CVE-2019-16098
Published: 2019-09-11
Priority: P183 (high)
CVSS 3.1: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: Exploited in the wild (ITW), VulnCheck KEV, Ransomware
EPSS: 18.19% (96.8th percentile)
The driver in Micro-Star MSI Afterburner 4.6.2.15658 (aka RTCore64.sys and RTCore32.sys) allows any authenticated user to read and write to arbitrary memory, I/O ports, and MSRs. This can be exploited for privilege escalation, code execution under high privileges, and information disclosure. These signed drivers can also be used to bypass the Microsoft driver-signing policy to deploy malicious code.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msi | afterburner | — | — |
Detection & IOCs (extracted from sources)
- Detect presence of RTCore64.sys or RTCore32.sys (MSI Afterburner vulnerable driver) loaded on systems where MSI Afterburner is not legitimately installed; this indicates Bring-Your-Own-Vulnerable-Driver (BYOVD) abuse of CVE-2019-16098.
- Monitor for IOCTL requests sent to RTCore64.sys that modify HANDLE_TABLE_ENTRY.GrantedAccessBits to PROCESS_ALL_ACCESS (0x1fffff); this is characteristic of the ProcBurner tool abusing CVE-2019-16098 to kill protected processes.
- Alert on OpenProcess calls using PROCESS_QUERY_LIMITED_INFORMATION (0x1000) against security product processes, followed by driver IOCTL activity; this is consistent with ProcBurner's workflow of escalating handle access via RTCore64.sys.
- Hunt for the signed but outdated RTCore64.sys being dropped and loaded on endpoints; the valid signature allows it to bypass Microsoft driver-signing policy while still being exploitable via CVE-2019-16098.
- Note: the vulnerable RTCore64.sys carries a valid Microsoft-accepted signature despite being exploitable, so signature-based driver allowlisting alone will not block its abuse; version and hash checks are required.
- Note: CVE-2019-16098 grants arbitrary kernel read/write to any authenticated user, so exploitation does not require administrator privileges at the point of IOCTL invocation; detections scoped to lower-privilege accounts are still relevant.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| VulnCheck | n/a | 7.8 | HIGH | n/a |
GHSA
GHSA-pgj3-5w38-pg9m (ghsa_unreviewed, 2022-05-24): CVE-2019-16098 [HIGH], CWE-125. The advisory text is identical to the CVE description above.
VulnCheck
msi afterburner Out-of-bounds Read (vulncheck, 2019, CVSS 7.8, CVE-2019-16098 [HIGH]). The record's description is identical to the CVE description above.
Affected: msi afterburner
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/; https://thehackernews.com/2022/10/blackby
No detection rules found.
No public exploits indexed.
Trendmicro
## Hack the Real Box: APT41’s New Subgroup Earth Longzhi
blogs_trendmicro · 2022-11-09 · APT & Targeted Attacks
By: Hara Hiroaki, Ted Lee, Nov 09, 2022
We looked into the campaigns deployed by a new subgroup of advanced persistent threat (APT) group APT41, Earth Longzhi. This entry breaks down the technical details of the campaigns in full as presented at HITCON PEACE 2022 in August.
In early 2022, we investigated an incident that compromised a company in Taiwan. The malware used in the incident was a simple but custom Cobalt Strike loader. After further investigation, however, we found incidents targeting multiple regions using a similar Cobalt Strike loader. While analyzing code similarities and tactics, techniques, and procedures (TTPs), we discovered that the actor behind this att…
arXiv
## Plug. Play. Persist. Inside a Ready-to-Go Havoc C2 Infrastructure
arxiv_fulltext · 2025-06-30 · CVSS 9.8 · [CRITICAL]
Alessio Di Santo ([email protected]), Università degli Studi dell’Aquila, L’Aquila, Abruzzo, Italy
Date: July 1, 2025
"Non videmus ea quae mox futura sunt" (We do not see the things that will soon be), Marcus Tullius Cicero
## Executive Summary
This analysis focuses on a single Azure-hosted Virtual Machine at 52.230.23[.]114 that the adversary converted into an all-in-one delivery, staging and Command-and-Control node. The host advertises an out-of-date Apache 2.4.52 instance whose open directory exposes phishing lures, PowerShell loaders, Reflective Shell-Code, compiled Havoc Demon implants and a toolbox of lateral-movement binaries; the same server als…