Mallory
Malware · Exploits 1 CVE

Belmoo

Belmoo is malware documented as exploiting CVE-2010-3765 in the wild in October 2010. The vulnerability is a memory corruption flaw in Mozilla Firefox 3.5.x through 3.5.14 and 3.6.x through 3.6.11, and also affects Thunderbird 3.x and SeaMonkey 2.0.x. It is reachable only when JavaScript is enabled: DOM manipulation through the appendChild method drives nsCSSFrameConstructor::ContentAppended, which tracks the insertion index incorrectly and creates multiple frames for the appended content, corrupting memory and allowing remote code execution in the browser process. Mozilla fixed it in Firefox 3.5.15 and 3.6.12 (MFSA 2010-73). The name “Belmoo” comes from the CVE record itself, which notes in-the-wild exploitation by that malware; the available sources do not describe Belmoo’s broader functionality, delivery mechanism, persistence, command-and-control, targets, associated threat actor, or industry focus beyond its use of this browser exploit. The only high-confidence association is that Belmoo was observed exploiting this Firefox memory corruption vulnerability in the wild in October 2010.
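To turn the affected-version ranges above into a concrete check, here is an added example (not code from the Mallory page or from any vendor) that triages access-log or proxy-log User-Agent strings for Gecko builds that predate the fix. The first-fixed versions it uses (Firefox 3.5.15 and 3.6.12, Thunderbird 3.0.10 and 3.1.6, SeaMonkey 2.0.10) are taken from Mozilla’s advisory for this bug, MFSA 2010-73, not from this page, and the log lines are constructed. A User-Agent is client-supplied and easily spoofed, so a hit is a triage lead, not proof of compromise.

```python
import re

# First fixed release on each affected branch for CVE-2010-3765 (MFSA 2010-73).
# Assumption: these numbers come from Mozilla's advisory, not from the Mallory
# page, which only gives the affected ranges (3.5.x-3.5.14, 3.6.x-3.6.11,
# Thunderbird 3.x, SeaMonkey). Entry format: (branch prefix, first fixed version).
FIXED_IN = {
    "Firefox": [((3, 5), (3, 5, 15)), ((3, 6), (3, 6, 12))],
    "Thunderbird": [((3, 0), (3, 0, 10)), ((3, 1), (3, 1, 6))],
    "SeaMonkey": [((2, 0), (2, 0, 10))],
}

# Gecko products end their User-Agent string with "<Product>/<version>".
UA_RE = re.compile(r"\b(Firefox|Thunderbird|SeaMonkey)/(\d+(?:\.\d+)*)")


def parse_version(text):
    """Turn '3.6.11' into (3, 6, 11) so tuple comparison orders releases
    correctly (a plain string compare would rank '3.6.9' above '3.6.12')."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(product, version):
    """True if product/version sits on an affected branch and predates the fix.
    Branches not listed (e.g. the Firefox 4 betas) are treated as out of scope."""
    v = parse_version(version)
    for branch, fixed in FIXED_IN.get(product, []):
        if v[: len(branch)] == branch:
            return v < fixed
    return False


def triage(log_lines):
    """Scan Combined Log Format lines and return (client_ip, product, version)
    for every request made by a vulnerable Gecko build."""
    hits = []
    for line in log_lines:
        match = UA_RE.search(line)
        if not match:
            continue
        product, version = match.groups()
        if is_vulnerable(product, version):
            hits.append((line.split(" ", 1)[0], product, version))
    return hits


# Constructed sample log lines (not real traffic): a vulnerable and a fixed build
# per product, plus a Firefox 4 beta that is outside the affected ranges.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Oct/2010:09:14:02 +0000] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.11) Gecko/20101012 Firefox/3.6.11"',
    '10.0.0.6 - - [26/Oct/2010:09:15:40 +0000] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12"',
    '10.0.0.7 - - [26/Oct/2010:09:16:11 +0000] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.14) Gecko/20101012 Firefox/3.5.14"',
    '10.0.0.8 - - [26/Oct/2010:09:17:05 +0000] "GET /feed HTTP/1.1" 200 880 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.11) Gecko/20101012 Thunderbird/3.1.5"',
    '10.0.0.9 - - [26/Oct/2010:09:18:30 +0000] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:2.0b7) Gecko/20100101 Firefox/4.0b7"',
    '10.0.0.10 - - [26/Oct/2010:09:19:12 +0000] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.14) Gecko/20101026 SeaMonkey/2.0.10"',
]

if __name__ == "__main__":
    for ip, product, version in triage(SAMPLE_LOG):
        print(f"{ip}\t{product} {version}\tvulnerable to CVE-2010-3765")
```

Because the flaw needs JavaScript to reach the appendChild path, the useful follow-up for a hit is to check whether that client fetched pages or scripts from the site serving the exploit, rather than acting on the User-Agent alone.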


EXPLOITED CVES

Vulnerabilities exploited

One CVE has been correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2010-3765: Remote code execution in Mozilla nsCSSFrameConstructor::ContentAppended (exploited in the wild)

Memory corruption flaw in Mozilla Firefox (3.5.x–3.5.14, 3.6.x–3.6.11), Thunderbird (3.x), and SeaMonkey. Exploitable via JavaScript... Exploited in the wild by the “Belmoo” malware.

via cyberthrone (thecyberthrone.in)
MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Execution

1 technique
T1203 Exploitation for Client Execution (evidence: 1)

"Exploitable via JavaScript, allowing remote attackers to execute arbitrary code..."; "...exploitable via malicious web pages"; "...via malicious font files in documents or web pages."

Only the first two snippets match the CVE-2010-3765 vector (JavaScript driving the appendChild/ContentAppended path); the malicious-font-file wording does not describe this flaw and should not be read as a second delivery vector for Belmoo.

