1 malware familyExploits CVEs in the wild

SPIVY

Also known asSPIVY

SPIVY is a threat cluster label used for spear-phishing activity observed in March and April 2016 targeting organizations in Hong Kong. The activity used emails carrying exploits for CVE-2015-2545, a Microsoft Office EPS parsing vulnerability, and employed a new variant of PoisonIvy, from which the name SPIVY is derived. Based on the provided content, SPIVY is associated with targeted email delivery and PoisonIvy malware use. No additional high-confidence attribution, nation-state linkage, sub-groups, or alternate aliases beyond "spivy" are directly provided in the source content.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen

Poison IvyIn March and April 2016, a series of emails laced with an exploit for CVE-2015-2545 were detected... they used a new variant of a widely available backdoor known as PoisonIvy (from which the name of the group, SPIVY, is derived).1Mar 18, 2026

WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2015-2545Microsoft Office Malformed EPS File VulnerabilityIn the wildEvidence1

CVE-2015-2545 is a vulnerability discovered in 2015 and corrected with Microsoft’s update MS15-099... enables an attacker to execute arbitrary code using a specially crafted EPS image file... exploited in the wild in August 2015... used in targeted attack by the Platinum group.

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

securelistNews

May 25, 2016

CVE-2015-2545: overview of current threats

Cluster defined by use of a PoisonIvy RAT variant delivered via spear-phishing emails exploiting CVE-2015-2545, assessed to target Hong Kong organizations.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.