Posted: 3 Min ReadThreat Intelligence
Translation: 日本語

Attackers Exploit Unpatched Windows Zero-Day Vulnerability

Exploit of CVE-2023-36884 was used in targeted attacks against organizations in Europe and North America.

A zero-day vulnerability (CVE-2023-36884) affecting Microsoft Windows and Office products is being exploited by attackers in the wild. To date, the exploit has been used in highly targeted attacks against organizations in the government and defense sectors in Europe and North America.

The vulnerability was disclosed yesterday (July 11) by Microsoft, which said that an attacker could create a specially crafted Microsoft Office document that enables remote code execution on the target’s computer. In order for the exploit to succeed, the victim needs to open the malicious file. No patch has been released yet for the vulnerability. However, Microsoft is still investigating the issue and said a patch may be rolled out in its monthly release process or in an out-of-cycle security update. The company provided some mitigation guidance in its advisory.

How is the vulnerability being exploited?

According to a separate blog published by Microsoft, the vulnerability was being exploited by an actor it calls Storm-0978 (aka RomCom) in targeted attacks against defense and government organizations in Europe and North America. The exploit was contained in Microsoft Word documents that masqueraded as information about the Ukrainian World Congress.

The attacks were earlier documented by BlackBerry on July 8, which noted that the targets were guests for the upcoming NATO Summit. At the time, the use of the zero-day in the attacks was unknown.

Who is Storm-0978/RomCom?

Storm-0978/RomCom is a Russia-linked threat actor that has been involved in both espionage and cyber-crime activity. The group acquired its name through its use of the RomCom remote access Trojan (RAT). 

There are strong ties between it and a group Symantec calls Hawker, which is the developer of the Cuba ransomware family. The U.S Cybersecurity and Infrastructure Security Agency (CISA) has said that there are possibly links between Hawker, RomCom, and the Industrial Spy ransomware actors. A report published last year by Palo Alto also detailed how RomCom (whom it calls Tropical Scorpius) used the RomCom RAT to deliver the Cuba ransomware payload to victims.

While it is clear that there are strong ties between Storm-0978/RomCom and Hawker, it is unclear yet whether the two actors are one and the same. 

How severe is this vulnerability?

Until a patch is released, organizations should adopt all possible mitigation strategies. Although the vulnerability has, to date, been exploited in targeted attacks, news of its existence will doubtlessly lead other attackers to attempt to replicate the exploit.



  • Coverage is in place for Symantec’s email security products


  • Trojan.Mdropper
  • WS.Malware.1


  • Web Attack: Webpulse Bad Reputation Domain Request


  • Observed domains/IPs are covered under security categories in all WebPulse enabled products

Symantec is continuing to investigate further possible protection based on available information, and additional signatures may be introduced as analysis progresses. 

For the latest protection updates, please visit the Symantec Protection Bulletin.

Indicators of Compromise

If an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.





About the Author

Threat Hunter Team


The Threat Hunter Team is a group of security experts within Symantec whose mission is to investigate targeted attacks, drive enhanced protection in Symantec products, and offer analysis that helps customers respond to attacks.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.