Mozilla: Russian hackers hit France with “zero-click” attack using critical Windows flaws

Russian Hackers Exploit Zero-Click Vulnerabilities in Windows and Firefox to Target Europe and U.S.

Security researchers at ESET have uncovered a sophisticated cyberattack campaign attributed to the Russian hacking group RomCom (also tracked as Storm-0978, Tropical Scorpius, or UNC2596), which leveraged two critical vulnerabilities to gain full remote control over targeted systems without requiring any user interaction.

The attack combined CVE-2024-9680, a flaw in Mozilla Firefox, Tor Browser, and Thunderbird, with CVE-2024-49039, a vulnerability in Windows’ Task Scheduler. Victims were lured to a malicious website, which exploited the Firefox flaw upon visit, creating a backdoor. The attackers then triggered the Windows vulnerability, executing a PowerShell process to deploy malware from a remote server. This "zero-click" technique allowed compromise without any user action, making detection particularly challenging.

The campaign primarily targeted Europe and the United States, with France among the hardest-hit nations. While the initial distribution method of the malicious link remains unclear, the infection process was nearly instantaneous once accessed.

Mozilla released patches for Firefox and Tor Browser on October 9, followed by Thunderbird on October 10, just 25 hours after being notified. Microsoft issued its fix for the Windows vulnerability on November 12. The swift response highlights the severity of the flaws, though the attack underscores the growing threat of zero-click exploits in cyber espionage.

Source: https://www.futura-sciences.com/en/russian-hackers-hit-france-with-zero-click-attack-using-critical-windows-flaws_22384/

Mozilla cybersecurity rating report: https://www.rankiteo.com/company/mozilla-corporation

"id": "MOZ1773865551",
"linkid": "mozilla-corporation",
"type": "Vulnerability",
"date": "12/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"