016-4117, and relies on\r\nwatering hole attacks as a means of propagation. 
Watering hole attacks involve compromising a site frequented\r\nby the target and serving exploits to site visitors that redirect to malware, often spy tools.\r\nAdobe has implemented a number of mitigations in Flash that defend against memory-based attacks in particular\r\nand also make zero days incrementally more difficult to exploit. While Adobe and outside researchers continue to find and patch\r\ncritical issues in Flash Player, public attacks against unknown Flash flaws are much less frequent.\r\n“Nowadays, in-the-wild Flash Player exploits are becoming rare. This is because in most cases they need to be\r\ncoupled with a Sandbox bypass exploit, which makes them rather tricky. Additionally, Adobe has been doing a\r\ngreat job at implementing new mitigations to make exploitation of Flash Player more and more difficult,”\r\nKaspersky researchers wrote. “Nevertheless, resourceful threat actors such as ScarCruft will probably continue to\r\ndeploy zero-day exploits against their high profile targets.”\r\nGoogle Project Zero team researcher Natalie Silvanovich said that efforts by Adobe to introduce new exploit\r\nmitigations into the Flash Player code base have slowed down exploit development and made it more difficult for\r\nresearchers looking for bugs.\r\nDuring a presentation at the Infiltrate Conference in Miami in April, Silvanovich said that, for example, use-after-free bugs are more difficult to exploit and that other classes of vulnerabilities such as redefinition bugs may\r\nbe going away. She added that information garnered from the Hacking Team data breach last summer was also\r\nimportant to her work. 
“The Hacking Team dump was an unprecedented source of information on how Flash\r\nexploits work in the wild,” she said during her talk.\r\nThursday’s Flash Player update patched 36 vulnerabilities in total including the zero day CVE-2016-4171.\r\nDesktop versions 21.0.0.242 and earlier on Windows and Mac machines are affected and users should upgrade\r\nto 22.0.0.192.\r\nThe majority of the vulnerabilities patched today are memory corruption flaws. The update also takes care of type-confusion, use-after-free, buffer overflow and directory search path vulnerabilities as well as a same-origin policy\r\nbypass flaw that exposes machines to information disclosure attacks.\r\nSource: https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/"
	],
	"report_names": [
		"118642"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37 ",
				"ATK4 ",
				"Group 123 ",
				"InkySquid ",
				"Moldy Pisces ",
				"Operation Daybreak ",
				"Operaton Erebus ",
				"RICOCHET CHOLLIMA ",
				"Reaper ",
				"ScarCruft ",
				"TA-RedAnt ",
				"Venus 121 "
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434337,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dd13099c95db6170714f19ac626cc5f3411c9f8f.pdf",
		"text": "https://archive.orkl.eu/dd13099c95db6170714f19ac626cc5f3411c9f8f.txt",
		"img": "https://archive.orkl.eu/dd13099c95db6170714f19ac626cc5f3411c9f8f.jpg"
	}
}