Microsoft categorizes fixed Trident bug as zero day

“Specifically, the attackers used special Windows Internet shortcut files (with the .url extension) that, when clicked, launched the outdated Internet Explorer (IE) to visit the attacker-controlled URL,” Li explained in a Check Point Research report published in July.

The URLs were used to download a malicious HTA file and prompt the user to open it. Once opened, a script is executed to install the Atlantida info-stealer.

These HTA files also exploited CVE-2024-43461 to hide the HTA file extension and make it appear as a PDF when Windows asked users whether to open the file. Microsoft's fix allows Windows to display the actual .hta extension after application, thus warning users about the malicious download.