Project Zero, Google’s zero-day bug-hunting team, has published a blog article detailing the exploit chains discovered last October and warned that the latest discovery is tied to a February 2020 campaign that included the use of multiple zero-days.

While the February 2020 attacks targeted only Android and Windows devices, the October incidents also involved iOS. The actor appears well versed in Windows and Apple exploitation: the chains gained remote code execution through Google Chrome and Safari.


The zero-day flaws exploited in the February 2020 campaign were as follows:

Below you can find a list of the seven zero-days exploited by the threat actor in October 2020:

According to researcher Maddie Stone, the actor behind the February 2020 campaign went quiet for a few months and returned in October with dozens of websites redirecting to an exploit server. After fingerprinting that server, the team found the same sites also linked to a second exploit server, and every discovered domain turned out to point to both.

The first exploit server initially responded only to iOS and Windows user-agents and stayed up for more than a week after Project Zero began pulling exploits from it. It served a remote code execution exploit for Chrome's rendering engine and, once that bug was patched, swapped it for a new V8 zero-day.

The second exploit server responded to Android user-agents and stayed up for roughly 36 hours. It served exploit chains for zero-days in Chrome and the Samsung Browser on Android devices.

Exploit server #1:

  • Initially responded to only iOS and Windows user-agents
  • Remained up and active for over a week from when we first started pulling exploits
  • Replaced the Chrome renderer RCE with a new v8 0-day (CVE-2020-16009) after the initial one (CVE-2020-15999) was patched
  • Briefly responded to Android user-agents after exploit server #2 went down (though we were only able to get the new Chrome renderer RCE)

Exploit server #2:

  • Responded to Android user-agents
  • Remained up and active for ~36 hours from when we first started pulling exploits
  • In our experience, responded to a much smaller block of IP addresses than exploit server #1
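The two server descriptions above boil down to gating on two signals, the User-Agent header and the client's source IP block, which is why Project Zero had to pull exploits with different user-agents and saw different behaviour from different addresses. The following is an added example of how an analyst can map that gating by differential probing; it is not Project Zero's tooling and not code from the original post. The fake server, its UA families, the CIDR allowlist, the user-agent strings and the probe IPs are all constructed so the probe runs offline; against a real server the `fetch` callable would wrap an HTTP client and the source IP would be whatever egress you probe from.

```python
"""Differential probing of a suspected exploit server for user-agent and
source-IP gating.

Constructed example: not Project Zero's tooling and not code from the
original page. The fake server below (its UA families, CIDR allowlist and
response bodies) is invented to model the behaviour described above:
server #1 answering iOS/Windows user-agents from almost anywhere, server #2
answering Android user-agents from a much narrower IP block.
"""
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Set, Tuple

# Representative user-agent strings per platform family (constructed).
UA_PROFILES: Dict[str, str] = {
    "windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36",
    "ios": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_6 like Mac OS X) "
           "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 "
           "Mobile/15E148 Safari/604.1",
    "android": "Mozilla/5.0 (Linux; Android 10; SM-G973F) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/86.0.4240.75 Mobile Safari/537.36",
    "curl": "curl/7.68.0",  # generic baseline: what a non-victim gets
}

# (user_agent, source_ip) -> response body, or None if the server stays silent
Fetch = Callable[[str, str], Optional[bytes]]


def ua_family(ua: str) -> str:
    """Crude server-side classification of a User-Agent header."""
    if re.search(r"Windows NT", ua):
        return "windows"
    if re.search(r"iPhone|iPad", ua):
        return "ios"
    if re.search(r"Android", ua):
        return "android"
    return "other"


def make_fake_server(target_families: Set[str], allowed_cidrs: List[str]) -> Fetch:
    """Build an in-process stand-in for a gated exploit server (constructed).

    Requests from outside the allowlist get no answer at all; requests from an
    allowed IP with a targeted UA get a stage-1 payload; everything else gets
    a benign decoy page.
    """
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]

    def fetch(ua: str, src_ip: str) -> Optional[bytes]:
        if not any(ipaddress.ip_address(src_ip) in n for n in nets):
            return None  # silently dropped, like an IP-gated server
        fam = ua_family(ua)
        if fam in target_families:
            return f"<script>/* stage1 for {fam} */</script>".encode()
        return b"<html><body>Nothing to see here.</body></html>"

    return fetch


def probe(fetch: Fetch, src_ips: List[str], baseline: str = "curl") -> Dict[Tuple[str, str], str]:
    """Fetch with every UA profile from every source IP and diff each body
    against the baseline UA's body from the same IP.

    Each (family, ip) cell is labelled:
      "dropped" - no response at all (IP-gated),
      "decoy"   - same content as the baseline UA,
      "served"  - content that differs from the baseline (UA-gated payload).
    """
    results: Dict[Tuple[str, str], str] = {}
    for ip in src_ips:
        base_body = fetch(UA_PROFILES[baseline], ip)
        for fam, ua in UA_PROFILES.items():
            body = fetch(ua, ip)
            if body is None:
                status = "dropped"
            elif fam != baseline and body != base_body:
                status = "served"
            else:
                status = "decoy"
            results[(fam, ip)] = status
    return results


def gating_summary(results: Dict[Tuple[str, str], str]) -> Dict[str, List[str]]:
    """Collapse the probe matrix into the two facts an analyst wants: which UA
    families ever received distinct content, and which source IPs were
    answered at all."""
    served = sorted({fam for (fam, _), s in results.items() if s == "served"})
    answered = sorted({ip for (_, ip), s in results.items() if s != "dropped"})
    return {"served_families": served, "answered_ips": answered}


# Two constructed servers mirroring the behaviour described in the post.
EXPLOIT_SERVER_1: Fetch = make_fake_server({"windows", "ios"}, ["0.0.0.0/0"])
EXPLOIT_SERVER_2: Fetch = make_fake_server({"android"}, ["203.0.113.0/24"])
PROBE_IPS = ["203.0.113.10", "198.51.100.7"]  # RFC 5737 documentation ranges

if __name__ == "__main__":
    for name, srv in (("server #1", EXPLOIT_SERVER_1), ("server #2", EXPLOIT_SERVER_2)):
        print(name, gating_summary(probe(srv, PROBE_IPS)))
```

The point of diffing against a baseline user-agent rather than pattern-matching for known exploit markup is that the payload changes (server #1 swapped its Chrome renderer exploit for a V8 exploit mid-campaign) while the decoy page stays stable; any cell whose body differs from what a generic client receives is worth pulling and archiving. Probing from several egress addresses is what exposes the second signal: a server that answers nobody from a given range, regardless of user-agent, is IP-gated, and no amount of user-agent rotation from that range will recover its exploits.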

