WARNING – Do Not Feed the Bears

Presented at Bsidesljubljana 2017 by

As a member of .HR GovCERT, we are involved in all major government-related incidents, including state-sponsored APT attacks. In this talk I would like to present the technical analysis of one recent APT incident. During the incident analysis, we encountered two different (though connected) campaigns against government users, where several 0-day exploits (Word+Flash) were used. As in the majority of incidents (even state-sponsored ones) typical "phishing" attack vectors are used (e.g. Word macros or malicious attachments), we were quite astonished to get our hands on such malicious samples for analysis. As the analysis has been a unique experience, I believe that the audience will have a chance to learn a thing or two from the presented material.

P.S. I'll try to obfuscate the non-technical details as much as possible because of the sensitivity of the incident.