The Windows MSHTML platform spoofing vulnerability, CVE-2024-43461, which affects all supported Windows versions, has been exploited in the wild.
CVE-2024-43461 was used in attacks by the Void Banshee APT hacking group. Research from Trend Micro claims that Void Banshee lures people by disseminating harmful files disguised as book PDFs through zip archives.
These files may be found on cloud-sharing websites, Discord servers, and online libraries, among other places. Southeast Asia, Europe, and North America are the main regions targeted by Void Banshee’s attacks.
Microsoft mentioned CVE-2024-43461 on Friday as part of the September 2024 Patch Tuesday, indicating that it had been used in attacks.
The attack campaign of the Void Banshee group made use of both CVE-2024-43461 and the July-resolved vulnerability CVE-2024-38112.
Initially, Windows Internet Shortcut (.url) files were used in the attacks. Clicking on these files forced the device to launch a malicious website run by the attackers, using the now-deprecated Internet Explorer in place of Microsoft Edge.
As soon as the malicious page was accessed, it prompted the download of an HTML Application (HTA) file.
The HTA file included a script to install the malware known as Atlantida info-stealer, which collects confidential data.
By spoofing the file extension and making it look like a PDF file rather than an .hta executable, the attackers were able to conceal the actual nature of the file.
The attackers spoof the HTA file extension by taking advantage of a vulnerability in Windows MSHTML.
The method uses braille whitespace characters (URL-encoded as %E2%A0%80) to hide the “.hta” extension from the user’s view.
Hence, when the user accessed the spoofed file, the HTA file was executed, which initiated the script that deployed the Atlantida info-stealer.
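The extension-spoofing trick described above can be checked for on the defender's side by inspecting filenames for invisible characters and for a decoy extension sitting in front of the real one. The following Python script is an added example written for this article, not code from Trend Micro or Microsoft; the set of invisible characters beyond the braille blank (U+2800, the character behind %E2%A0%80), the list of executable extensions and the sample filenames are all assumptions constructed for the demonstration.

```python
import unicodedata
from pathlib import PurePosixPath
from urllib.parse import unquote

# Characters that render as blank or reorder text but are not ordinary spaces.
# U+2800 is the braille blank named in the article; the rest are an assumed,
# broader set of invisible code points that deserve the same scrutiny.
SUSPICIOUS_BLANKS = {
    "\u2800",  # BRAILLE PATTERN BLANK (UTF-8: E2 A0 80)
    "\u200b",  # ZERO WIDTH SPACE
    "\u200c",  # ZERO WIDTH NON-JOINER
    "\u200d",  # ZERO WIDTH JOINER
    "\u2060",  # WORD JOINER
    "\ufeff",  # ZERO WIDTH NO-BREAK SPACE
    "\u00a0",  # NO-BREAK SPACE
    "\u202e",  # RIGHT-TO-LEFT OVERRIDE
}

# Assumed list of extensions Windows will execute rather than merely open.
EXECUTABLE_EXTENSIONS = {".hta", ".url", ".exe", ".js", ".vbs", ".lnk", ".scr", ".bat", ".cmd"}


def assess(name: str) -> dict:
    """Analyse one filename and report the true extension, any decoy extension
    placed before it, and every invisible character found.

    Assumption: a name containing '%' is URL-encoded (as in the %E2%A0%80 form
    quoted in the article) and is decoded before inspection.
    """
    if "%" in name:
        name = unquote(name)

    # The extension Windows actually honours is the one after the last dot.
    true_ext = PurePosixPath(name).suffix.lower()

    # Record position, character and Unicode name of every invisible code point.
    invisible = [
        (i, ch, unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(name)
        if ch in SUSPICIOUS_BLANKS
    ]

    # Remove the invisible padding and look for an extension-like token that
    # precedes the true extension, e.g. ".pdf" in "Books.pdf<blanks>.hta".
    cleaned = "".join(ch for ch in name if ch not in SUSPICIOUS_BLANKS)
    stem = PurePosixPath(cleaned).stem.rstrip()
    decoy_ext = PurePosixPath(stem).suffix.lower()

    reasons = []
    if invisible:
        reasons.append(f"{len(invisible)} invisible character(s) in filename")
    if decoy_ext and decoy_ext != true_ext:
        reasons.append(f"decoy extension {decoy_ext} before true extension {true_ext}")
    if true_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"true extension {true_ext} is executable")

    # Flag on any invisible character, or on a decoy extension masking an
    # executable one; "archive.tar.gz" style names are not flagged.
    suspicious = bool(invisible) or bool(decoy_ext and true_ext in EXECUTABLE_EXTENSIONS)

    return {
        "filename": name,
        "true_extension": true_ext,
        "decoy_extension": decoy_ext,
        "invisible_chars": invisible,
        "suspicious": suspicious,
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample filenames, not taken from any real campaign.
    samples = [
        "Books.pdf" + "\u2800" * 26 + ".hta",    # braille padding hides .hta
        "Books.pdf%E2%A0%80%E2%A0%80.hta",        # same trick, URL-encoded
        "notes.pdf.hta",                          # plain double extension
        "Report.pdf",                             # benign
        "archive.tar.gz",                         # benign double extension
    ]
    for sample in samples:
        result = assess(sample)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{verdict:10} true={result['true_extension']!r:8} "
              f"decoy={result['decoy_extension']!r:8} {'; '.join(result['reasons'])}")
```

The check deliberately does not trust the extension a user would see: it strips the invisible padding first, then compares what remains in front of the real extension, which is exactly the gap the spoof exploits. Feeding it names from an archive listing or a download directory gives a quick triage signal before any file is opened.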
We advise concerned Windows users to exercise extra caution when opening .url files from unknown sources, because this kind of attack depends on user involvement to be successful.