{"id":5097,"date":"2018-07-02T15:00:00","date_gmt":"2018-07-02T15:00:00","guid":{"rendered":"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/?p=83911"},"modified":"2018-07-02T15:00:00","modified_gmt":"2018-07-02T15:00:00","slug":"taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\/","title":{"rendered":"Taking apart a double zero-day sample discovered in joint hunt with ESET"},"content":{"rendered":"

In late March 2018, I analyzed an interesting PDF sample found by ESET senior malware researcher\u00a0Anton Cherepanov<\/a>. The sample was initially reported to Microsoft as a potential exploit for an unknown Windows kernel vulnerability. During my investigation in parallel with ESET researchers, I was surprised to discover two new zero-day exploits in the same PDF. One exploit affected Adobe Acrobat and Reader, while the other exploit affected older platforms, Windows 7 and Windows Server 2008. Microsoft and Adobe have since released corresponding security updates:<\/p>\n

The first exploit attacks the Adobe JavaScript engine to run shellcode in the context of that module. The second exploit, which does not affect modern platforms like Windows 10, allows the shellcode to escape Adobe Reader sandbox and run with elevated privileges from Windows kernel memory. ESET provided an analysis of the exploitation routines in the sample PDF<\/a>.<\/p>\n

Although the PDF sample was found in VirusTotal, we have not observed actual attacks perpetrated using these exploits. The exploit was in early development stage, given the fact that the PDF itself did not deliver a malicious payload and appeared to be proof-of-concept (PoC) code.<\/p>\n

Finding and neutralizing a double zero-day exploit before an attacker had a chance to use it was an amazing result of the great collaboration between ESET, Microsoft, and Adobe security researchers.<\/p>\n

Here\u2019s some more information about the exploit process. This analysis is based on a sample we found after additional hunting (SHA-256: 4b672deae5c1231ea20ea70b0bf091164ef0b939e2cf4d142d31916a169e8e01<\/em>).<\/p>\n

Exploit overview<\/h2>\n

The Adobe Acrobat and Reader exploit is incorporated in a PDF document as a malicious JPEG 2000 stream containing the JavaScript exploit code. The following diagram provides an overview of the exploit process.<\/p>\n

\"\"<\/p>\n

Figure 1. Overview of the exploit process<\/em><\/p>\n

As shown in the diagram, the exploit process takes place in several stages:<\/p>\n

    \n
  1. JavaScript lays out heap spray memory.<\/li>\n
  2. Malicious JPEG 2000 stream triggers an out-of-bounds<\/em> access operation.<\/li>\n
  3. The access operation is called upon out-of-bounds memory laid out by the heap spray.<\/li>\n
  4. The access operation corrupts the virtual function table (vftable)<\/em>.<\/li>\n
  5. The corrupted vftable<\/em> transfers execution to a return-oriented programming (ROP)<\/em> chain.<\/li>\n
  6. The ROP chain transfers execution to the main shellcode.<\/li>\n
  7. The main elevation-of-privilege (EoP) module loads through reflective DLL loading.<\/li>\n
  8. The main PE module launches the loaded Win32k EoP exploit.<\/li>\n
  9. When the EoP exploit succeeds, it drops a .vbs file in the Startup<\/em> folder. The .vbs file appears to be proof-of-concept malware designed to download additional payloads.<\/li>\n<\/ol>\n

    Malicious JPEG 2000 stream<\/h2>\n

    The malicious JPEG 2000 stream is embedded with the following malicious tags.<\/p>\n

    \"\"<\/p>\n

    Figure 2. Malicious JPEG 2000 stream<\/em><\/p>\n

    The following image shows the CMAP<\/em> and PCLR<\/em> tags with malicious values. The length of CMAP array (0xfd<\/em>) is smaller than the index value (0xff) referenced in PCLR tags\u2014this results in the exploitation of the out-of-bounds memory free vulnerability.<\/p>\n

