Skip to content
July 18, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Data
    • CVE Watchtower
    • Top Exploited CVEs
    • CVE Stats by Vendor
    • Q2 2026 Report
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Weekly Recap
Light/Dark Button
  • Home
  • News
  • Malware
  • TA505 spreads FlawedAmmyy RAT by editing SettingContent-ms on PDF files
  • Malware

TA505 spreads FlawedAmmyy RAT by editing SettingContent-ms on PDF files

Do Son July 25, 2018 3 minutes read
FlawedAmmyy RAT
Add Daily CyberSecurity as a preferred source on Google

The well-known financial criminal group TA505 has manipulated a large-scale spam campaign that uses a brand new carrier to spread the FlawedAmmyy RAT, which contains a weaponised PDF of malicious SettingContent-ms files.

The SettingContent-ms file format introduced in Windows 10; it allows users to create “shortcuts” for various Windows 10 settings pages.

The code for this method also runs under the radar, and maliciously crafted files bypass only specific Windows 10 defences, such as attack surface reduction (ASR) and detecting dangerous file formats embedded in OLE. Of course, having a victim open a funky file format attached to an email can be a challenge, so attackers have begun inserting these formats into attachments that look even more harmless.

Therefore, SpecterOps researchers in June found that someone abused the SettingContent-ms file format in Microsoft Word documents. Subsequently, last week, Proofpoint researchers observed that this method has evolved and is being extended to PDF documents—a new technology that was previously unknown.


“On July 16 we observed a particularly large campaign with hundreds of thousands of messages attempting to deliver PDF attachments with an embedded SettingContent-ms file. The messages in the campaign used a simple lure asking the user to open the attached PDF,” Proofpoint researchers report.

When you open the file, Adobe Reader displays a warning asking the user if they want to open the file because it tries to run the embedded “downl.SettingContent-ms” via JavaScript, just like any file format embedded in the PDF. If the target victim clicks OK, the PowerShell command included in the <DeepLink> element will deploy the FlawedAmmyy RAT.


The RAT has been active since 2016 and was only included in the scope of research by researchers earlier this year. The RAT is based on the leaked source code of Ammyy Admin Remote Desktop Software version 3, which includes remote desktop control, file system manager, proxy support and audio chat.

“For infected individuals, the attacker has full access to their computer, enabling threat actors to access various services, stealing files and credentials, etc. We saw FlawedAmmyy in two large-scale events. It may create large-scale attacks and targeted activities that provide opportunities for actors to steal customer data, proprietary information, etc.”

The basis for judging these activities to the financial criminal group TA505 is email messages, payloads, and other identifying features. The TA505 launched a large-scale malspam campaign to distribute a range of payloads using the Necurs botnet, including Dridex Bank Trojans, Locky ransomware, Jaff ransomware, Trick Bank Trojans, and several other payloads. It runs a variety of C&C servers, giving it the flexibility to remove, sinkholes and other defence operations.

The Proofpoint researchers said, “TA505 tends to operate at very large scale and sets trends among financially motivated actors because of their reach and campaign volumes. Our attribution is based on email messages, as well as payload and other identifying characteristics.”

Source, Image: Proofpoint

Related coverage

  • Cybercrime Crackdown: U.S. Captures Russian Trickbot Malware Developer
  • OCRFix: When Fake CAPTCHAs, AI, and Blockchains Collide to Build a Botnet
  • Attackers Hijack 360 Total Security to Deliver SSLoad
  • DOUBLELOADER Malware Uses ALCATRAZ Obfuscator to Evade Detection
  • Asyncshell: The Evolution of APT-K-47’s Cyber Arsenal
Track all actively exploited CVEs →

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Share this article:

Facebook Post LinkedIn Telegram
Written by
@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Tags: FlawedAmmyy RAT

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-6875CVSS 9.5
    ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability...
    Admin intel📅 Updated: Jul 18, 2026
  • CVE-2026-39808CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-25089CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-58644CVSS 9.8
    Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2023-4346CVSS 7.5
    KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to...
    CISA KEV📅 Added to KEV: Jul 15, 2026
  • CVE-2026-53362
    In the Linux kernel, the following vulnerability has been resolved: ipv6: account for fraggap on the paged allocation...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-46242CVSS 7.8
    In the Linux kernel, the following vulnerability has been resolved: eventpoll: fix ep_remove struct eventpoll / struct file...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-56155CVSS 7.8
    Insufficient granularity of access control in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate...
    CISA KEV📅 Added to KEV: Jul 14, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-16117CVSS 10.0
    Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the...
  • CVE-2026-47865CVSS 9.8
    VMware Avi Load Balancer contains an authentication bypass vulnerability. A malicious user...
  • CVE-2026-55518CVSS 9.6
    Avo is a framework to create admin panels for Ruby on Rails...
  • CVE-2026-54159CVSS 10.0
    PrestaShop ps_facetedsearch is a module that adds layered navigation filters. From 3.0.0...
  • CVE-2026-48062CVSS 9.8
    CodeIgniter is a PHP full-stack web framework. Prior to 4.7.3, the ext_in...
  • CVE-2026-13446CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.1 contains hard-coded credentials, such as a password...
  • CVE-2026-8859CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow an attacker to...
  • CVE-2026-8635CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to escalate privileges...
  • CVE-2026-8505CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook...
  • CVE-2026-8476CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Top Exploited CVEs
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • Disclaimer
    • DCMA
    • Privacy Policy
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • CVE Watchtower
    • CVE Statistics by Vendor 2026
    • Q2 2026 Report
    • Top Exploited CVEs
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.