CVE-2024-6473
Published 2024-09-03
Priority: P2 75 · Severity: high · CVSS 3.1 base score: 7.8
Vector metrics: AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
ITW: VulnCheck KEV
Exploited in the wild
EPSS: 0.72% (49.1st percentile)
Yandex Browser for Desktop before 24.7.1.380 has a DLL Hijacking Vulnerability because an untrusted search path is used.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| yandex | browser | < 24.7.1.380 | 24.7.1.380 |
| yandex | yandex_browser | < 24.7.1.380 | 24.7.1.380 |
Detection & IOCs (extracted from sources)
Filename IOC: winsta.dll
- Detect DLL hijacking via untrusted search path in Yandex Browser for Desktop — monitor for unexpected DLL loads (e.g., winsta.dll) from non-standard or user-writable directories in the Yandex Browser process context.
- Hunt for machine-specific decryption keying using firmware UUID — payloads are decrypted using the host's firmware UUID as an environmental guardrail, making sandbox detonation ineffective; look for WMI or registry queries for firmware UUID in loader processes.
- Detect AMSI bypass attempts and debugger evasion techniques in PowerShell or .NET loader processes associated with Yandex Browser exploitation chains.
- Monitor for HTTPS C2 traffic using domain fronting to CDN-mimicking domains matching the pattern ms-appdata-*.global.ssl.fastly.net, associated with the Trinper backdoor.
- Correlate spearphishing emails disguised as forum invitations or service notifications with subsequent Yandex Browser process anomalies (unexpected child processes, DLL side-loading) as initial access indicators for Team46/TaxOff.
- Hunt for identical PowerShell patterns shared between TaxOff and Team46 operations as a pivoting indicator across intrusions attributed to this threat actor.
- Monitor for Trinper backdoor behaviors: keylogging, clipboard theft, file/process discovery activity originating from processes spawned under or related to Yandex Browser.
- The DLL hijacking vulnerability affects only Yandex Browser for Desktop versions prior to 24.7.1.380; patched versions are not affected.
- The domain pattern ms-appdata-*.global.ssl.fastly.net is a wildcard CDN-mimicking pattern; blocking it broadly may impact legitimate Fastly-hosted services — scope detections carefully.
- Environmental guardrails using firmware UUID mean payloads will not execute outside the targeted host, limiting dynamic analysis effectiveness in sandboxes.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 8.4 | HIGH | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | | 8.4 | HIGH | |
GHSA
GHSA-p7m8-prjf-m93h: Yandex Browser for Desktop before 24 (ghsa_unreviewed · 2024-09-03 · CVE-2024-6473 · HIGH · CWE-426)
Yandex Browser for Desktop before 24.7.1.380 has a DLL Hijacking Vulnerability because an untrusted search path is used.
VulnCheck
CVE-2024-6473 [HIGH] yandex yandex_browser Untrusted Search Path (vulncheck · 2024 · CVSS 8.4)
Yandex Browser for Desktop before 24.7.1.380 has a DLL Hijacking Vulnerability because an untrusted search path is used.
Affected: yandex yandex_browser
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://st.drweb.com/static/new-www/news/2024/september/Study_of_a_targeted_attack_on_a_Russian_rail_freight_operator_en.pdf; https://news.drweb.com/show/review/?lng=en&i=14965; https://ptsecurity.com/ru-ru/research/analytics/russia-cyberthreat-landscape-2026/#id11
No detection rules found.
No public exploits indexed.
Threat Intel
Team46 (threat_intel · CVSS 8.4 · CVE-2025-2783 [HIGH])
# Threat Actor: Team46
## Description
Team46 is a sophisticated APT group active since at least late 2024, targeting Russian government, academic, and media organizations through spearphishing emails disguised as forum invitations or service notifications. They exploit zero-day vulnerabilities like CVE-2025-2783 in Google Chrome (March 2025, Operation ForumTroll) and CVE-2024-6473 in Yandex Browser, deploying multi-stage loaders (e.g., winsta.dll, donut shellcode) that decrypt payloads using machine-specific keys like firmware UUID for environmental guardrails. Key malware includes the Trinper backdoor for keylogging, clipboard theft, file/process discovery, and encrypted C2 exfiltration over HTTPS with domain fronting, alongside auxiliary .NET tools (dirlist.exe, ProcessList.exe) and var