Attackers Have Been Leveraging Microsoft Zero-Day for 18 Months

Published: 23/11/2024   Category: security

Likely two separate threat actors are using the just-patched CVE-2024-38112 in targeted, concurrent infostealer campaigns.



Threat actors may have been exploiting one of the zero-day bugs that Microsoft patched in its July security update for at least 18 months prior to patch release.

Though the vulnerability (CVE-2024-38112) affects the MSHTML (Trident) engine for the now-retired Internet Explorer (IE) browser, newer Windows 10 and Windows 11 systems — where Edge is the default browser — are also susceptible to attacks targeting the flaw.
Haifei Li, a security researcher at Check Point, discovered and reported the flaw to Microsoft in May. In a recent blog post, Li described CVE-2024-38112 as allowing an attacker to send victims specially crafted Internet Shortcut files (aka URL files) which, when clicked, would use IE — even if it is not the default browser — to open an attacker-controlled URL. In attacks that Check Point has observed, the threat actor combined the exploit with another novel IE trick for hiding dangerous HTML Application files (.hta files) in the guise of a benign-looking PDF document.

"To summarize the attacks from the exploitation perspective: The first technique used in these campaigns is [a] trick, which allows the attacker to call IE instead of the more secure Chrome/Edge," Li wrote. "The second technique is an IE trick to make the victim believe they are opening a PDF file, while in fact, they are downloading and executing a dangerous .hta application."
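The two lure properties Li describes (a shortcut whose target is handed to a legacy handler rather than the default browser, and an .hta whose name is padded to pass as a PDF) can both be checked before a .url file ever reaches a user. The script below is an added illustration for this page, not Check Point's or Microsoft's code, and the shortcut contents in it are constructed samples, not campaign artifacts. The article does not name the scheme used to force IE; the sample lure uses `mhtml:`, a legacy scheme handled by the MSHTML engine, as a stand-in, and the check itself flags any scheme other than `http` or `https` so it does not depend on that detail. The extension lists are a defender's own choice, also an assumption.

```python
"""Triage Internet Shortcut (.url) files for two lure traits:
 - a target URL whose scheme is not http/https (may route to a legacy handler)
 - a target filename that is really an HTML Application (.hta) but carries a
   document-looking decoy extension such as .pdf, possibly padded with blanks.
Added example for this page; not Check Point's or Microsoft's code.
"""
import configparser
import re
from urllib.parse import unquote

# Defender-chosen lists (assumption, not taken from the article).
EXECUTABLE_EXTS = {"hta", "exe", "js", "jse", "vbs", "vbe", "wsf", "scr", "ps1", "lnk"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "rtf"}

SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")
EXT_RE = re.compile(r"\.([a-z0-9]{1,5})")  # every dot-token that looks like an extension

# Constructed sample shortcuts (CRLF line endings, as Windows writes them).
SAMPLES = {
    "quarterly_report.url": "[InternetShortcut]\r\nURL=https://example.com/reports/q2.pdf\r\n",
    # Legacy scheme plus a ".pdf" decoy padded with encoded spaces before the real ".hta".
    "books_lure.url": "[InternetShortcut]\r\nURL=mhtml:http://example.invalid/files/Books.pdf%20%20%20%20.hta\r\n",
    # Ordinary web scheme, but the target is still an HTML Application.
    "update_lure.url": "[InternetShortcut]\r\nURL=https://example.invalid/update.hta\r\n",
}


def parse_url_shortcut(text):
    """Return the URL= value of an Internet Shortcut, or None if the file has none."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def target_filename(url):
    """Last path component of the target, percent-decoded, query and fragment removed."""
    path = url.split("#", 1)[0].split("?", 1)[0]
    return unquote(path.rstrip("/").rsplit("/", 1)[-1])


def triage_url_shortcut(text):
    """Return {'scheme', 'filename', 'findings'}; an empty findings list means nothing suspicious."""
    url = parse_url_shortcut(text)
    if url is None:
        return {"scheme": None, "filename": None, "findings": ["no-url-field"]}
    m = SCHEME_RE.match(url.strip())
    scheme = m.group(1).lower() if m else None
    filename = target_filename(url)
    findings = []
    if scheme not in ("http", "https"):
        findings.append(f"non-web-scheme:{scheme}")
    # Collect every extension-like token so blanks between a decoy ".pdf" and the
    # real ".hta" cannot hide the true type; the last token is what Windows runs.
    exts = EXT_RE.findall(filename.lower())
    if exts:
        real = exts[-1]
        if real in EXECUTABLE_EXTS:
            findings.append(f"executable-target:{real}")
            decoys = [e for e in exts[:-1] if e in DOCUMENT_EXTS]
            if decoys:
                findings.append(f"double-extension:{decoys[-1]}->{real}")
    return {"scheme": scheme, "filename": filename, "findings": findings}


if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(name, triage_url_shortcut(content))
```

The two checks are deliberately independent: the `update_lure.url` sample uses a normal `https` scheme and is still flagged for its `.hta` target, while the scheme check alone would catch a lure whose filename looked innocuous. In a mail gateway or endpoint scan, either finding is enough to quarantine the shortcut for review.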
"In a worst-case scenario, the vulnerability could allow an attacker to run ransomware, spyware, and other arbitrary code on the victim's machine," says Eli Smadja, research group manager at Check Point.

Smadja says Check Point's analysis of attacks targeting the flaw is still ongoing. However, an initial analysis has shown that at least two likely different threat actors are exploiting CVE-2024-38112 in concurrent campaigns targeting individuals in Vietnam and Turkey. One of the campaigns involves attempts by the attacker to drop the Atlantida information stealer on targeted victims in the two countries.

"This actor exploits compromised WordPress platforms to execute attacks using HTA and PowerShell files, which eventually deploy the Atlantida stealer on target machines," Smadja says. "We believe there may be additional, undiscovered incidents driven by cybercriminal motives," he says.
Rapid7 earlier this year identified Atlantida as malware that enables theft of credential information, cryptocurrency wallet data, browser data, screen information, hardware data, and other information from compromised systems.
Microsoft described CVE-2024-38112 as a spoofing vulnerability that could have a high impact on system confidentiality, integrity, and availability if successfully exploited. The company, however, has assigned it only a moderately high severity rating of 7.5 out of 10, based on, among other things, the fact that an attacker would need to convince a victim to interact with the weaponized URL file for any attack to work.

The US Cybersecurity and Infrastructure Security Agency (CISA) has already added CVE-2024-38112 to its catalog of Known Exploited Vulnerabilities (KEV) and has urged organizations to apply Microsoft's mitigations for the vulnerability. Federal civilian executive branch agencies have until July 30 to remediate the issue or discontinue use of affected products until they have fixed the issue.
The Trident bug is one of two zero-days from Microsoft's July update that CISA has added to its KEV catalog. The other is CVE-2024-38080, a privilege escalation flaw in Microsoft Windows Hyper-V virtualization technology. Microsoft has said the vulnerability allows an attacker with local access to acquire system-level privileges.

In all, Microsoft released fixes for a total of 139 vulnerabilities in its products, making the July update larger in CVE volume than the company's updates for May and June combined.
