{
	"id": "46cdedbb-8719-4468-b07c-58764686c6c2",
	"created_at": "2026-04-06T00:22:02.464252Z",
	"updated_at": "2026-04-10T03:30:30.802305Z",
	"deleted_at": null,
	"sha1_hash": "e28568c0f4ef6817ce75f88ca98de719f745eb2e",
	"title": "Timeline of Sandworm Attacks | Security Intelligence Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 930522,
	"plain_text": "Timeline of Sandworm Attacks | Security Intelligence Blog\r\nBy William Gamazo Sanchez (Vulnerability Research)\r\nArchived: 2026-04-05 14:07:32 UTC\r\nThe Sandworm vulnerability, also known as CVE-2014-4114, is interesting for two reasons. The first is the timing of its life cycle. In this blog post we walk through the vulnerability analysis and discuss what users should do while they are under attack. Note that all dates and times discussed here are based on publicly available information and on the internal metadata of the sample files. Here is a timeline:\r\nTimeline (image). Sources:\r\n*1: New CVE-2014-4114 Attacks Seen One Week After Fix\r\n*2: https://technet.microsoft.com/library/security/3010060\r\n*3: https://support.microsoft.com/kb/3010060\r\n*4: https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-281-01A\r\nThe second reason is that CVE-2014-4114 is rooted in the design of OLE itself. We can classify it as a command injection in the OLE infrastructure. This area is complex enough that the scope of the attack surface is hard to evaluate, which led to the release of an incomplete fix and, in turn, to CVE-2014-6352. The underlying cause is that an attacker controls two external variables that select different code paths inside the affected component, packager.dll: the OLE Verb and the embedded file type.\r\nhttps://web.archive.org/web/20141224060545/http://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/\r\nPage 1 of 7\r\nVulnerability time cycle\r\nLooking at a timeline is always helpful for understanding and correlating major events. Sandworm became known to the public when iSIGHT released a blog entry on October 14 discussing the vulnerability and how it was being used in targeted attacks. It was fixed on the same day as part of the scheduled Patch Tuesday release, in MS14-060. 
A week later, on October 21, it was disclosed that under certain circumstances the patch could be bypassed, resulting in Microsoft Security Advisory 3010060 and published workarounds.\r\nWhat was in the patch? We found that it contained a new version of the file packager.dll. The following image shows the Windows properties of the file:\r\nFigure 1. Windows file properties of the updated packager.dll (version 6.3.9600.17341)\r\nThis file was created on September 13, which is reasonable, since iSIGHT first spotted this attack on September 3. Other security vendors indicate they reported this flaw to Microsoft on September 2.\r\nThe Sandworm (or BlackEnergy) email campaign that exploited this vulnerability ran from August 13 onwards, as reported in various articles. These emails used a PPSX attachment with two embedded files. Each embedded file is an OLE compound document whose directory entries record creation and modification times. The following image shows this property:\r\nFigure 2. OLE compound tree structure, with the ModifyTime highlighted.\r\nA known file (SHA256 hash: 70b8d220469c8071029795d32ea91829f683e3fbbaa8b978a31a0974daee8aaf) used in this campaign is detected by Trend Micro as TROJ_MDLOAD.PGTY. Its embedded files oleObject1 and oleObject2 have a modified date/time of 8/7/2014 1:15:59 PM. Following the timeline up to this point, this is a plausible date.\r\nOn October 16, 2014, Trend Micro reported that the same type of attack was being used against SCADA systems. That attack employed the same technique, command injection in the OLE infrastructure, and the same file origin. In this case two OLE files were used: devlist.cim and config.bak. 
Both files were created on 10/4/2013.\r\nThere are several samples on VirusTotal related to this campaign. Some of these samples are directly related to the attacks, while others are simple modifications of the attack files made by analysts. Extracting the UNC paths (the attacker-controlled share locations) from all the samples gives the following list. Note that the private RFC 1918 addresses (10.x and 192.168.x) are consistent with analyst test files rather than live attack infrastructure:\r\n\\\\10[.]0[.]0[.]34\\public\\slide1.gif\r\n\\\\10[.]0[.]0[.]34\\public\\slide1.inf\r\n\\\\10[.]0[.]0[.]27\\share\\xxx.inf\r\n\\\\10[.]0[.]0[.]27\\share\\xxx.gif\r\n\\\\10[.]80[.]65[.]87\\impct\\losslides.gif\r\n\\\\216[.]66[.]74[.]22\\/root/smb4k/teamths\\ths.inf\r\n\\\\216[.]66[.]74[.]22\\/root/smb4k/teamths\\ths.gif\r\n\\\\210[.]209[.]86[.]152\\p\\z\\slides.inf\r\n\\\\210[.]209[.]86[.]152\\p\\z\\slides.gif\r\n\\\\185[.]29[.]8[.]212\\share\\sliiides.inf\r\n\\\\185[.]29[.]8[.]212\\share\\sliiides.exe\r\n\\\\121[.]166[.]55[.]120\\file\\lint.inf\r\n\\\\121[.]166[.]55[.]120\\file\\head.gif\r\n\\\\121[.]166[.]55[.]12\\file\\head.gif\r\n\\\\192[.]168[.]10[.]10\\shared\\msf\\XrHI.inf\r\n\\\\192[.]168[.]10[.]10\\shared\\msf\\TBSZ.gif\r\n\\\\192[.]168[.]1[.]122\\Support\\xxx.gif\r\n\\\\192[.]168[.]1[.]11\\share\\xxx.inf\r\n\\\\192[.]168[.]1[.]11\\share\\xxx.gif\r\n\\\\192[.]168[.]187[.]147\\xpl\\calc.gif\r\n\\\\192[.]168[.]15[.]4\\rdb\\blah.gif\r\n\\\\192[.]168[.]58[.]95\\rdb\\test.gif\r\n\\\\192[.]168[.]58[.]95\\rdb\\test.inf\r\n\\\\192[.]157[.]198[.]1\\public\\word.gif\r\n\\\\118[.]99[.]13[.]236\\docs\\partyhis.gif\r\n\\\\37[.]59[.]5[.]18\\11\\test.gif\r\n\\\\109[.]163[.]233[.]151\\public\\aaaa.gif\r\n\\\\109[.]163[.]233[.]151\\public\\aaaa.inf\r\n\\\\94[.]185[.]85[.]122\\public\\slide1.inf (from the sample mentioned above)\r\n\\\\94[.]185[.]85[.]122\\public\\slide1.gif (from the sample mentioned above)\r\n\\\\94[.]185[.]85[.]122\\public\\default.txt (from the sample attacking SCADA systems)\r\nFirst patch and second attack\r\nIn an earlier blog post we analyzed how the attacker controls the OLE Verb to execute the file once the PPSX is opened. However, another interesting part of the attack is how the attacker controls the file type to bypass the Mark of the Web (MOTW) and avoid the Windows warning that the file is untrusted. The attacker controls the file type through the CLSID in the OLE compound document. This property is stored under the Root Entry of the embedded object. The following image shows one example; in this case the embedded type is 0x22602.\r\nFigure 3. OLE Root Entry CLSID. The first value is the embedded type (0x22602).\r\nWhen packager.dll processes embedded files, the actual operation, or the extraction of the file, depends on the file type, and there are several file types. The following image gives the big picture of how this works:\r\nFigure 4. Call paths inside packager.dll.\r\nThe attack for CVE-2014-4114 used 0x22602 as the file type. This allowed the attacker to bypass the MOTW protection. The OLE infrastructure calls CPackage::Load for each embedded file included in the PPSX file. This method calls ReadClassStg to get the embedded file type, which is 0x22602 in both cases. This type is MPlayer. Next, CPackage::Load calls LoadMMSStorage, which calls OLE2MPlayerReadFromStream or OLE1SoundReadFromStream depending on the OLE file type returned by ReadClassStg, MPlayer in this case.\r\nThe problem is that both methods call CopyFileW or CopyStreamToFile, and both result in the temporary file being created without MOTW. 
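The Root Entry CLSID (Figure 3) and the per-entry ModifyTime (Figure 2) discussed above both live in the directory of the OLE compound file that each oleObject part of the PPSX is. The following Python script is an added example, not code from the original post or from Trend Micro: it walks that directory, reports every entry with its CLSID and timestamps, and flags a Root Entry whose CLSID Data1 is the 0x22602 (MPlayer) type the CVE-2014-4114 samples used. The compound file it builds to demonstrate itself is constructed for the example; its stream name, its 4096-byte stream body and the UTC interpretation of the Figure 2 timestamp are assumptions, and a CLSID match is a triage signal rather than proof of exploitation. To run it against a real sample, unzip the PPSX and pass the bytes of the embedded object part (typically ppt/embeddings/oleObject1.bin) to triage_embedded_object.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

CFB_SIGNATURE = bytes.fromhex('d0cf11e0a1b11ae1')
FATSECT, ENDOFCHAIN, FREESECT, NOSTREAM = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF
ENTRY_TYPES = {1: 'storage', 2: 'stream', 5: 'root'}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# 0x22602 (MPlayer) is the embedded type the CVE-2014-4114 samples used; a match is a triage hit, not proof
SUSPICIOUS_ROOT_TYPES = {0x00022602: 'MPlayer (type used by the CVE-2014-4114 samples)'}
MPLAYER_CLSID, NULL_CLSID = uuid.UUID('00022602-0000-0000-C000-000000000046'), uuid.UUID(int=0)
# Constructed timestamp mirroring the ModifyTime shown in Figure 2 (UTC assumed)
SAMPLE_MODIFIED = datetime(2014, 8, 7, 13, 15, 59, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    # FILETIME: 100 ns ticks since 1601-01-01 UTC; zero means not set
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def _load_fat(data, header, sector_size):
    # FAT from the 109 DIFAT slots in the header (files under ~6.8 MiB); DIFAT overflow sectors are not followed
    fat = []
    for slot in struct.unpack_from('<109I', header, 0x4C):
        if slot in (FREESECT, ENDOFCHAIN):
            break
        fat.extend(struct.unpack_from('<%dI' % (sector_size // 4), data, (slot + 1) * sector_size))
    return fat

def _sector_chain(fat, start):
    # Follow a FAT chain, refusing to loop or run off the end of a malformed file
    seen, sect = set(), start
    while sect not in (ENDOFCHAIN, FREESECT):
        if sect in seen or sect >= len(fat):
            raise ValueError('corrupt FAT chain at sector %d' % sect)
        seen.add(sect)
        yield sect
        sect = fat[sect]

def parse_cfb_directory(data):
    # One dict per used 128-byte directory entry of an OLE compound file
    if data[:8] != CFB_SIGNATURE:
        raise ValueError('not an OLE compound file')
    header = data[:512]
    sector_size = 1 << struct.unpack_from('<H', header, 0x1E)[0]
    fat = _load_fat(data, header, sector_size)
    entries = []
    for sect in _sector_chain(fat, struct.unpack_from('<I', header, 0x30)[0]):
        base = (sect + 1) * sector_size
        for off in range(base, base + sector_size, 128):
            raw = bytes(data[off:off + 128])
            if len(raw) < 128 or raw[0x42] not in ENTRY_TYPES:
                continue  # short read, unused slot or unknown entry type
            name_len = struct.unpack_from('<H', raw, 0x40)[0]     # bytes, incl. terminator
            clsid = uuid.UUID(bytes_le=raw[0x50:0x60])            # Figure 3: CLSID at 0x50
            ctime, mtime = struct.unpack_from('<QQ', raw, 0x64)   # Figure 2: ModifyTime at 0x6C
            start, size = struct.unpack_from('<IQ', raw, 0x74)
            entries.append({'name': raw[:max(name_len - 2, 0)].decode('utf-16-le', 'replace'),
                            'type': ENTRY_TYPES[raw[0x42]], 'clsid': str(clsid),
                            'embedded_type': clsid.time_low,  # CLSID Data1, e.g. 0x22602
                            'created': filetime_to_datetime(ctime),
                            'modified': filetime_to_datetime(mtime),
                            'start_sector': start, 'size': size})
    return entries

def triage_embedded_object(data):
    # What packager.dll dispatches on (Root Entry CLSID) plus every stream's ModifyTime for timeline correlation
    entries = parse_cfb_directory(data)
    root = next(e for e in entries if e['type'] == 'root')
    return {'root_clsid': root['clsid'], 'embedded_type': root['embedded_type'],
            'root_modified': root['modified'],
            'flag': SUSPICIOUS_ROOT_TYPES.get(root['embedded_type']),
            'streams': {e['name']: e['modified'] for e in entries if e['type'] == 'stream'}}

def build_sample_cfb(root_clsid, modified, stream_name=chr(1) + 'Ole', payload=b''):
    # Constructed demo input: minimal v3 compound file with one FAT sector, one directory
    # sector (Root Entry plus one stream) and a 4096-byte stream body (no mini FAT needed)
    ft = ((modified - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    hdr = bytearray(512)
    hdr[:8] = CFB_SIGNATURE
    struct.pack_into('<5H', hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)      # version, byte order, sector shifts
    struct.pack_into('<8I', hdr, 0x2C, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    hdr[0x4C:] = bytes([0xFF]) * 436                               # DIFAT slots all FREESECT ...
    struct.pack_into('<I', hdr, 0x4C, 0)                           # ... except the FAT in sector 0
    fat = bytearray(bytes([0xFF]) * 512)
    struct.pack_into('<2I', fat, 0, FATSECT, ENDOFCHAIN)           # sector 0 FAT, sector 1 directory
    struct.pack_into('<8I', fat, 8, 3, 4, 5, 6, 7, 8, 9, ENDOFCHAIN)  # stream chain: sectors 2..9

    def entry(name, etype, clsid, child, start, size):
        e = bytearray(128)
        n = name.encode('utf-16-le') + bytes(2)
        e[:len(n)] = n
        struct.pack_into('<HBBIII', e, 0x40, len(n), etype, 1, NOSTREAM, NOSTREAM, child)
        e[0x50:0x60] = clsid.bytes_le
        struct.pack_into('<IQQIQ', e, 0x60, 0, 0, ft, start, size)
        return e

    directory = entry('Root Entry', 5, root_clsid, 1, ENDOFCHAIN, 0) + entry(stream_name, 2, NULL_CLSID, NOSTREAM, 2, 4096)
    return bytes(hdr + fat + directory + bytes(512 - len(directory)) + (payload + bytes(4096))[:4096])

if __name__ == '__main__':
    for key, value in triage_embedded_object(build_sample_cfb(MPLAYER_CLSID, SAMPLE_MODIFIED)).items():
        print('%-14s %s' % (key, value))
```

The reader reads the 16-byte CLSID in GUID binary layout (Data1 and Data2/Data3 little-endian), which is why the first DWORD comes out as 0x22602 exactly as Figure 3 shows it, and it refuses FAT chains that loop, which a crafted sample can otherwise use to hang a naive parser.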
That is why the first patch from Microsoft changed the “XXReadFromStream” methods to call MarkFileUnsafe. After the first patch the protection looks like the following screenshot:\r\nFigure 5. Protection using MOTW after the patch.\r\nNote that the automatic execution triggered by a specific OLE Verb was not patched. The patch only added MOTW protection in these methods.\r\nFor the attack related to CVE-2014-6352, the MOTW protection is not bypassed, as seen in the image above, but execution still takes place after the following message is shown to the user:\r\nFigure 6. Pop-up message alerting the user when the file is protected with MOTW.\r\nMOTW is implemented as an NTFS alternate data stream (Zone.Identifier) attached to the created file; Windows checks for it to decide whether to launch the warning message. The created stream is seen in the following image:\r\nFigure 7. NTFS stream of a file with MOTW activated.\r\nConclusion\r\nThe attack technique for command injection in the OLE infrastructure has been around since at least October 2013. If the attack happens on a system where the patch MS14-060 has been applied, the user will see the warning message shown in Figure 6.\r\nTrend Micro secures users from this threat by detecting the exploit and the malware payload via the Smart Protection Network.
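The Zone.Identifier stream shown in Figure 7 is also what a responder can check on the files packager.dll extracted. The following Python helper is an added example, not code from the original post: it reads that NTFS alternate data stream (on NTFS, Python can open it by appending :Zone.Identifier to the path), parses its [ZoneTransfer] section and reports whether Windows would show the Figure 6 warning, treating a missing stream as the pre-patch outcome. The sample stream body is constructed for the example and the verdict wording is the example's own; on a non-Windows system or a non-NTFS volume the stream read always returns None.

```python
import os

ZONE_STREAM = ':Zone.Identifier'   # NTFS alternate data stream that carries the MOTW
# URLZONE ids Windows writes into the stream; Internet (3) and Restricted (4) trigger the warning
ZONE_NAMES = {0: 'LocalMachine', 1: 'Intranet', 2: 'Trusted', 3: 'Internet', 4: 'Restricted'}
CRLF = chr(13) + chr(10)
# Constructed stream body of the kind left on a file that came from an Internet-zone source
SAMPLE_INTERNET_STREAM = '[ZoneTransfer]' + CRLF + 'ZoneId=3' + CRLF

def parse_zone_identifier(text):
    # Parse the INI-style body; returns the [ZoneTransfer] keys with ZoneId as an int,
    # or {} when the stream is present but carries no usable ZoneId
    fields, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            in_section = line[1:-1].lower() == 'zonetransfer'
        elif in_section and '=' in line:
            key, _, value = line.partition('=')
            fields[key.strip()] = value.strip()
    try:
        fields['ZoneId'] = int(fields['ZoneId'])
    except (KeyError, ValueError):
        fields.pop('ZoneId', None)
    return fields

def motw_verdict(stream_text):
    # stream_text is None when the file has no Zone.Identifier: the outcome the
    # CVE-2014-4114 samples achieved before MS14-060 added the MarkFileUnsafe call
    if stream_text is None:
        return 'no MOTW: the file launches without the warning in Figure 6'
    zone = parse_zone_identifier(stream_text).get('ZoneId')
    if zone is None:
        return 'Zone.Identifier present but malformed: treat the file as untrusted'
    label = ZONE_NAMES.get(zone, 'zone %d' % zone)
    if zone >= 3:
        return 'MOTW %s: Windows shows the warning before launching' % label
    return 'MOTW %s: no warning, zone is below Internet' % label

def read_zone_identifier(path):
    # Read the alternate data stream; None means the file exists but has no MOTW.
    # Only NTFS on Windows exposes the stream, so elsewhere this always yields None.
    if not os.path.isfile(path):
        raise FileNotFoundError(path)
    try:
        with open(path + ZONE_STREAM, 'r', encoding='utf-8', errors='replace') as f:
            return f.read()
    except OSError:
        return None

def check_file(path):
    return motw_verdict(read_zone_identifier(path))

if __name__ == '__main__':
    import sys
    for p in sys.argv[1:]:
        print(p, '->', check_file(p))
    print(motw_verdict(SAMPLE_INTERNET_STREAM))
    print(motw_verdict(None))
```

Run it with the paths of files found in the temporary directory after a suspicious PPSX was opened: any extracted object that reports no MOTW on a system that should have MS14-060 applied is worth a closer look.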
Trend Micro Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plugin protect user systems from threats that may leverage this vulnerability via the following DPI rules:\r\n1006290 – Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114)\r\n1006291 – Microsoft Windows OLE Remote Code Execution Vulnerability (CVE-2014-4114) – 1\r\nUsers are strongly advised to apply MS14-060 now, to follow the workarounds in Security Advisory 3010060, and to install Microsoft's security update for CVE-2014-6352 as soon as it is released. In addition, users and employees should not open PowerPoint files from unknown sources, as this may lead to a series of malware infections.\r\nWith additional insights from Pawan Kinger\r\nThis entry was posted on Monday, November 10th, 2014 at 1:12 pm and is filed under Exploits.\r\nSource: https://web.archive.org/web/20141224060545/http://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://web.archive.org/web/20141224060545/http://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/"
	],
	"report_names": [
		"timeline-of-sandworm-attacks"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434922,
	"ts_updated_at": 1775791830,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e28568c0f4ef6817ce75f88ca98de719f745eb2e.pdf",
		"text": "https://archive.orkl.eu/e28568c0f4ef6817ce75f88ca98de719f745eb2e.txt",
		"img": "https://archive.orkl.eu/e28568c0f4ef6817ce75f88ca98de719f745eb2e.jpg"
	}
}