CVE-2018-4878: An Analysis of the Flash Player Hack

2018-02-08 Morphisec

https://blog.morphisec.com/cve-2018-4878-an-analysis-of-the-flash-player-hack


Morphisec analyzed in-the-wild exploitation of Adobe Flash Player CVE-2018-4878 shortly after Adobe patched the zero-day in February 2018. The exploit shipped inside a Flash wrapper that decrypted the actual exploit at runtime, with support for both 32-bit and 64-bit browsers. It triggered a use-after-free in a DRM object, then corrupted an array to gain read and write access to process memory, and used VirtualProtect to make its shellcode executable and CreateProcessA to spawn a cmd.exe process. The post-exploitation chain injected shellcode into that cmd.exe with CreateRemoteThread, then downloaded and executed a remote access Trojan from the C2 server. Morphisec attributed the activity to Group123 (also tracked as TEMP.Reaper) and warned that the vulnerability could be adapted for wider exploit-kit use.
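
The post-exploitation chain above (a Flash-hosting process spawns cmd.exe, then injects into it with CreateRemoteThread) is the kind of sequence endpoint telemetry can catch regardless of which Flash bug triggered it. The following is an added detection example written for this page, not code from Morphisec's post. It correlates constructed events whose fields are modelled on Sysmon Event ID 1 (ProcessCreate) and Event ID 8 (CreateRemoteThread); the event layout, the set of Flash host image names and the 60-second correlation window are all assumptions, not details from the report.

```python
"""Correlate process-creation and remote-thread events for the chain:
Flash host -> spawns cmd.exe -> CreateRemoteThread into that cmd.exe.

Added example for this page.  Event layout is modelled on Sysmon Event ID 1
(ProcessCreate) and Event ID 8 (CreateRemoteThread) but is an assumption, as
are the host image names and the time window.  All events below are constructed.
"""
import ntpath
from datetime import datetime, timedelta

# Assumed Flash-hosting processes.  The report names 32/64-bit browsers but not
# the image names; extend this set for your environment (e.g. Office hosts).
FLASH_HOSTS = {"iexplore.exe", "firefox.exe", "chrome.exe", "plugin-container.exe"}

# Assumed maximum delay between the cmd.exe spawn and the injection into it.
INJECT_WINDOW = timedelta(seconds=60)


def _name(path):
    """Case-insensitive basename of a Windows path.  ntpath splits on
    backslashes on any OS, so this also runs on a Linux analysis box."""
    return ntpath.basename(path).lower()


def find_injection_chains(events, hosts=FLASH_HOSTS, window=INJECT_WINDOW):
    """Return one record per cmd.exe that a Flash host spawned and then
    injected into with CreateRemoteThread within `window`.

    Correlation is by PID, so it assumes no PID reuse inside the window."""
    # Step 1: cmd.exe instances whose parent is a Flash host (Event ID 1).
    spawned_by_host = {}
    for ev in events:
        if (ev["id"] == 1
                and _name(ev["image"]) == "cmd.exe"
                and _name(ev["parent_image"]) in hosts):
            spawned_by_host[ev["pid"]] = ev

    # Step 2: a CreateRemoteThread (Event ID 8) whose source is that same
    # parent and whose target is the spawned cmd.exe, shortly afterwards.
    chains = []
    for ev in events:
        if ev["id"] != 8:
            continue
        spawn = spawned_by_host.get(ev["target_pid"])
        if spawn is None or ev["source_pid"] != spawn["ppid"]:
            continue  # injection from some other process is not this chain
        delay = (datetime.fromisoformat(ev["time"])
                 - datetime.fromisoformat(spawn["time"]))
        if timedelta(0) <= delay <= window:
            chains.append({
                "host_pid": spawn["ppid"],
                "host_image": _name(spawn["parent_image"]),
                "cmd_pid": spawn["pid"],
                "spawn_time": spawn["time"],
                "inject_time": ev["time"],
            })
    return chains


# Constructed sample telemetry (not real events): one malicious chain plus
# two benign look-alikes that must not be flagged.
SAMPLE_EVENTS = [
    {"id": 1, "time": "2018-02-08T10:01:00", "pid": 4321, "ppid": 4000,
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    # Malicious: browser spawns cmd.exe ...
    {"id": 1, "time": "2018-02-08T10:01:05", "pid": 5555, "ppid": 4321,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    # ... and injects into it one second later.
    {"id": 8, "time": "2018-02-08T10:01:06", "source_pid": 4321, "target_pid": 5555,
     "source_image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "target_image": r"C:\Windows\System32\cmd.exe"},
    # Benign: user opens a shell from Explorer; no injection follows.
    {"id": 1, "time": "2018-02-08T10:02:00", "pid": 6000, "ppid": 4000,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    # Benign: another browser spawns cmd.exe, but the remote thread comes from
    # an unrelated process (e.g. an endpoint agent), not from the parent.
    {"id": 1, "time": "2018-02-08T10:03:00", "pid": 7001, "ppid": 7000,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"id": 8, "time": "2018-02-08T10:03:02", "source_pid": 9000, "target_pid": 7001,
     "source_image": r"C:\Program Files\Agent\agent.exe",
     "target_image": r"C:\Windows\System32\cmd.exe"},
]


if __name__ == "__main__":
    for chain in find_injection_chains(SAMPLE_EVENTS):
        print("ALERT Flash host {host_image} (pid {host_pid}) spawned cmd.exe "
              "(pid {cmd_pid}) at {spawn_time} and injected into it at "
              "{inject_time}".format(**chain))
```

The two benign cases show why the rule requires the injecting process to be the parent that spawned cmd.exe: a browser launching a shell, or a remote thread from an unrelated process, is each noisy on its own, but the parent-spawns-then-injects pairing within a short window is specific to this kind of staged payload.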

Indicators of Compromise

Type   Value                               First Seen   Last Seen
HASH   533ac371b995230540509c809e6fbdc…    2018-02-08   2018-02-08
HASH   53fa83d02cc60765a75abd0921f5084…    2018-02-08   2018-02-08
