Mallory
Severity: High · Public exploit

DLL Hijacking in Yandex Browser for Desktop

Identifiers: CVE-2024-6473 · CWE-426 (Untrusted Search Path)

CVE-2024-6473 is a DLL hijacking vulnerability in Yandex Browser for Desktop before version 24.7.1.380. The product uses an untrusted search path when loading DLLs, so a malicious library can be loaded in place of the intended legitimate one. The source material states that the issue was exploited by replacing a legitimate DLL such as Wldp.dll, and separately references related tradecraft in which winsta.dll was replaced as part of a DLL hijacking chain. In practical terms, if an attacker can place a crafted DLL in a location that is searched before the trusted system path, starting the browser or a related launched component causes the attacker-controlled DLL to be loaded and executed in the security context of the affected process.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in arbitrary code execution in the security context of the user running Yandex Browser or the affected process. This enables malware delivery and loader execution, and can be used to establish persistence, deploy backdoors, and continue post-compromise activity. The supporting content links this vulnerability to real-world intrusion activity targeting Russian organizations, where DLL hijacking was used as part of a malware deployment chain.

Mitigation

If you can’t patch tonight, do this now.

Until patching is completed, restrict write access to directories from which Yandex Browser or related components may load DLLs, monitor for unexpected DLLs placed alongside executables, and use application control or EDR detections to block suspicious DLL side-loading behavior. Additional defensive measures include hardening user-writable paths, monitoring for anomalous child process execution from the browser, and investigating unexpected loads of libraries such as Wldp.dll from non-standard locations.

Remediation

Patch, then assume compromise.

Upgrade Yandex Browser for Desktop to version 24.7.1.380 or later; all earlier versions are described as affected. Confirm that the application no longer loads DLLs from untrusted search paths. Where possible, review vendor guidance for the fixed release and validate that only trusted, fully qualified DLL load paths are used in the environment.

PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

Valid: 1 / 1 total

CVE-2024-6473-PoC · Maturity: PoC · Verified exploit

This repository is a proof-of-concept (PoC) exploit for CVE-2024-6473, a DLL hijacking vulnerability in Yandex Browser for Desktop (before version 24.7.1.380). The exploit consists of a Visual Studio C++ project that builds a DLL. When this DLL is placed in the Yandex Browser application directory (%LOCALAPPDATA%\Yandex\YandexBrowser\Application) and the browser is started, the browser loads the DLL due to an untrusted search path. The DLL's entry point (DllMain) executes a payload that spawns a command prompt (cmd.exe) and then terminates the process, demonstrating arbitrary code execution. The repository includes build files, a module definition file exporting several functions as stubs, and a README with detailed usage instructions and references. The attack vector is local, requiring the attacker to place the DLL on the victim's machine. No network endpoints are involved, but the exploit is fingerprintable by the required file paths and the use of cmd.exe.

Author: 12345qwert123456 · Disclosed Nov 2, 2024 · Language: C++ · Attack vector: local

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product        | Type
-------|----------------|------------
Yandex | Yandex Browser | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