    \"\"<\/p>\n

    Figure 3. Out-of-bounds index of CMAP array<\/em><\/p>\n

    Combined with heap-spray technique used in the JavaScript, the out-of-bounds exploit leads to corruption of the vftable<\/em>.<\/p>\n

    \"\"<\/p>\n

    Figure 4. vftable corruption with ROP chain to code execution<\/em><\/p>\n

    The shellcode and portable executable (PE) module is encoded in JavaScript.<\/p>\n

    \"\"<\/p>\n

    Figure 5 Shellcode in JavaScript<\/em><\/p>\n

    Reflective DLL loading<\/h2>\n

    The shellcode (pseudocode shown below) loads the main PE module through reflective DLL loading, a common technique seen in advanced attacks to attempt staying undetected in memory. On Windows 10, the reflective DLL loading technique is exposed<\/a> by Windows Defender Advanced Threat Protection (Windows Defender ATP).<\/p>\n

    The shellcode searches for the start of the PE record and parses PE sections, copying them to the newly allocated memory area. It then passes control to an entry point in the PE module.<\/p>\n

    \"\"<\/p>\n

    Figure 6. Copying PE sections to allocated memory<\/em><\/p>\n

    \"\"<\/p>\n

    Figure 7. Passing control to an entry point in the loaded DLL<\/em><\/p>\n

    Main Win32k EoP exploit<\/h2>\n

    The main Win32k elevation-of-privilege (EoP) exploit runs from the loaded PE module. It appears to target machines running Windows 7 SP1 and takes advantage of the previously unreported CVE-2018-8120<\/a> vulnerability, which is not present on Windows 10 and newer products. The exploit uses a NULL page to pass malicious records and copy arbitrary data to an arbitrary kernel location. The NULL page dereference exploitation technique is also mitigated by default for x64 platforms running Windows 8 or later.<\/p>\n

    \"\"<\/p>\n

    Figure 8. EoP exploit flow<\/em><\/p>\n

    Here\u2019s how the main exploit proceeds:<\/p>\n

      \n
    1. The exploit calls NtAllocateVirtualMemory<\/em> following sgdt<\/em> instructions to allocate a fake data structure at the NULL page.<\/li>\n
    2. It passes a malformed MEINFOEX structure to the SetImeInfoEx<\/em> Win32k kernel function.<\/li>\n
    3. SetImeInfoEx<\/em> picks up the fake data structure allocated at the NULL page.<\/li>\n
    4. The exploit uses the fake data structure to copy malicious instructions to +0x1a0<\/em> on the Global Descriptor Table (GDT).<\/li>\n
    5. It calls an FWORD instruction to call into the fake GDT entry instructions.<\/li>\n
    6. The exploit successfully calls instructions in the fake GDT entry.<\/li>\n
    7. The instructions run shellcode allocated in user mode from kernel mode memory space.<\/li>\n
    8. The exploit modifies the EPROCESS.Token<\/em> of the shellcode process to grant SYSTEM privileges.<\/li>\n<\/ol>\n

      On Windows 10, the EPROCESS.Token<\/em> modification behavior would be surfaced by Windows Defender ATP.<\/p>\n

      The malformed IMEINFOEX<\/em> structure in combination with fake data at the NULL page triggers corruption of the GDT entry as shown below.<\/p>\n

      \"\"<\/p>\n

      Figure 9. Corrupted GDT entry<\/em><\/p>\n

      The corrupted GDT has actual instructions that run through call gate through a call FWORD<\/em> instruction.<\/p>\n

      \"\"<\/p>\n

      Figure 10. Patched GDT entry instructions<\/em><\/p>\n

      After returning from these instructions, the extended instruction pointer (EIP) returns to the caller code in user space with kernel privileges. The succeeding code elevates privileges of the current process by modifying the process token to SYSTEM<\/em>.<\/p>\n

