Tuesday, April 22, 2025
HomeCyber Security NewsBuhtrap Hackers Group Using Recently Patched Windows Zero-day Exploit to Attack Government...

Buhtrap Hackers Group Using Recently Patched Windows Zero-day Exploit to Attack Government Networks

Published on

SIEM as a Service

Follow Us on Google News

An Infamous Cyberespionage group known as “Buhtrap” uses a Windows Zero-day exploit for its new campaign to attack businesses and perform targeted attack governmental institutions.

Buhtrap hackers group actively targeting various financial institutions in 2015, since then the group improvising their toolset with new exploits and malware to attack Europe and Asia based countries.

Newly observed targetted attack campaign using an exploit for Windows local privilege escalation(CVE-2019-1132), a vulnerability resides in the win32k.sys component and the vulnerability has been fixed by Microsoft in a recent security update.

- Advertisement - Google News

An attacker who successfully exploits this vulnerability (CVE-2019-1132) could lead to executing the arbitrary code in kernel mode eventually take control of an affected system.

Buhtrap’s new arsenal contains various hacking tools with updated tactics, techniques and procedures (TTPs) which they are using frequently for various other campaigns.

Researchers pointed out that several of their tools are signed with valid code-signing certificates and abuse a known, legitimate application to side-load their malicious payloads.

Buhtrap Malware Campaign Infection Process

Buhtrap’s conducting its espionage campaign for Past five year and currently observed decoy document related to government operations which are very similar to the State Migration Service of Ukraine website, dmsu.gov.ua. 

Decoy document (Source: ESET)

The Malicious document text asks employees to provide their contact information, especially their email addresses also trick them to click the link on it.

Researchers from ESET quoted that the following document is the first decoy document that recently encountered which is used by the Buhtrap group to target government institutions.

Decoy documents used in campaigns against governmental organizations

According to ESET research, “This document contains a malicious macro that, when enabled, drops an NSIS installer whose task is to prepare the installation of the main backdoor. However, this NSIS installer is very different from the earlier versions used by this group. It is much simpler and is only used to set the persistence and launch two malicious modules embedded within it.”

First Module is a password stealer that harvest passwords from mail clients, browsers and other utilities eventually share it to the Command and control sever control by threat actors.

The second module is an NSIS installer that contains a legitimate application which is being abused and load the main backdoor that employed by Buhtrap.

Final backdoor with encrypted in its body with 2 backdoors, the first one is a type of small ShellCode downloader and the second one is Metasploit’s Meterpreter which is a reverse shell that helps to grant the complete control of the compromised system to the attacker.

“In this case, it is unclear if one or several members of this group decided to change focus and for what reasons, but it is definitely something that we are likely to see more of going forward,” ESET concluded.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

TA505 Hackers Group Modifies Remote Admin Tool as a Weaponized Hacking Tool To Attack Victims in the U.S, APAC, Europe

APT 34 Hackers Group Owned Hacking Tools, Webshell, Malware Code, C2 Servers IP Leaked in Telegram

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

TP-Link Router Vulnerabilities Allow Attackers to Execute Malicious SQL Commands

Cybersecurity researchers have uncovered critical SQL injection vulnerabilities in four TP-Link router models, enabling...

Faster Vulnerability Patching Reduces Risk and Lowers Cyber Risk Index

Trend Micro's Cyber Risk Exposure Management (CREM) solution has highlighted the critical role that...

Malicious npm Packages Target Linux Developers with SSH Backdoor Attacks

In a sophisticated onslaught targeting the open-source ecosystem, reports have emerged detailing several malicious...

Samsung One UI Vulnerability Leaks Sensitive Data in Plain Text With No Expiration!

A glaring vulnerability has come to light within Samsung's One UI interface: the clipboard...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

TP-Link Router Vulnerabilities Allow Attackers to Execute Malicious SQL Commands

Cybersecurity researchers have uncovered critical SQL injection vulnerabilities in four TP-Link router models, enabling...

Faster Vulnerability Patching Reduces Risk and Lowers Cyber Risk Index

Trend Micro's Cyber Risk Exposure Management (CREM) solution has highlighted the critical role that...

Malicious npm Packages Target Linux Developers with SSH Backdoor Attacks

In a sophisticated onslaught targeting the open-source ecosystem, reports have emerged detailing several malicious...