Tag: exploit

23 Attack Reports | 0 Vulnerabilities

Attack reports

The Mystery OAST Host Behind a Regionally Focused Exploit Operation

A long-running, attacker-operated OAST service on Google Cloud has been observed driving a focused exploit operation. The actor combines stock Nuclei templates with custom payloads to expand their reach. All observed activity targeted canaries deployed in Brazil, indicating a deliberate regional fo…
exploit
brazil
google cloud
CVE-2025-4428
CVE-2025-2611
2025-11-28
oast
fastjson
regional targeting
nuclei
scanning infrastructure
Published: November 28, 2025
Linked vulnerabilities : CVE-2025-4428, CVE-2025-2611 (CVSS 9.3)
Downloadable IOCs: 9

RondoDox v2: Evolution of RondoDox Botnet with 650% More Exploits

The RondoDox botnet has undergone a significant evolution, expanding its capabilities and target range. This new variant, RondoDox v2, demonstrates a 650% increase in exploitation vectors, moving beyond niche DVR targeting to include enterprise applications. Key features include over 75 exploitatio…
obfuscation
exploit
persistence
ddos
iot
botnet
CVE-2015-2051
enterprise
CVE-2018-10561
CVE-2021-41773
CVE-2024-7029
CVE-2024-10914
CVE-2023-1389
CVE-2017-18368
CVE-2024-12856
CVE-2024-12847
CVE-2025-22905
CVE-2023-26801
CVE-2023-52163
CVE-2025-1829
CVE-2025-4008
CVE-2025-5504
CVE-2024-3721
CVE-2025-34037
rondodox
CVE-2022-44149
2025-11-10
CVE-2019-16920
CVE-2025-7414
CVE-2023-47565
CVE-2016-6277
CVE-2022-37129
CVE-2022-36553
CVE-2014-1635
CVE-2018-11714
CVE-2017-18369
CVE-2020-10987
multi-architecture
CVE-2021-42013
CVE-2023-25280
command-injection
CVE-2023-51833
CVE-2014-6271
CVE-2020-27867
CVE-2020-25506
Published: November 10, 2025
Linked vulnerabilities : CVE-2024-7029 (CVSS 8.8), CVE-2024-10914 (CVSS 8.1), CVE-2024-12856 (CVSS 7.2), CVE-2024-12847 (CVSS 9.8), CVE-2025-22905 (CVSS 9.8), CVE-2023-52163 (CVSS 5.9), CVE-2025-1829 (CVSS 6.3), CVE-2015-2051, CVE-2021-41773, CVE-2017-10271, CVE-2018-10561, CVE-2023-1389, CVE-2017-18368, CVE-2025-4008 (CVSS 9.4), CVE-2025-5504 (CVSS 5.3), CVE-2024-3721, CVE-2025-34037 (CVSS 10.0), CVE-2022-44149, CVE-2022-37129, CVE-2022-36553, CVE-2020-27867, CVE-2018-11714, CVE-2017-18369, CVE-2014-1635, CVE-2025-7414, CVE-2020-25506, CVE-2020-10987, CVE-2023-47565, CVE-2023-25280, CVE-2021-42013, CVE-2014-6271, CVE-2019-16920, CVE-2016-6277, CVE-2023-26801, CVE-2023-51833
Downloadable IOCs: 20

Blog Anatomy of a Hacktivist Attack: Russian-Aligned Group Targets OT/ICS

Forescout honeypot caught hacktivist activity targeting a decoy water treatment plant in Sept. 2025. A Russian-aligned group, TwoNet, claimed responsibility for the attack. The group logged into the human-machine interface (HMI) for: defacement, process disruption, manipulation, and evasion.
exploit
ransomware
russian
raas
hacktivist
defacement
2025-10-10
twonet
human-machine interface
overflame
modbus
megamedusa
Published: October 10, 2025
Downloadable IOCs: 10

Attackers Actively Exploiting Critical Vulnerability in Service Finder Bookings Plugin

On June 8th, 2025, we received a submission through our Bug Bounty Program for an Authentication Bypass vulnerability in Service Finder Bookings, a WordPress plugin bundled with the Service Finder theme. This theme has been sold to approximately 6,000 customers. This vulnerability makes it possible…
exploit
vulnerability
wordpress
authentication bypass
2025-10-09
wordfence
service finder bookings
service finder
Published: October 9, 2025
Downloadable IOCs: 5

CVE-2025-31324: Critical SAP Vulnerability & How to Protect Your Enterprise

A critical remote code execution vulnerability (CVE-2025-31324) affects SAP NetWeaver Development Server, allowing attackers to upload malicious files through the metadatauploader endpoint. This vulnerability enables unauthenticated remote code execution, potentially leading to enterprise network c…
exploit
vulnerability
remote code execution
auto-color
CVE-2025-31324
2025-09-10
netweaver
metadatauploader
sap
Published: September 10, 2025
Downloadable IOCs: 4

Dissecting RapperBot Botnet: From Infection to DDoS & More

This report details the analysis of RapperBot, a sophisticated botnet targeting IoT devices, particularly Network Video Recorders (NVRs). The malware exploits vulnerabilities in these devices to create a large-scale DDoS infrastructure. The analysis covers the botnet's infection process, command an…
exploit
dns
encryption
ddos
iot
botnet
infrastructure
2025-09-03
nvr
rapperbot
Published: September 3, 2025
Downloadable IOCs: 84

