Recently, 360 Core Security Division’s Advanced Threat Response Team has also discovered the use of several vbscript vulnerabilities in the wild. These include CVE-2016-0189, CVE-2018-8373 and another previously unknown vulnerability (we have not yet determined its cve number). These three vulnerabilities, plus the CVE-2018-8174 we discovered in April this year, a total of four vbscript in the wild. After analysis, we found that the confusion and utilization of these four files are highly consistent. We suspect that there is a writer (or team) behind it, and have been exploiting the 0day exploit of vbscript and used it for attack.