​Russian-based RomCom cybercrime group chained two zero-day vulnerabilities in recent attacks targeting Firefox and Tor Browser users across Europe and North America.

The first flaw (CVE-2024-9680) is a use-after-free bug in Firefox's animation timeline feature that allows code execution in the web browser's sandbox. Mozilla patched this vulnerability on October 9, 2024, one day after ESET reported it.

The second zero-day exploited in this campaign is a privilege escalation flaw (CVE-2024-49039) in the Windows Task Scheduler service, allowing attackers to execute code outside the Firefox sandbox. Microsoft addressed this security vulnerability earlier this month, on November 12.

RomCom abused the two vulnerabilities as a zero-day chain exploit, which helped them gain remote code execution without requiring user interaction. Their targets only had to visit an attacker-controlled and maliciously crafted website that downloaded and executed the RomCom backdoor on their system.

Based on the name of one o…