      \"\"<\/p>\n

      Figure 11. Replacing process token pointer<\/em><\/p>\n

      Persistence<\/h2>\n

      After privilege escalation, the exploit code drops the .vbs, a proof-of-concept malware, into the local Startup<\/em> folder.<\/p>\n

      \"\"<\/p>\n

      Figure 12. Code that drops the .vbs file to the Startup folder<\/em><\/p>\n

      Recommended defenses<\/h2>\n

      To protect against attacks leveraging the exploits found in the PDF:<\/p>\n

      While we have not seen attacks distributing the PDF, Office 365 Advanced Threat Protection (Office 365 ATP<\/a>) would block emails that carry malformed PDF and other malicious attachments. Office 365 ATP uses a robust detonation platform, heuristics, and machine learning<\/a> to inspect attachments and links for malicious content in real-time.<\/p>\n

      Windows 10 users are not impacted by the dual exploits, thanks to platform hardening and exploit mitigations. For attacks against Windows 10, Windows Defender Advanced Threat Protection (Windows Defender ATP<\/a>) would surface kernel attacks with similar exploitation techniques that use process token modification to elevate privileges<\/a>, as shown below (sample process privilege escalation alert).<\/p>\n

      \"\"<\/p>\n

      Figure 13. Sample Windows Defender ATP alert for process token modification<\/em><\/p>\n

      With Advanced hunting in Windows Defender ATP<\/a>, customers can hunt for related exploit activity using the following query<\/a> we added to the Github repository<\/a>:<\/p>\n

      \"\"<\/p>\n

      Figure 14. Advanced hunting query<\/em><\/p>\n

      Windows Defender ATP provides complete endpoint protection platform (EPP) and endpoint detection response (EDR) solutions for Windows 10, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. Additional support for devices running Windows 7 and Windows 8.1 is currently in preview<\/a>. Additionally, Windows Defender ATP can surface threats on macOS, Linux, and Android devices<\/a> via security partners.<\/p>\n

      Windows Defender ATP integrates with other technologies in Windows, Office 365, and Enterprise Mobility + Security platforms to automatically update protection and detection and orchestrate remediation across Microsoft 365.<\/p>\n

      To experience the power of Windows Defender ATP for yourself, sign up for a free trial now<\/a>.<\/strong><\/p>\n

      Indicators of compromise<\/h2>\n

      SHA-256: dd4e4492fecb2f3fe2553e2bcedd44d17ba9bfbd6b8182369f615ae0bd520933
      SHA-1: 297aef049b8c6255f4461affdcfc70e2177a71a9
      File type: PE
      Description: Win32k exploit<\/p>\n

      SHA-256: 4b672deae5c1231ea20ea70b0bf091164ef0b939e2cf4d142d31916a169e8e01
      SHA-1: 0d3f335ccca4575593054446f5f219eba6cd93fe
      File type: PDF
      Description: Test exploit<\/p>\n

      SHA-256: 0608c0d26bdf38e064ab3a4c5c66ff94e4907ccaf98281a104fd99175cdf54a8
      SHA-1: c82cfead292eeca601d3cf82c8c5340cb579d1c6
      File type: PDF
      Description: PDF exploit testing sample (Win32k part missing)<\/p>\n

      SHA-256: d2b7065f7604039d70ec393b4c84751b48902fe33d021886a3a96805cede6475
      SHA-1: edeb1de93dce5bb84752276074a57937d86f2cf7
      File type: JavaScript
      Description: JavaScript embedded in 0608c0d26bdf38e064ab3a4c5c66ff94e4907ccaf98281a104fd99175cdf54a8<\/p>\n

      Matt Oh<\/strong><\/em>
      Windows Defender ATP Research<\/em><\/p>\n

      \"\"<\/a><\/p>\n\n

      Talk to us<\/strong><\/h4>\n

      Questions, concerns, or insights on this story? Join discussions at the Microsoft community<\/a> and Windows Defender Security Intelligence<\/a>.<\/p>\n

