返回 TI 主页
Foxmail official thanks! APT-Q-12 exploits high-risk vulnerabilities in email clients to target domestic corporate users

By 红雨滴团队 | 事件追踪

Overview

The RedDrip team of Qi'anxin Threat Intelligence Center observed abnormal behavior in the customer's network during the threat intelligence hunting process in early 2025, and assisted in the emergency response by tracing back to the source of the initial email attack and extracting the relevant emails, and the analysis showed that the attackers combined to exploit the high-risk vulnerabilities existing in the Foxmail client (QVD-2025-13936), and that the victim could trigger remote command execution by simply clicking on the emails themselves. The victim only need to click on the email itself can trigger remote command execution, and ultimately execute the landing of the Trojan horse. The Intelligence Center first reproduced and confirmed the discovered new vulnerability, and reported it to Tencent Foxmail business team. The vulnerability has now been fixed and the latest version of Foxmail 7.2.25 (2025-03-28) is unaffected, with thanks from the Foxmail team.

Qi'anxin Threat Intelligence Center strongly recommends Foxmail users to update their software to the latest version to avoid being attacked by the exploitation of the vulnerability. Currently, ASRock V10 Advanced Threat Module can support the blocking of this vulnerability, and it is recommended for ASRock customers to deploy ASRock in the office area and the server area at the same time, and turn on the cloud checking function to protect against the unknown threats:


Technical details

The technique used in this attack is a continuation of our previously disclosed Operation DevilTiger[1] operation, and the combination of the Web vulnerability+ and the built-in browser vulnerability to achieve remote command execution is still the most aggressive breakout operation for clients of this type of CEF software:

In this event APT-Q-12 uses a brand new TEMA written in the Rust language with file uploading, cmd execution, file reading, ssh tunneling and more:


Detection

Currently, the full line of products based on the threat intelligence data from the Qi'anxin Threat Intelligence Center, including the Qi'anxin Threat Intelligence Platform (TIP), SkyRock, SkyEye Advanced Threat Detection System, Qi'anxin NGSOC, and Qi'anxin Situational Awareness, already support the accurate detection of such attacks.


IOC

not available at this time


Reference Links

[1]. https://ti.qianxin.com/blog/articles/operation-deviltiger-0day-vulnerability-techniques-and-tactics-used-by-apt-q-12-disclosed-cn/

APT VULNERABILITIES
首页
Foxmail official thanks! APT-Q-12 exploits high-risk vulnerabilities in email clients to target domestic corporate users