A North Korean state-backed threat actor known as APT37 has exploited a zero-day vulnerability in the Internet Explorer browser to infect targets in South Korea with malware.

The said flaw (CVE-2022-41128) is a buffer overflow issue within the JScript9 engine in IE. A remote attacker can trick the victim into visiting a malicious website, trigger memory corruption and execute arbitrary code on the target system.

The vulnerability came to light in late October 2022, when Google’s Threat Analysis Group (TAG) noticed that multiple South Korean users began uploading a malicious Microsoft Office document to VirusTotal.

The document referenced the tragic incident in the neighborhood of Itaewon, in Seoul, South Korea during Halloween celebrations on October 29, 2022, when more than a hundred people were killed. Upon investigation, TAG observed the attackers abused a zero-day vulnerability in the JScript engine of Internet Explorer. The team notified Microsoft about the vulnerability and it was fixed as part of the November 2022 Patch Tuesday release.

The researchers said they weren’t able to identify the final payload the attackers delivered in this campaign, but noted that previously APT37 was observed deploying a variety of malware families like Rokrat, BlueLight, and Dolphin on the infected systems.