South Korea identifies Flash 0-day in the wild

Excel spreadsheet, ActiveX, Adobe Flash -- this exploit is a blast from the past with one of everything.

Late last week, South Korea's CERT identified a use-after-free exploit that impacted Adobe Flash versions 28.0.0.137 and earlier and could allow for remote code execution across Windows, macOS, Linux, and Chrome OS.

Adobe said in a security bulletin it would fix the vulnerability in a release planned for this week.

"Adobe is aware of a report that an exploit for CVE-2018-4878 exists in the wild, and is being used in limited, targeted attacks against Windows users," the Flash maker said. "These attacks leverage Office documents with embedded malicious Flash content distributed via email.

"Successful exploitation could potentially allow an attacker to take control of the affected system."

Researchers at Cisco Talos said the payload downloaded by the Excel sheet was ROKRAT, and pinned the attack on Group 123.
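A defender-side triage check for the delivery vector described above, as an added Python example that is not code from the article, Adobe, Talos or FireEye: it flags an OOXML document whose ActiveX parts reference the Shockwave Flash control CLSID, or whose members start with an SWF magic value. The sample workbook is constructed in memory, and the layout of its activeX part is an assumption.

```python
import io
import re
import zipfile

# CLSID of the Shockwave Flash ActiveX control (a public value); using it as a
# triage indicator for embedded Flash in Office files is this example's choice.
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
_CLSID_RE = re.compile(re.escape(FLASH_CLSID), re.IGNORECASE)
# Magic bytes of uncompressed, zlib-compressed and LZMA-compressed SWF files.
_SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")


def find_flash_indicators(ooxml_bytes: bytes) -> dict:
    """Return indicators of embedded Flash in an OOXML (xlsx/docx/pptx) container:
    ActiveX parts that reference the Flash CLSID, and members that begin with an
    SWF magic value. Input that is not a zip container yields empty lists."""
    hits = {"flash_activex_parts": [], "swf_members": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(ooxml_bytes))
    except zipfile.BadZipFile:
        return hits
    with zf:
        for name in zf.namelist():
            data = zf.read(name)
            # latin-1 decoding never fails, so binary parts are searched safely
            if "/activex/" in name.lower() and _CLSID_RE.search(data.decode("latin-1")):
                hits["flash_activex_parts"].append(name)
            if data[:3] in _SWF_MAGIC:
                hits["swf_members"].append(name)
    return hits


def is_suspicious(ooxml_bytes: bytes) -> bool:
    hits = find_flash_indicators(ooxml_bytes)
    return bool(hits["flash_activex_parts"] or hits["swf_members"])


def build_sample(with_flash: bool) -> bytes:
    """Constructed minimal workbook container for demonstration only; the
    activeX part names and XML shape are assumptions, not a real Excel output."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_flash:
            zf.writestr("xl/activeX/activeX1.xml",
                        '<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
                        'ax:classid="{%s}"/>' % FLASH_CLSID)
            zf.writestr("xl/activeX/activeX1.bin", b"CWS\x0a" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    print(find_flash_indicators(build_sample(True)))
```

A hit on either indicator is a reason to route the attachment to sandbox analysis rather than proof of exploitation, since legitimate documents could also embed Flash.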

"Group 123 have now joined some of the criminal elite with this latest payload of ROKRAT. They have used an Adobe Flash 0 day which was outside of their previous capabilities -- they did use exploits in previous campaigns but never a net new exploit as they have done now," Talos researchers Warren Mercer and Paul Rascagneres wrote.

"Whilst Talos do not have any victim information related to this campaign we suspect the victim has been a very specific and high-value target. Utilizing a brand new exploit, previously not seen in the wild, displays they were very determined to ensure their attack worked."

FireEye, which tracks the group as TEMP.Reaper, said it is suspected to be North Korean.

"We have observed TEMP.Reaper operators directly interacting with their command and control infrastructure from IP addresses assigned to the STAR-KP network in Pyongyang," it said.

"Historically, the majority of their targeting has been focused on the South Korean government, military, and defense industrial base."

While Adobe suggests administrators could use Protected View for Office and click-to-play behaviour for Flash, FireEye said it is likely other criminal and state actors will exploit the vulnerability until it is patched.

In July last year, Adobe said it would end-of-life Flash at the end of 2020, with Microsoft saying it would entirely remove Flash support from Windows on the same timeline.
