Here is my writeup for 2 Windows kernel bugs I reported to MSRC. Both are race conditions that cause Use-After-Free. As there are very few Windows kernel writeups, I share my research methodology and more. Hope it helps other researchers. Share it😀
https://t.co/QVPqfb5HFf
Slides for our OffensiveCon talk (by me and @jmartijnb) https://t.co/F3yM2pIgwy:
A tiny mistake in a render config ➡️ corrupt a special GPU stack pointer register ➡️ GPU hardware “renders” pixels to the AP kernel directly ➡️ pwned
More presentations: https://t.co/0QOsr0uuTJ :)
Nightmare Eclipse guy has returned (as is tradition) and has released another Microsoft Windows zero day (as is tradition).
> releases zero day
> spells rogue wrong in file
> "rogeplanet"
smh
https://t.co/YrNJwGupvq
We live in interesting times.
Last month Linux patched a core UAF in the epoll subsystem; we rarely see these kinds of bugs.
As I like these kinds of bugs, I wrote a few words about it here: https://t.co/XIiPU7LSSN
My new blogpost is out! I can't think of another kernel bug quite as easy to exploit as this one 😭 Big shout out to @tehjh who said something along the lines of "Uh...Seth come check out this mmap handler" 😂
https://t.co/07PQim2ysp
Do not be worried that LLMs are going to find all the vulns - that is not the case at all.
Read: why vulnerability research is mathematically difficult: https://t.co/qhzOyzf5jP
Patch Diff to SYSTEM - using LLMs to exploit an LPE vuln on Windows. More importantly, some thoughts on model capabilities and the implications for our security industry https://t.co/wmPNfoLbt8
In the final part of his blog series, @tiraniddo tells the story of how a bug was introduced into a Windows API.
Code re-writes can improve security, but it’s important not to forget the security properties the code needs to enforce in the process.
https://t.co/MZHNks6eGc
It's been just over a year since CVE-2024-54529 was patched. To celebrate, I'm open-sourcing my full PoC exploit for this CoreAudio type confusion vulnerability 🔊
The code is right here! Enjoy: https://t.co/GRvILp6C84
We’re releasing our analysis of https://t.co/cAmTrO7mvx, a major game cheat targeted by multiple studios in recent legal actions. We partially deobfuscated several Themida-protected components and document how it hijacks Hyper-V to inject and manipulate game code.
https://t.co/ykGrHdl6ty
https://t.co/LhEXxeIcnF
Someone submitted the real CVE-2026-21509 sample to EXPMON last night!
Check out this submission:
https://t.co/5Cf6TDBQxz
The SHA256 of the sample, it's a RTF file:
c91183175ce77360006f964841eb4048cf37cb82103f2573e262927be4c7607f
While EXPMON didn't report the 0day immediately (this is well expected), it reported various highly suspicious Indicators, including the key Indicator named "activex compatibility shellexplorer registry key accessed". I shared how to use this key Indicator on EXPMON to hunt the 0day just days ago: https://t.co/Qwcvhb6VKa.
That's enough to investigate it manually in your local env, and I have just confirmed this is indeed the CVE-2026-21509 zero-day exploit!
My quick analysis showed that this is the initial attack vector sample in a full attacking chain. Thanks to EXPMON logs, I quickly found that the RTF file was trying to load the IE engine (the "ieframe.dll") while also trying to connect to the threat actor controlled server; one of the URLs is "\\wellnesscaremed[.]com\davwwwroot\venezia\Favorites\blank.doc" (see the pic attached). All activities are automatic, meaning as soon as the victim opens the Word document, the victim could be pwned. There's not just one but quite several OLE objects in the RTF which are, to be honest, quite sophisticated, showing the sophistication of the zero-day attack. Full details haven't been fully understood in such a short time.
The same sample was also listed/confirmed by the Ukrainian CERT https://t.co/PMi6u3r5Wr independently; there are more details in that article, please go check it out.
What a wild story! Thank you very much to the person who submitted the sample (and I received your message about adding the "unzip" feature:))! Once again it confirmed the effectiveness of the EXPMON system when it comes to detecting unknown 0day exploits.
Quickly, for defenders:
1. Please research all the things starting from the sample; this is the confirmed CVE-2026-21509 0day initial attack vector sample. Add detections (currently the detection ratio on VT is pretty low) for the full chain.
2. If you're a Microsoft Office user, please apply Microsoft's official patch or workarounds ASAP https://t.co/E6q8y0aZa0, as now the attacking exploit is well known so attacks are expected to increase rapidly.
For me, there's more work to do, including an EXPMON update for determinate detection against this 0day exploit. In the meantime, if you see the "activex compatibility shellexplorer registry key accessed" Indicator on EXPMON, please be cautious because that's likely the 0day sample/variants.
#CVE-2026-21509 #expmon #0day #zeroday #exploit #threatintel
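The thread above describes two static traits of the malicious RTF that defenders can triage for without executing the document: several embedded OLE objects, and object payloads that reference a remote WebDAV share (a UNC path containing `davwwwroot`). The following Python scanner is an added example, not EXPMON's code and not derived from the real sample: it pulls the hex `\objdata` blobs out of an RTF, decodes them, and reports OLE object counts, declared object classes and any UNC paths found in ASCII or UTF-16LE form. The RTF it scans is constructed inline with a placeholder host (`attacker-example.invalid`), and the `\objclass` value `Package` is likewise an assumption for the sample, not an observation about the real exploit.

```python
import re
from typing import Dict, List

# Standard RTF control words that introduce embedded OLE objects and their hex payloads.
OBJECT_RE = re.compile(rb"\\object\b")
OBJCLASS_RE = re.compile(rb"\\\*\\objclass\s+([^}\\]+)")
OBJDATA_RE = re.compile(rb"\\\*\\objdata\b([^}]*)")  # hex run ends when the group closes

# UNC path: \\host\share\... (backslashes allowed inside the tail, control chars and quotes not)
UNC_PATTERN = r"\\\\[A-Za-z0-9\-\.\[\]]+\\[^\x00-\x1f\"'<>|\s]{1,200}"
UNC_RE_BYTES = re.compile(UNC_PATTERN.encode("ascii"))
UNC_RE_STR = re.compile(UNC_PATTERN)


def extract_objdata_blobs(rtf: bytes) -> List[bytes]:
    """Decode every \\*\\objdata hex group into raw bytes (malformed groups are skipped)."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"[^0-9A-Fa-f]", b"", m.group(1))  # drop whitespace / line breaks
        if len(hexdata) % 2:
            hexdata = hexdata[:-1]  # truncated trailing nibble
        try:
            blobs.append(bytes.fromhex(hexdata.decode("ascii")))
        except ValueError:
            continue
    return blobs


def find_unc_paths(blob: bytes) -> List[str]:
    """Return UNC paths stored as ASCII or UTF-16LE (checked at both byte alignments)."""
    found = [m.decode("latin-1") for m in UNC_RE_BYTES.findall(blob)]
    for offset in (0, 1):
        text = blob[offset:].decode("utf-16-le", errors="ignore")
        found.extend(UNC_RE_STR.findall(text))
    return found


def scan_rtf(rtf: bytes) -> Dict:
    """Static triage: object count, declared classes, remote UNC/WebDAV references."""
    blobs = extract_objdata_blobs(rtf)
    paths = sorted({p for b in blobs for p in find_unc_paths(b)})
    return {
        "ole_objects": len(OBJECT_RE.findall(rtf)),
        "objdata_blobs": len(blobs),
        "objclasses": [c.strip().decode("latin-1") for c in OBJCLASS_RE.findall(rtf)],
        "unc_paths": paths,
        "webdav_paths": [p for p in paths if "davwwwroot" in p.lower()],
        # any remote reference inside an object payload is worth a manual look;
        # several objects plus a remote path matches the pattern described in the thread
        "suspicious": bool(paths),
    }


def build_sample_rtf() -> bytes:
    """Constructed sample document (placeholder host, NOT the real CVE-2026-21509 file)."""
    blob_ascii = (b"\x01\x05\x00\x00\x02\x00\x00\x00"
                  + b"\\\\attacker-example.invalid\\davwwwroot\\venezia\\Favorites\\blank.doc\x00")
    blob_utf16 = b"\x00\x00" + "\\\\attacker-example.invalid\\davwwwroot\\payload.doc".encode("utf-16-le")
    blob_benign = b"\x01\x05\x00\x00\x02\x00\x00\x00hello"
    parts = [rb"{\object\objemb{\*\objclass Package}{\*\objdata " + blob.hex().encode() + b"}}"
             for blob in (blob_ascii, blob_utf16, blob_benign)]
    return rb"{\rtf1\ansi " + b"\n".join(parts) + b"}"


if __name__ == "__main__":
    report = scan_rtf(build_sample_rtf())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real file with `scan_rtf(open(path, "rb").read())`; a non-empty `webdav_paths` list is the trait to pivot on when hunting for variants, and the hostnames in `unc_paths` can be fed straight into network-level blocking or DNS log searches.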
Spent some time recreating the ‘Blastpass’ iOS exploit in a faked target process, to understand the heap shaping strategy first-hand. Video here
https://t.co/yTbHslvhMG
Our intrepid 20%-er @dillon_franke exploited a vulnerability in CoreAudio. See his process for gaining privilege escalation on a Mac:
https://t.co/hTFagZqBRz
Starting 2026 with a new blog! I've really been enjoying my Windows on ARM machine - so my post is about interrupts for WoA. This includes x64/ARM differences, virtual interrupts, Hyper-V's synthetic controller, and Secure Kernel interrupts/intercepts
https://t.co/HvSbtsCtGu