Multiple Windows, Adobe Zero-Days Anchor Knotweed Commercial Spyware

Microsoft flagged the company's Subzero tool set as on offer to unscrupulous governments and shady business interests.

A cyber-weapons broker dubbed Knotweed has been outed, with Microsoft flagging it as being behind numerous spyware attacks on law firms, banks, and strategic consultancies in countries around the world.

To boot, Knotweed has made a habit of incorporating rafts of Windows and Adobe zero-day exploits into its spyware since at least 2021, according to Microsoft.

Knotweed falls into a murky category of so-called "private sector offensive actors" (PSOAs, aka commercial spyware vendors) that hawk their wares to unscrupulous governments and business interests. These ultrasophisticated (and expensive) tools are often used against dissidents, journalists, and other members of civil society, but they've been known to enable straightforward corporate espionage too.

In the Shadows

The breed is best exemplified by the infamous NSO Group and Pegasus mobile spyware, but many others lurk in the shadows, Microsoft warned.

One such is Knotweed, which is an alias for an Austrian outfit called DSIRF. It's a company that, as Microsoft explained in a post on Wednesday, "ostensibly sells general security and information analysis services to commercial customers." But that's only part of the story, according to the computing giant.

"DSIRF has been linked to the development and attempted sale of a malware toolset called Subzero, which enables customers to hack into their targets' computers, phones, network infrastructure and internet-connected devices," according to the analysis.

The aforementioned Microsoft and Adobe bugs in the tool set (detailed in a technical breakdown) have been seen in recent cyberattacks against targets in Austria, Panama, and the United Kingdom. In addition to publishing software updates to plug the holes on a regular basis, Microsoft has also published a Subzero malware signature for defense.

More action is needed on a broader level, given that DSIRF will not be the last PSOA to come to light, as Microsoft researchers explained in a brief sent to Congress on Wednesday.

"We are increasingly seeing PSOAs selling their tools to authoritarian governments that act inconsistently with the rule of law and human rights norms," according to the brief (PDF). "We welcome Congress's focus on the risks and abuses we all collectively face from the unscrupulous use of surveillance technologies and encourage regulation to limit their use both here in the United States and elsewhere around the world."

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights