Knotweed threat actors exploit Microsoft and Adobe 0-days and deliver Subzero malware

Knotweed threat actors have exploited Microsoft and Adobe 0-day vulnerabilities in targeted attacks against European and Central American customers. The actors also developed Subzero malware used in these attacks.

According to Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) teams, the actors have exploited a recently patched Windows CSRSS Elevation of Privilege Vulnerability CVE-2022-22047.

The issue was patched as part of Microsoft’s July 2022 security updates, that fixed 84 vulnerabilities, to include CVE-2022-22047 (CVSS 7.8) that affects multiple Windows server and desktop OS versions.

Microsoft confirmed “an attacker who successfully exploited this vulnerability could gain SYSTEM privileges” and “exploitation was detected.”


According to Microsoft, Knotweed is an Austria-based private-sector offensive actor (PSOA) also known as DSIRF.

Several news reports previously revealed the group developed and attempted to sell a malware toolset called Subzero. In the latest attacks, Microsoft discovered the same malware was used in the 0-day exploits.

“MSTIC found the Subzero malware being deployed through a variety of methods, including 0-day exploits in Windows and Adobe Reader, in 2021 and 2022,” Microsoft explained in a blog post.

Moreover, the Microsoft security team found links between DSIRF and exploits/malware used in the recent attacks. Those links include common command-and-control (C2) infrastructure, GitHub account, and code signing certificate used to sign an exploit.

Knotweed actors were also observed in 2021 exploiting Windows privilege escalation vulnerabilities (CVE-2021-31199 and CVE-2021-31201), as well as an Adobe Reader exploit (CVE-2021-28550). These issues were all patched in June 2021. MSTIC confirmed the attackers used these as part of an exploit chain to deploy Subzero.

MSTIC also linked Subzero infections to a fourth exploit of a Windows privilege escalation vulnerability in the Windows Update Medic Service (CVE-2021-36948), which was patched in August, 2021.

This issue could allow an attacker to force the service to load an arbitrary signed malicious DLL (in latest attacks signed by ‘DSIRF GmbH’).

Readers can check out the full report for more details on Knotweed’s malware and tactics, techniques, and procedures (TTPs), DSIRF-connected infrastructure used in the recent attacks, and recommended mitigations.

Related Articles