{
	"id": "4c2e6b52-fc2a-4afc-aaaa-20f7c19e7701",
	"created_at": "2026-04-06T00:17:07.577087Z",
	"updated_at": "2026-04-10T13:13:09.513841Z",
	"deleted_at": null,
	"sha1_hash": "fe364b5d1d9748d0cd20a4dda238a5e9cb123472",
	"title": "Windows MSDT zero-day now exploited by Chinese APT hackers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2623818,
	"plain_text": "Windows MSDT zero-day now exploited by Chinese APT hackers\r\nBy Sergiu Gatlan\r\nPublished: 2022-05-31 · Archived: 2026-04-05 18:00:43 UTC\r\nChinese-linked threat actors are now actively exploiting a Microsoft Office zero-day vulnerability (known as 'Follina') to\r\nexecute malicious code remotely on Windows systems.\r\nDescribed by Microsoft as a remote code execution flaw in the Microsoft Windows Support Diagnostic Tool (MSDT) and\r\ntracked as CVE-2022-30190, it impacts all Windows client and server platforms still receiving security updates (Windows 7\r\nor later and Windows Server 2008 or later).\r\nShadow Chaser Group's crazyman, the researcher who first reported the zero-day in April, said Microsoft initially tagged the\r\nflaw as not a \"security-related issue,\" however, it later closed the vulnerability submission report with a remote code\r\nexecution impact.\r\nhttps://www.bleepingcomputer.com/news/security/windows-msdt-zero-day-now-exploited-by-chinese-apt-hackers/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/windows-msdt-zero-day-now-exploited-by-chinese-apt-hackers/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nActively exploited in the wild\r\nThe TA413 APT group, a hacking outfit linked to Chinese state interests, has adopted this vulnerability in attacks against\r\ntheir favorite target, the international Tibetan community.\r\nAs observed on May 30 by Proofpoint security researchers, they're now using CVE-2022-30190 exploits to execute\r\nmalicious code via the MSDT protocol when targets open or preview Word documents delivered in ZIP archives.\r\nTA413 malicious Word document (Proofpoint)\r\n\"TA413 CN APT spotted ITW exploiting the Follina 0Day using URLs to deliver Zip Archives which contain Word\r\nDocuments that use the technique,\" enterprise security firm Proofpoint revealed today.\r\n\"Campaigns impersonate the 'Women Empowerments Desk' of the Central Tibetan Administration and use the domain tibet-gov.web[.]app.\"\r\nSecurity researcher MalwareHunterTeam also spotted DOCX documents with Chinese filenames being used to install\r\nmalicious payloads detected as password-stealing trojans via http://coolrat[.]xyz.\r\nImage: BleepingComputer\r\nhttps://www.bleepingcomputer.com/news/security/windows-msdt-zero-day-now-exploited-by-chinese-apt-hackers/\r\nPage 3 of 4\n\nMitigation available\r\n\"An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling\r\napplication,\" as Microsoft explained in new guidance issued today to provide admins with mitigation measures.\r\n\"The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the\r\nuser's rights.\"\r\nYou can block attacks exploiting CVE-2022-30190 by disabling the MSDT URL protocol malicious actors abuse to launch\r\ntroubleshooters and execute code on vulnerable systems.\r\nYou are also advised to disable the Preview pane in Windows Explorer since this is another attack vector exploitable when\r\ntargets preview the malicious documents.\r\nToday, CISA also urged admins and users to disable the MSDT protocol on their Windows devices after Microsoft reported\r\nactive exploitation of this vulnerability in the wild.\r\nThe first CVE-2022-30190 attacks were spotted over a month ago using sextortion threats and invitations to Sputnik Radio\r\ninterviews as lures.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/windows-msdt-zero-day-now-exploited-by-chinese-apt-hackers/\r\nhttps://www.bleepingcomputer.com/news/security/windows-msdt-zero-day-now-exploited-by-chinese-apt-hackers/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/windows-msdt-zero-day-now-exploited-by-chinese-apt-hackers/"
	],
	"report_names": [
		"windows-msdt-zero-day-now-exploited-by-chinese-apt-hackers"
	],
	"threat_actors": [
		{
			"id": "3b1367ff-99dc-41f0-986f-4a1dcb41bbbf",
			"created_at": "2022-10-25T16:07:24.273478Z",
			"updated_at": "2026-04-10T02:00:04.918037Z",
			"deleted_at": null,
			"main_name": "TA413",
			"aliases": [
				"White Dev 9"
			],
			"source_name": "ETDA:TA413",
			"tools": [
				"Exile RAT",
				"ExileRAT",
				"Sepulcher"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9792e41f-4165-474b-99fa-e74ec332bd87",
			"created_at": "2023-01-06T13:46:38.986789Z",
			"updated_at": "2026-04-10T02:00:03.172308Z",
			"deleted_at": null,
			"main_name": "Lucky Cat",
			"aliases": [
				"TA413",
				"White Dev 9"
			],
			"source_name": "MISPGALAXY:Lucky Cat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "86182dd7-646c-49c5-91a6-4b62fd2119a7",
			"created_at": "2025-08-07T02:03:24.617638Z",
			"updated_at": "2026-04-10T02:00:03.738499Z",
			"deleted_at": null,
			"main_name": "BRONZE HOBART",
			"aliases": [
				"APT23",
				"Earth Centaur ",
				"KeyBoy ",
				"Pirate Panda ",
				"Red Orthrus ",
				"TA413 ",
				"Tropic Trooper "
			],
			"source_name": "Secureworks:BRONZE HOBART",
			"tools": [
				"Crowdoor",
				"DSNGInstaller",
				"KeyBoy",
				"LOWZERO",
				"Mofu",
				"Pfine",
				"Sepulcher",
				"Xiangoop Loader",
				"Yahaoyah"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434627,
	"ts_updated_at": 1775826789,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fe364b5d1d9748d0cd20a4dda238a5e9cb123472.pdf",
		"text": "https://archive.orkl.eu/fe364b5d1d9748d0cd20a4dda238a5e9cb123472.txt",
		"img": "https://archive.orkl.eu/fe364b5d1d9748d0cd20a4dda238a5e9cb123472.jpg"
	}
}