Skip to content

Microsoft’s threat intelligence (MSTIC) and security response (MRSC) centres have published a report detailing how a threat actor, known as KNOTWEED, has been developing and selling malware that, among other methods, is deployed through the exploitation of zero-day vulnerabilities.

Some of the victims of this attack include banks and law firms in countries such as Austria, Panama, and the United Kingdom.

Some of the most recent observed attacks from this threat actor, which took place as recently as May 2022, involve exploiting vulnerabilities that allow for remote code execution on Adobe Reader, and a 0-day vulnerability on Windows that was used for privilege escalation. This vulnerability, known as CVE-2022-22047, has only recently been patched in Microsoft’s July 2022 security update and allowed the threat actors to achieve system-level code execution and deploy their malware, named Subzero. In this instance, KNOTWEED was able to access the victim’s system by packaging their malware into a PDF and sending it out via email.

In addition to PDFs, the group has also been seen spreading malware using malicious Excel documents. These documents were often disguised as being from real estate agents and relied on macros to execute code that would fetch malware from KNOTWEED’s command-and-control (C2) server.

The threat actor also makes use of JPEG images in the deployment of their malware. Images such as the one below have extra data added onto the end of the image file and are used to download the last part of the Subzero malware. These jpegs are written to the user’s %TEMP% directory:

Subzero, the malware developed and sold by KNOTWEED, has several capabilities, including keylogging, taking screenshots, exfiltrating files, executing code remotely via a remote shell, and running plugins downloaded from the threat actor’s C2 server. Microsoft also listed a number of other programs that KNOTWEED has been seen using, such as tools designed for evading firewalls,  extracting passwords, pin codes, and hashes, and assessing the security level of a target’s Active Directory.

Some of the actions undertaken once a target had been compromised included enabling plaintext credentials, dumping credentials, attempting to access email accounts using dumped credentials, and running PowerShell scripts.

The full report from Microsoft, including indicators of compromise, can be read here.


Microsoft recommends prioritising patching CVE-2022-22047, which can be done by updating your system with the July 2022 security update. Additionally, checking that your antivirus and firewall are on the latest updates is highly important, as this threat actor is making use of recently found zero-day vulnerabilities.

As this group spreads its malware using macros in PDFs and Excel documents, ensuring that macros are disabled is a key step in protecting your system from this type of attack. Microsoft has a guide on disabling macros on Office documents here.

As always, educating colleagues in your workplace to spot the signs of a phishing attack can help prevent this malware from getting onto your system.

Related Links: