The use of zero-day exploits is strongly characteristic of APT campaigns; we saw this scenario repeating over and over again in the last 5 years. As a result, examining data related to zero-day or recently patched vulnerabilities offers an opportunity to identify those campaigns. In March 2014, Microsoft announced that a vulnerability in Microsoft Word later identified as CVE-2014-1761 was being exploited in the wild. We collected and analyzed exploit files and their associated payload during the time window when it was still unpatched and the details of the vulnerability were not yet publicly available. This revealed the presence of APT campaigns which have been under the spotlight in the last years: MiniDuke and Ixeshe. In this paper, we will first look at the various exploit documents for CVE-2014-1761. The authors will focus on the implementation details including ROP code, tricks to bypass security software as well as highlight some interesting similarities and differences in the exploits structure. Then we will look at the recent targets of these campaigns based on telemetry data and sinkholing efforts, respectively European government and civil society organizations in the case of MiniDuke and Taiwanese government and universities for Ixeshe. Finally we will examine the evolution of the malware components since their last recorded activity, focusing on their respective methods to evade detection and C&C communication mechanisms as well as provide indicators of compromise (IOC) to help with the identification and remediation of those threats.