{
	"id": "2c8159bb-c4d7-4bd8-add9-c75202036e2c",
	"created_at": "2026-04-06T00:19:52.105274Z",
	"updated_at": "2026-04-10T03:24:47.063732Z",
	"deleted_at": null,
	"sha1_hash": "f9977a1b43af34af32ab5dc6053f521b58f99816",
	"title": "Windows zero-day exploit used in targeted attacks by FruityArmor APT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 607911,
	"plain_text": "Windows zero-day exploit used in targeted attacks by FruityArmor APT\r\nBy Anton Ivanov\r\nPublished: 2016-10-20 · Archived: 2026-04-05 14:31:39 UTC\r\n\r\nA few days ago, Microsoft published the “critical” MS16-120 security bulletin with fixes for vulnerabilities in Microsoft Windows, Microsoft Office, Skype for Business, Silverlight and Microsoft Lync. One of the vulnerabilities – CVE-2016-3393 – was reported to Microsoft by Kaspersky Lab in September 2016.\r\n\r\nHere’s a bit of background on how this zero-day was discovered. A few months ago, we deployed a new set of technologies in our products to identify and block zero-day attacks. These technologies proved their effectiveness earlier this year, when we discovered two Adobe Flash zero-day exploits – CVE-2016-1010 and CVE-2016-4171. Two Windows EoP exploits have also been found with the help of this technology. One is CVE-2016-0165. The other is CVE-2016-3393.\r\n\r\nLike most zero-day exploits found in the wild today, CVE-2016-3393 is used by an APT group we call FruityArmor. FruityArmor is perhaps a bit unusual in that it leverages an attack platform built entirely around PowerShell. The group’s primary malware implant is written in PowerShell, and all commands from the operators are also sent in the form of PowerShell scripts.\r\n\r\nIn this report we describe the vulnerability that was used by this group to elevate privileges on a victim’s machine. Please keep in mind that we will not be publishing all the details about this vulnerability because of the risk that other threat actors may use them in their attacks.\r\n\r\nAttack chain description\r\n\r\nTo achieve remote code execution on a victim’s machine, FruityArmor normally relies on a browser exploit. Since many modern browsers are built around sandboxes, a single exploit is generally not sufficient to allow full access to a targeted machine. Most of the recent attacks we’ve seen that rely on a browser exploit are combined with an EoP exploit, which allows for a reliable sandbox escape.\r\nhttps://securelist.com/windows-zero-day-exploit-used-in-targeted-attacks-by-fruityarmor-apt/76396/\r\nPage 1 of 6\r\n\r\nIn the case of FruityArmor, the initial browser exploitation is always followed by an EoP exploit. This comes in the form of a module which runs directly in memory. The main goal of this module is to unpack a specially crafted TTF font containing the CVE-2016-3393 exploit. After unpacking, the module loads the exploit code directly from memory with the help of AddFontMemResourceEx. Once CVE-2016-3393 has been successfully leveraged, a second-stage payload is executed with higher privileges to run PowerShell with a meterpreter-style script that connects to the C\u0026C.\r\n\r\nEoP zero-day details\r\n\r\nThe vulnerability is located in the cjComputeGLYPHSET_MSFT_GENERAL function in the Win32k.sys system module. This function parses the cmap table and fills internal structures. The CMAP structure looks like this:\r\n\r\nThe most interesting parts of this structure are two arrays – endCount and startCount. The exploit contains the following cmap table with segments:\r\n\r\nTo compute how much memory to allocate for internal structures, the function executes this code:\r\n\r\nAfter computing this number, the function allocates memory for the structures in the following way:\r\n\r\nThe problem is that if we compute the entire table, we trigger an integer overflow and the cnt variable ends up holding an incorrect value.\r\n\r\nIn the kernel, we see the following picture:\r\n\r\nThe code allocates memory for only 0x18 InternalStruct entries, but then there is a loop over the whole segment range (this value was extracted directly from the file):\r\n\r\nUsing the cmap table, the v44 variable (index) can be controlled and, as a result, we get memory corruption. To achieve this, the attacker can do the following:\r\n1. Cause an integer overflow in win32k!cjComputeGLYPHSET_MSFT_GENERAL\r\n2. Create specific segment ranges in the font file to access interesting memory.\r\n\r\nWhat about Windows 10? As most of you know, font processing in Windows 10 is performed in a special user-mode process with restricted privileges. This is a very good solution, but the code has the same bug in the TTF processing. As a result, if you load/open this font exploit in Windows 10, you will see fontdrvhost.exe crash:\r\n\r\nKaspersky Lab detects this exploit as:\r\nHEUR:Exploit.Win32.Generic\r\nPDM:Exploit.Win32.Generic\r\n\r\nWe would like to thank Microsoft for their swift response in closing this security hole.\r\n\r\n* More information about the FruityArmor APT group is available to customers of Kaspersky Intelligence Services. Contact: intelreports@kaspersky.com\r\n\r\nSource: https://securelist.com/windows-zero-day-exploit-used-in-targeted-attacks-by-fruityarmor-apt/76396/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/windows-zero-day-exploit-used-in-targeted-attacks-by-fruityarmor-apt/76396/"
	],
	"report_names": [
		"76396"
	],
	"threat_actors": [
		{
			"id": "0f47a6f3-a181-4e15-9261-50eef5f03a3a",
			"created_at": "2022-10-25T16:07:24.228663Z",
			"updated_at": "2026-04-10T02:00:04.905195Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038",
				"Project Raven",
				"Stealth Falcon"
			],
			"source_name": "ETDA:Stealth Falcon",
			"tools": [
				"Deadglyph",
				"StealthFalcon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77aedfa3-e52b-4168-8269-55ccec0946f7",
			"created_at": "2023-01-06T13:46:38.453791Z",
			"updated_at": "2026-04-10T02:00:02.981559Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038"
			],
			"source_name": "MISPGALAXY:Stealth Falcon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434792,
	"ts_updated_at": 1775791487,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f9977a1b43af34af32ab5dc6053f521b58f99816.pdf",
		"text": "https://archive.orkl.eu/f9977a1b43af34af32ab5dc6053f521b58f99816.txt",
		"img": "https://archive.orkl.eu/f9977a1b43af34af32ab5dc6053f521b58f99816.jpg"
	}
}