      Follow us on Twitter @WDSecurity<\/a> and Facebook Windows Defender Security Intelligence<\/a>.<\/p>\n

      READ MORE HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

      In late March 2018, I analyzed an interesting PDF sample found by ESET senior malware researcherAnton Cherepanov. The sample was initially reported to Microsoft as a potential exploit for an unknown Windows kernel vulnerability. During my investigation in parallel with ESET researchers, I was surprised to discover two new zero-day exploits in the same PDF. Read more READ MORE HERE…<\/p>\n","protected":false},"author":2,"featured_media":5098,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[1705,1706,1707,347,1708,234,1709,1064,1065,357,232,718,1710],"class_list":["post-5097","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-secure","tag-advanced-hunting","tag-cve-2018-4990","tag-cve-2018-8120","tag-cybersecurity","tag-elevation-of-privilege-eop","tag-exploit","tag-reflective-dll-loading","tag-security-intelligence","tag-security-response","tag-windows","tag-windows-10","tag-windows-defender-atp","tag-zero-day-exploit"],"yoast_head":"\nTaking apart a double zero-day sample discovered in joint hunt with ESET 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Taking apart a double zero-day sample discovered in joint hunt with ESET 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2018-07-02T15:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2018\/07\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"532\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Taking apart a double zero-day sample discovered in joint hunt with ESET\",\"datePublished\":\"2018-07-02T15:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\\\/\"},\"wordCount\":1397,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2018\\\/07\\\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset.png\",\"keywords\":[\"Advanced hunting\",\"CVE-2018-4990\",\"CVE-2018-8120\",\"Cybersecurity\",\"elevation of privilege (EoP)\",\"Exploit\",\"Reflective DLL loading\",\"Security Intelligence\",\"Security Response\",\"Windows\",\"Windows 10\",\"Windows Defender ATP\",\"zero-day exploit\"],\"articleSection\":[\"Microsoft Secure\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\\\/\",\"name\":\"Taking apart a double zero-day sample discovered in joint hunt with ESET 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2018\\\/07\\\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset.png\",\"datePublished\":\"2018-07-02T15:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2018\\\/07\\\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2018\\\/07\\\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset.png\",\"width\":1000,\"height\":532},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Advanced hunting\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/advanced-hunting\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Taking apart a double zero-day sample discovered in joint hunt with ESET\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Taking apart a double zero-day sample discovered in joint hunt with ESET 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\/","og_locale":"en_US","og_type":"article","og_title":"Taking apart a double zero-day sample discovered in joint hunt with ESET 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2018-07-02T15:00:00+00:00","og_image":[{"width":1000,"height":532,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2018\/07\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset.png","type":"image\/png"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Taking apart a double zero-day sample discovered in joint hunt with ESET","datePublished":"2018-07-02T15:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\/"},"wordCount":1397,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2018\/07\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset.png","keywords":["Advanced hunting","CVE-2018-4990","CVE-2018-8120","Cybersecurity","elevation of privilege (EoP)","Exploit","Reflective DLL loading","Security Intelligence","Security Response","Windows","Windows 10","Windows Defender ATP","zero-day exploit"],"articleSection":["Microsoft Secure"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\/","url":"https:\/\/www.threatshub.org\/blog\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\/","name":"Taking apart a double zero-day sample discovered in joint hunt with ESET 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2018\/07\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset.png","datePublished":"2018-07-02T15:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2018\/07\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2018\/07\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset.png","width":1000,"height":532},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Advanced hunting","item":"https:\/\/www.threatshub.org\/blog\/tag\/advanced-hunting\/"},{"@type":"ListItem","position":3,"name":"Taking apart a double zero-day sample discovered in joint hunt with ESET"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/5097","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=5097"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/5097\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/5098"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=5097"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=5097"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=5097"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}