EIP-2026-118380

PRE-CVE

Comodo AntiVirus - Forwards Emulated API Calls to the Real API During Scans

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-118380. PoCs published by Google Security Research.

AI-analyzed exploit summary: This exploit leverages Comodo Antivirus's x86 emulator shims to exfiltrate keystrokes and interact with system APIs (e.g., GetKeyState, SetCurrentDirectoryA) by embedding malicious DLLs in a ZIP archive. The emulator runs as NT AUTHORITY\SYSTEM, allowing arbitrary API calls to be passed through.

Description

Comodo AntiVirus - Forwards Emulated API Calls to the Real API During Scans

Exploits (1)

Source: exploit-db · Working PoC · Verified
by Google Security Research · text · remote · windows
https://www.exploit-db.com/exploits/39599


Classification
Working PoC: 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Comodo Antivirus (version unspecified)
Authentication: No auth needed
Prerequisites: Victim must scan a malicious ZIP file containing the DLL · Attacker must host a WebDAV server to receive exfiltrated data
Analyzed by devstral-2 on Feb 16, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026