Connect with us

Hi, what are you looking for?



Google: Sophisticated APT Group Burned 11 Zero-Days in Mass Spying Operation

Google has added new details on a pair of exploit servers used by a sophisticated threat actor to hit users of Windows, iOS and Android devices.

Google has added new details on a pair of exploit servers used by a sophisticated threat actor to hit users of Windows, iOS and Android devices.

Malware hunters at Google continue to call attention to a sophisticated APT group that burned through at least 11 zero-days exploits in less than a year to conduct mass spying across a range of platforms and devices.

The group has actively used “watering hole” attacks to redirect specific targets to a pair of exploit servers delivering malware on Windows, iOS and Android devices.

The cross-platform capabilities and the willingness to use almost a dozen zero-days in less than a year signals a well-resourced actor with the ability to access hacking tools and exploits from related teams.

In a new blog post, Google Project Zero researcher Maddie Stone released additional details on the exploit chains discovered in the wild last October and warned that the latest discovery is tied to a February 2020 campaign that included the use of multiple zero-days.

According to Stone, the actor from the February 2020 campaign went dark for a few months but returned in October with dozens of websites redirecting to an exploit server. 

“Once our analysis began, we discovered links to a second exploit server on the same website. After initial fingerprinting (appearing to be based on the origin of the IP address and the user-agent), an iframe was injected into the website pointing to one of the two exploit servers. 

Advertisement. Scroll to continue reading.

In our testing, both of the exploit servers existed on all of the discovered domains,” Stone explained.

The first exploit server initially responded only to Apple iOS and Microsoft Windows user-agents and was active for at least a week after Google’s researchers started retrieving the hacking tools.  This server included exploits for a remote code execution bug in the Google Chrome rendering engine and a v8 zero-day after the initial bug was patched.  

Stone said the first server briefly responded to Android user-agents, suggesting exploits existed for all the major platforms.

Google also flagged a second exploit server that responded to Android user-agents and remained alive for at least 36 hours. This server contained malware cocktails exploiting zero-days in the Chrome and Samsung browsers on Android devices. 

Interestingly, Stone noted that the attackers used a unique obfuscation and anti-analysis check on iOS devices where those exploits were encrypted with ephemeral keys, “meaning that the exploits couldn’t be recovered from the packet dump alone, instead requiring an active MITM on our side to rewrite the exploit on-the-fly.”

Stone also noted signs that multiple entities may be sharing tools and exploits in these campaigns.  

“Both exploit servers used the Chrome Freetype RCE (CVE-2020-15999) as the renderer exploit for Windows (exploit server #1) and Android (exploit server #2), but the code that surrounded these exploits was quite different. The fact that the two servers went down at different times also lends us to believe that there were two distinct operators,” Stone added.

In all, Stone and the Google Project Zero team snagged one full exploit chain hitting Chrome on Windows, two partial exploit chains targeting fully patched Android devices running Chrome and the Samsung Browser; and remote code-execution exploits for iOS 11 and iOS 13.

Stone’s analysis also show the APT group is prolific with the types of vulnerabilities used in exploit chains. “The vulnerabilities cover a fairly broad spectrum of issues – from a modern JIT vulnerability to a large cache of font bugs. Overall each of the exploits themselves showed an expert understanding of exploit development and the vulnerability being exploited,” she explained.

“In the case of the Chrome Freetype 0-day, the exploitation method was novel to Project Zero. The process to figure out how to trigger the iOS kernel privilege vulnerability would have been non-trivial. The obfuscation methods were varied and time-consuming to figure out,” she added. 

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...