Recent Cases of Watering Hole Attacks, Part 1
ID: d6eb93d9-b6a1-59f8-ab56-60bd922afab6
STIX ID: report--d6eb93d9-b6a1-59f8-ab56-60bd922afab6
Feed Name: JPCERT Blog
JPCERT/CC documents a 2023 watering-hole campaign that compromised a university research lab website to display a fake Adobe Flash Player update and trick users into downloading FlashUpdateInstall.exe. The dropper displays a decoy document while creating system32.dll, which is injected into Explorer (Early Bird Injection) to run a Cobalt Strike Beacon (v4.5, watermark '666666'). The report includes C2 domains hosted on Cloudflare Workers, multiple malware hashes, the Cobalt Strike configuration and observed anti-analysis/AV termination behaviors, providing actionable IOCs and TTPs for detection and mitigation.
