title: Windows MSHTML Spoofing via .url File Phishing (Void Banshee) (CVE-2024-38112)
id: df00tech-cve-2024-38112
status: experimental
description: "CVE-2024-38112 is a high-severity (CVSS 7.5) spoofing vulnerability in the Windows MSHTML Platform. Threat actors crafted malicious .url files that, when opened, invoke Internet Explorer's MSHTML engine via the mhtml: URI handler — even on systems where IE is disabled or removed. This allowed attackers to bypass modern browser security controls and render attacker-controlled HTML/JavaScript content, leading to code execution or credential phishing. The vulnerability was actively exploited by the APT group Void Banshee as a zero-day to deliver infostealer malware (Atlantida Stealer) targeting North American and European organisations. CISA added this to the KEV catalog with a remediation deadline of July 30, 2024."
references:
  - https://attack.mitre.org/techniques/CVE-2024-38112/
  - https://df00tech.com/detections/CVE-2024-38112
author: df00tech
date: 2026/04/22
tags:
  - attack.cve-2024-38112
  - cve.2024-38112
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder logic replaced: the original auto-generated selection (EventID: '*') matched every
  # process_creation event. The selection below is derived from the description above (a crafted
  # .url file launches Internet Explorer through the mhtml: URI handler), not from the df00tech
  # KQL/SPL query; compare against that query and tune for your environment.
  selection:
    Image|endswith: '\iexplore.exe'
    CommandLine|contains: 'mhtml:'
  condition: selection
falsepositives:
  - "Legitimate use of mhtml: links in enterprise applications built on MSHTML components"
  - Old intranet applications requiring IE rendering mode (consider explicit allowlist of known URLs)
  - IT testing of legacy IE-dependent applications
level: high
