An Adobe Flash vulnerability that was fixed this week is being exploited in targeted drive-by downloads and spear phishing attacks.
Researchers at the all-volunteer Shadowserver Foundation first learned of the exploits on June 9, five days before Adobe issued a patch for the flaw.
"Virtually out of nowhere this just popped up," Shadowserver researcher Steven Adair said. "It has rapidly seemed to have made its way around."
The exploit has been embedded on a number of legitimate websites, including ones belonging to a Korean news outlet, a Taiwanese university, an Indian government agency, aerospace companies and various "non-government organisations" Adair said.
Users can be infected simply by visiting one of these compromised sites if they are running an out-of-date version of Flash in concert with a Windows machine.
The exploit also is spreading via spear phishing emails that contain lures attempting to persuade recipients to click on a malicious link that leads to a hacker-owned website hosting the exploit, Adair said.
The US-Taiwan Business Council, which helps develop trade relationships between the two countries, is just one organization that has received the socially engineered messages.
Because the attackers spreading this exploit seem to be picking on specific targets and are using customized payloads that are difficult to detect, they don't appear to be indiscriminate criminals, Adair said.
"It's looking more like APT (advanced persistent threat) activity," he said. "It doesn't look like they are mass blasting.
Adair said Flash attacks have been quite prevalent in recent months.
"What makes [this exploit] especially bad is it doesn't result in any crash," he said. "It all happens in the background. You can go about your business without seeing it happen."
An Adobe spokeswoman said the company is aware of the attacks underway.
"The only information we can provide is that there are reports that this vulnerability is being exploited in the wild in targeted attacks via malicious web pages," the company said. "We cannot disclose any specific information about customers targeted."