Type: Unknown

Scarcruft APT Status: Active

Scarcruft APT Other Names: Operation Daybreak/ Operation Erebus

Scarcruft APT Active Since/Discovered: March 2016

Last Report: January 2017


  • Russia, Nepal, South Korea, China, India, Kuwait and Romania
  • US Mobile advertiser
  • Individuals related to the International Association of Athletics Federations
  • A restaurant located in one of the top malls in Dubai

Target Sectors: Asian Law Enforcement, Asian Trading companies, Telecommunications


  • Trojan.Win32.ScarCruft.gen. “yay_release.dll”
    • implements read/write operations at a particular address in memory that can allow for full remote code execution
    • loaded directly into the exploited application and has several methods of payload execution
    • One method bypasses modern anti-malware
      • Exploits bug in Windows DDE component
    • cfgifut.dll
    • cldbct.dll
    • cryptbase.dll
    • msfte.dll
    • Example watering-hole attack vulnerability (CVE-2016-4171)  located in the code which parses the ExecPolicy metadata information
  • Third-party spy tools

Preferred Attack Vector:  Spear-phishing, watering-hole attack


  • Flash Exploit CVE-2016-4171
  • CVE-2016-4117
  • CVE-2016-1010
  • CVE-2016-0147 – vulnerability in Microsoft XML Core Services – patched April 2016
  • modules are signed by an invalid digital certificates listed as “Tencent Technology (Shenzhen) Company Limited” with serial numbers, copied from real Tencent certificate
  • Exploit kit performs a couple of browser checks before redirecting the visitor to a server controlled by the attackers hosted in Poland
  • Main exploit page script contains a BASE64 decoder, as well as rc4 decryption implemented in JavaScript


  • Exploits a flaw in Windows DDE component to bypass modern anti-virus
Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Consent to display content from Youtube
Consent to display content from Vimeo
Google Maps
Consent to display content from Google