

    The Shadowed Gateway Malware Exploited a Recently Patched Microsoft Flaw in Zero-Day Attacks

    A campaign distributing the Shadowed Gateway malware was observed in mid-January 2024 exploiting a since-patched security flaw in Microsoft Windows as a zero-day, delivered through fake software installers.

    “In the course of this campaign, individuals were enticed through PDF documents housing Google DoubleClick Digital Marketing (DDM) open redirects, leading unwitting victims to compromised platforms hosting the Microsoft Windows SmartScreen circumvention CVE-2024-21412, guiding towards malevolent Microsoft (.MSI) installation files,” Trend Micro reported.

    CVE-2024-21412 (CVSS score: 8.1) is an Internet Shortcut Files security feature bypass that lets an unauthenticated attacker get past SmartScreen protections by tricking a target into opening a specially crafted file.

    Microsoft fixed the issue in its Patch Tuesday updates for February 2024, but not before it was weaponized by a threat actor tracked as Water Hydra (also known as DarkCasino) to distribute the DarkMe malware in attacks targeting financial institutions.

    Trend Micro's latest findings indicate that the vulnerability has been exploited more widely than previously thought, with the Shadowed Gateway campaign combining it with open redirects from Google Ads to propagate the malware.


    The multi-stage attack chain starts when the recipient clicks a link embedded in a PDF attachment delivered by phishing email. The link triggers an open redirect from Google's doubleclick[.]net domain to a compromised web server hosting a malicious .URL internet shortcut file that exploits CVE-2024-21412.

    Specifically, the open redirects are designed to deliver fake Microsoft software installer files (.MSI) posing as legitimate applications such as Apple iTunes, Notion, and NVIDIA software, bundled with a side-loaded DLL that decrypts and infects users with Shadowed Gateway (version 6.1.7).
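    As an added illustration of the delivery chain above (not code from the report or from Trend Micro), the following Python reconstructs redirect chains from proxy records and flags those in which a doubleclick.net hop hands off to a different host serving a .URL or .MSI file. The log format, client addresses, host names and paths are constructed for the example and are not real indicators.

```python
from urllib.parse import urlparse

REDIRECTOR_HOSTS = ("doubleclick.net",)  # open-redirect source named in the report
LURE_EXTENSIONS = (".url", ".msi")       # shortcut, then installer, per the report

def _hosted_on(host, suffixes):  # host equals or is a subdomain of a suffix
    return any(host == s or host.endswith("." + s) for s in suffixes)

def parse_log(lines):
    """Constructed format: '<client> <status> <request-url> <location-or-->'."""
    events = []
    for line in lines:
        client, status, url, location = line.split()
        events.append((client, int(status), url, None if location == "-" else location))
    return events

def build_chains(events):
    """Reconstruct each client's navigation chain, following 3xx Location headers."""
    chains = {}
    for client, status, url, location in events:
        chain = chains.setdefault(client, [])
        if not chain or chain[-1] != url:
            chain.append(url)
        if 300 <= status < 400 and location:
            chain.append(location)
    return chains

def flag_chain(chain):
    """True when an ad redirector hands off to a foreign host serving a lure file."""
    parsed = [urlparse(u) for u in chain]
    for i, hop in enumerate(parsed[:-1]):
        if not _hosted_on(hop.netloc.lower(), REDIRECTOR_HOSTS):
            continue
        for later in parsed[i + 1:]:
            host, path = later.netloc.lower(), later.path.lower()
            if not _hosted_on(host, REDIRECTOR_HOSTS) and path.endswith(LURE_EXTENSIONS):
                return True
    return False

SAMPLE_LOG = [  # constructed proxy records; hosts and paths are not real indicators
    "10.0.0.5 302 https://ad.doubleclick.net/click?id=123 https://compromised.example.net/itunes/setup.url",
    "10.0.0.5 200 https://compromised.example.net/itunes/setup.url -",
    "10.0.0.5 200 https://compromised.example.net/itunes/iTunesSetup.msi -",
    "10.0.0.9 302 https://ad.doubleclick.net/click?id=456 https://www.example.com/landing",
    "10.0.0.9 200 https://www.example.com/landing -",
]

def flagged_clients(lines=SAMPLE_LOG):  # clients whose chain matches the pattern
    return sorted(c for c, chain in build_chains(parse_log(lines)).items() if flag_chain(chain))
```

    A benign ad click that lands on an ordinary page (client 10.0.0.9) is left alone; only the chain that ends in a shortcut or installer on a third-party host is flagged.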

    Notably, another since-patched Windows SmartScreen bypass (CVE-2023-36025, CVSS score: 8.8) has been abused by threat actors in recent months to distribute Shadowed Gateway, Phemedrone Stealer, and Mispadu.

    Abusing Google Ads technology lets threat actors scale the reach and volume of their attacks through advertising campaigns targeted at specific demographics.

    “Employing counterfeit software installation modules, alongside open redirects, presents a formidable combination that can result in numerous infections,” said security researchers Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun. “It is imperative to maintain vigilance and to advise users against placing trust in any software installation modules received from sources outside official channels.”


    The disclosure comes as the AhnLab Security Intelligence Center (ASEC) and eSentire revealed that fake installers for Adobe Reader, Notion, and Synaptics are being distributed via bogus PDF files and seemingly legitimate websites to deploy information stealers such as LummaC2 and the XRed backdoor.

    It also follows the discovery of new information-stealing malware families such as Planet Stealer, Rage Stealer (aka xStealer), and Tweaks (aka Tweaker), adding to the range of threats capable of harvesting sensitive data from compromised endpoints.

    “Adversaries are leveraging prominent platforms, such as YouTube and Discord, to distribute Tweaks to Roblox users, exploiting the capacity of legitimate platforms to elude detection by web filter block lists typically employed to impede known malicious servers,” remarked Zscaler ThreatLabz.

    “Adversaries disseminate malevolent files camouflaged as Frames Per Second (FPS) enhancement packages to users, subsequently prompting users to inadvertently infect their systems with Tweaks malware.”


    The PowerShell-based stealer is designed to exfiltrate sensitive data, including user credentials, location, Wi-Fi profiles, passwords, Roblox IDs, and in-game currency details, to an attacker-controlled server via a Discord webhook.

    Malvertising and social engineering campaigns have also been observed serving as initial access vectors to distribute a range of stealers and remote access trojans such as Agent Tesla, CyberGate RAT, Fenix botnet, Matanbuchus, NarniaRAT, Remcos RAT, Rhadamanthys, SapphireStealer, and zgRAT.
