Analyzing custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials
released on 2024-04-23 @ 04:53:00 PM
Microsoft Threat Intelligence analyzed a custom tool called GooseEgg used by the Russia-based threat actor Forest Blizzard (STRONTIUM) to exploit the CVE-2022-38028 vulnerability in the Windows Print Spooler service. The tool modifies a JavaScript constraints file and executes it with SYSTEM-level permissions, which allows the threat actor to spawn other applications with elevated privileges and carry out further malicious activity. Microsoft observed Forest Blizzard using GooseEgg in post-compromise activity against government, non-governmental, education, and transportation sector organizations in multiple regions since at least June 2020.