Tag: CVE-2017-11882

16 Attack Reports | 0 Vulnerabilities

Attack reports

Operation FrostBeacon: Multi-Cluster Cobalt Strike Campaign Targets Russia

Operation FrostBeacon is a targeted malware campaign delivering Cobalt Strike beacons to companies in Russia. It uses two infection clusters: one leveraging malicious archive files with LNK shortcuts, and another exploiting CVE-2017-0199 and CVE-2017-11882 vulnerabilities. Both clusters lead to rem…
phishing
powershell
russia
cobalt strike
CVE-2017-0199
CVE-2017-11882
lnk files
hta
2025-12-08
Published: December 8, 2025
Linked vulnerabilities : CVE-2017-11882, CVE-2017-0199
Downloadable IOCs: 60

Tracking FileFix, Shadow Vector, and SideWinder

This intelligence report details collaborative research between Acronis Threat Research Unit and VirusTotal on three emerging cyber threats. FileFix, a variant of ClickFix, uses malicious websites to trick victims into running commands copied to their clipboard. Shadow Vector targets Colombian user…
yara
CVE-2017-0199
CVE-2017-11882
virustotal
clickfix
south asia
svg
colombia
filefix
2025-11-10
clipboard manipulation
shadow vector
document-based attacks
Published: November 10, 2025
Linked vulnerabilities : CVE-2017-11882, CVE-2017-0199
Downloadable IOCs: 16

August 2025 Trends Report on Phishing Emails

The analysis reveals that phishing was the predominant threat in email attachments during August 2025, accounting for 63% of cases. Threat actors employed HTML scripts to replicate legitimate login pages and promotional content, aiming to capture user credentials. The report highlights an increase …
malware
phishing
purecrypter
CVE-2017-11882
email attachments
2025-09-16
fakepage
script attachments
korean language
Published: September 16, 2025
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 4

CVE-2017-11882 Will Never Die

The report discusses the persistent exploitation of CVE-2017-11882, a remote code execution vulnerability affecting Microsoft Office's Equation Editor. Despite being an old vulnerability, it continues to be used by attackers to spread modern malware. The analysis focuses on a malicious Excel file t…
obfuscation
exploit
CVE-2017-11882
keylogger
microsoft office
vipkeylogger
2025-08-13
equation editor
Published: August 13, 2025
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 6

XLoader Info-stealer Distributed Using MS Equation Editor Vulnerability (CVE-2017-11882)

An analysis reveals the distribution of XLoader info-stealer through phishing emails exploiting the MS Equation Editor vulnerability (CVE-2017-11882). The attack begins with a DOCX file containing an RTF document that creates a VBE file in a temporary folder. This VBE file, built using HorusProtect…
phishing
CVE-2017-11882
xloader
info-stealer
2025-05-01
rtf
vbe
ms equation editor
regasm.exe
horusprotector
Published: May 1, 2025
Downloadable IOCs: 0

FormBook Malware Distributed via Horus Protector Using Word Docs

Forcepoint X-Labs researchers have identified a phishing campaign where attackers distribute the FormBook information-stealing malware using Horus Protector, a malware distribution service designed to evade detection. The campaign employs malicious Microsoft Word documents that exploit the CVE-2017…
phishing
formbook
CVE-2017-11882
2025-04-29
maldoc
horus
Published: April 29, 2025
Downloadable IOCs: 101

APT Group Profiles - Larva-24005

A new operation named Larva-24005, linked to the Kimsuky group, has been discovered by ASEC. The threat actors exploited RDP vulnerabilities to infiltrate systems, installing MySpy malware and RDPWrap for continuous remote access. They also deployed keyloggers to record user inputs. The group has b…
apt
phishing
kimsuky
south korea
CVE-2017-11882
keylogger
CVE-2019-0708
japan
2025-04-22
randomquery
rdp exploitation
bluekeep
myspy
kimalogger
Published: April 22, 2025
Downloadable IOCs: 0

Infostealer Malware FormBook Spread via Phishing Campaign – Part I

A phishing campaign delivering a malicious Word document exploiting CVE-2017-11882 was observed spreading a new FormBook variant. The campaign tricks recipients into opening an attached document, which extracts a 64-bit DLL file and exploits the vulnerability to execute it. The DLL acts as a downlo…
phishing
infostealer
formbook
CVE-2017-11882
process hollowing
2025-04-22
fileless malware
microsoft equation editor
Published: April 22, 2025
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 7

