- Trend Micro detects malware presented as a PoC fork for a major Windows vulnerability
- The malware acts as an information thief, stealing vital information from the system.
- These types of attacks are often carried out by nation states
Cybercriminals are targeting security researchers with fake proof-of-concept (PoC) solutions, trying to infect their computers with information-stealing malware, experts have warned.
Cybersecurity researchers Trend Micro, who spotted the new campaign in January 2025, noted how scammers would post a PoC for a popular critical severity vulnerability, in order to attract the attention of cybersecurity specialists.
Researchers would then retrieve the PoC for analysis and end up installing malware instead.
Steal vital information from your PC
In this particular case, the attackers were announcing a fork of an existing, legitimate PoC for LDAPNightmare, a vulnerability discovered earlier in January and consisting of two flaws, CVE-2024-49112 and CVE-2024-49113.
The first serves as bait here, since it is a flaw of severity 9.8/10, affecting the LDAP protocol (Windows Lightweight Directory Access Protocol) and allowing remote code execution (RCE).
In her article, Sarah Pearl Camiling, a researcher at Trend Micro, said that “both vulnerabilities were considered very significant due to the widespread use of LDAP in Windows environments.” Both flaws were fixed in December 2024, via the Patch Tuesday cumulative update.
In the fake PoC, the crooks replaced some legitimate files with an executable named “poc.exe”. This would deploy a PowerShell script which, in turn, would deploy another script that steals data from the computer.
Here’s what the information thief does:
– PC information
– List of processes
– Directory listings (downloads, recent, documents and desktop)
– Network IP
– Network adapters
– Updates installed
This type of attack is not new: criminals have regularly been observed applying the same tactics in the past.
Although not discussed in the report, these types of attacks are often carried out by state actors, with the aim of gathering vital intelligence on the cybersecurity practices of large technology organizations, government companies, critical infrastructure, etc.
Via The register