SideWinder targets the maritime and nuclear sectors with an updated toolset

The SideWinder APT group intensified its activities in the second half of 2024, targeting maritime infrastructures, logistics companies, and nuclear sectors across Asia, the Middle East, and Africa. The group updated its toolset, including improvements to its RTF exploit, JavaScript loader, and Bac…
apt
javascript
africa
CVE-2017-11882
maritime
spear-phishing
south asia
stealerbot
rtf exploit
nuclear
2025-03-10
downloader module
backdoor loader
module installer
Published: March 10, 2025
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 38

VIPKeyLogger Infostealer in the Wild

A new infostealer called VIPKeyLogger has been observed with increased activity. It shares similarities with Snake Keylogger and is distributed through phishing campaigns. The malware is delivered as an archive or Microsoft 365 file attachment, which downloads and executes a .NET compiled file. VIP…
infostealer
CVE-2017-11882
keylogger
snake keylogger
2024-12-16
vipkeylogger
Published: December 16, 2024
Downloadable IOCs: 0

SmokeLoader picks up ancient MS Office bugs to pack fresh credential stealer

Threat actors are exploiting old Microsoft Office vulnerabilities using SmokeLoader, a modular malware loader, to steal browser credentials. The campaign targets manufacturing, healthcare, and IT companies in Taiwan, utilizing CVE-2017-0199 and CVE-2017-11882 to execute remote code and deploy malic…
phishing
plugins
credential theft
smokeloader
CVE-2017-0199
CVE-2017-11882
taiwan
modular malware
2024-12-03
microsoft office
vulnerabilities
andeloader
Published: December 3, 2024
Linked vulnerabilities : CVE-2017-11882, CVE-2017-0199
Downloadable IOCs: 28

SideWinder APT's post-exploitation framework analysis

SideWinder APT group has expanded its activities, targeting high-profile entities in the Middle East and Africa. The group employs a multi-stage infection chain using spear-phishing emails with malicious attachments. A new post-exploitation toolkit called 'StealerBot' has been discovered, designed …
apt
espionage
CVE-2017-11882
infrastructure
spear-phishing
post-exploitation
2024-10-15
moduleinstaller
backdoor loader module
stealerbot
rtf exploit
Published: October 15, 2024
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 158

Secret Message: Steganography Tricks of TA558 Group in Cyber Attacks on Enterprises in Russia and Belarus

F.A.C.C.T.'s Threat Intelligence analysts have investigated numerous cyberattacks by the TA558 group targeting enterprises, government institutions, and banks in Russia and Belarus. The attacks aimed to steal data and gain access to the organization's internal systems. TA558 used multi-stage phishi…
malware
phishing
social engineering
russia
belarus
remcos
steganography
CVE-2017-11882
agent tesla
2024-07-30
Published: July 30, 2024
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 74

SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea

BlackBerry's researchers have uncovered a new campaign by the nation-state threat actor SideWinder. The group employs sophisticated techniques, such as utilizing carefully crafted phishing emails with visual lures designed to target specific organizations. The campaign aims to compromise ports and …
espionage
phishing
vulnerability
nation-state
javascript
targeted
CVE-2017-0199
CVE-2017-11882
2024-07-30
infrastructure
maritime
Published: July 30, 2024
Linked vulnerabilities : CVE-2017-11882, CVE-2017-0199
Downloadable IOCs: 47

Keylogger Installed Using MS Office Equation Editor Vulnerability (Kimsuky)

This technical analysis examines a campaign by the Kimsuky threat group that exploited a vulnerability (CVE-2017-11882) in the Microsoft Office Equation Editor to distribute malware. The attackers used mshta.exe to run a malicious script that downloads additional components, including a keylogger. …
apt
CVE-2017-11882
2024-06-13
keylogger
Published: June 13, 2024
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 0

New Agent Tesla Campaign Targeting Spanish-Speaking People

This report analyzes a phishing campaign spreading a new Agent Tesla variant designed to infiltrate victims' computers and steal sensitive information like credentials, email contacts, and system details. It leverages techniques like exploiting Microsoft Office vulnerabilities, executing JavaScript…
malware
obfuscation
phishing
infostealer
2024-06-10
CVE-2017-0199
CVE-2017-11882
agent tesla
spain
Published: June 10, 2024
Linked vulnerabilities : CVE-2017-11882, CVE-2017-0199
Downloadable IOCs: 6
Click here to see more Attack Reports