CVE-2017-11882 Will Never Die

The report discusses the persistent exploitation of CVE-2017-11882, a remote code execution vulnerability affecting Microsoft Office's Equation Editor. Despite being an old vulnerability, it continues to be used by attackers to spread modern malware. The analysis focuses on a malicious Excel file t…
obfuscation
exploit
CVE-2017-11882
keylogger
microsoft office
vipkeylogger
2025-08-13
equation editor
Published: August 13, 2025
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 6

Update WinRAR tools now: RomCom and others exploiting zero-day vulnerability

A zero-day vulnerability in WinRAR, CVE-2025-8088, has been discovered being exploited in the wild by the Russia-aligned group RomCom. The vulnerability allows attackers to hide malicious files in archives, which are silently deployed when extracted. The exploit was used in spearphishing campaigns …
backdoor
exploit
spearphishing
vulnerability
zero-day
mythic
winrar
snipbot
rustyclaw
russia-aligned
2025-08-11
CVE-2025-8088
Published: August 11, 2025
Linked vulnerabilities : CVE-2023-36884, CVE-2025-8088
Downloadable IOCs: 9

Keys to the Kingdom: Erlang/OTP SSH Vulnerability Analysis and Exploits Observed in the Wild

A critical vulnerability (CVE-2025-32433) in Erlang/OTP's SSH daemon allows unauthenticated remote code execution, affecting critical infrastructure and operational technology networks. With a CVSS score of 10.0, it enables command execution by sending SSH connection protocol messages to open ports…
exploit
vulnerability
ssh
remote code execution
critical infrastructure
CVE-2025-32433
2025-08-11
erlang/otp
operational technology
Published: August 11, 2025
Linked vulnerabilities : CVE-2025-32433 (CVSS 10.0)
Downloadable IOCs: 2

Large-scale exploitation of new SharePoint RCE vulnerability chain identified

A new SharePoint remote code execution vulnerability chain, later named CVE-2025-53770 and CVE-2025-53771 by Microsoft, was discovered being exploited in the wild. The exploitation affected on-premise SharePoint Servers globally, with dozens of systems compromised during two attack waves on July 18…
exploit
vulnerability
sharepoint
rce
CVE-2025-53770
CVE-2025-53771
2025-07-21
on-premise
Published: July 21, 2025
Linked vulnerabilities : CVE-2025-53770 (CVSS 9.8), CVE-2025-53771 (CVSS 7.1)
Downloadable IOCs: 4

Toolshell: Large-scale exploitation of new SharePoint RCE vulnerability chain identified

This pulse highlights an ongoing mass exploitation campaign targeting on-premises Microsoft SharePoint servers using a newly disclosed remote code execution (RCE) chain dubbed ToolShell. Discovered on July 18, 2025, by Eye Security, the attack chain is now tracked as CVE-2025-53770 and CVE-2025-537…
exploit
vulnerability
webshell
sharepoint
rce
CVE-2025-53770
CVE-2025-53771
2025-07-21
on-premise
toolshell
Published: July 21, 2025
Downloadable IOCs: 0

Apache Under the Lens: Tomcat's Partial PUT and Camel's Header Hijack

In March 2025, Apache disclosed three critical vulnerabilities: CVE-2025-24813 in Apache Tomcat and CVE-2025-27636 and CVE-2025-29891 in Apache Camel. These flaws allow remote code execution, affecting millions of developers. The Tomcat vulnerability exploits partial PUT requests and session persis…
exploit
vulnerability
apache
remote code execution
CVE-2025-27636
CVE-2025-24813
CVE-2025-29891
2025-07-03
tomcat
Published: July 3, 2025
Linked vulnerabilities : CVE-2024-1182 (CVSS 7.0), CVE-2024-7587 (CVSS 7.8), CVE-2024-0012 (CVSS 9.8), CVE-2024-9474 (CVSS 7.2), CVE-2024-8299 (CVSS 7.8), CVE-2025-0282 (CVSS 9.0), CVE-2025-0283 (CVSS 7.0), CVE-2024-53870 (CVSS 3.3), CVE-2025-27636 (CVSS 5.6), CVE-2025-24813 (CVSS 9.8), CVE-2025-29891 (CVSS 4.2), CVE-2025-31324 (CVSS 10.0)
Downloadable IOCs: 23

Windows Shortcut (LNK) Malware Strategies

This article provides an in-depth analysis of Windows shortcut (LNK) file malware, based on the examination of 30,000 recent samples. The research reveals four main categories of LNK malware: exploit execution, file on disk execution, in-argument scripts execution, and overlay execution. Each techn…
exploit
windows
lnk files
shortcut
2025-07-02
execution techniques
Published: July 2, 2025
Linked vulnerabilities : CVE-2023-36884, CVE-2010-2568
Downloadable IOCs: 12

Critical Langflow Vulnerability (CVE-2025-3248) Actively Exploited to Deliver Flodrix Botnet

An active campaign is exploiting CVE-2025-3248, a critical vulnerability in Langflow versions before 1.3.0, to deliver the Flodrix botnet. Attackers use the flaw to execute downloader scripts on compromised servers, which then fetch and install the Flodrix malware. The vulnerability allows full sys…
exploit
ddos
botnet
rce
CVE-2025-3248
2025-06-18
flodrix
langflow
Published: June 18, 2025
Downloadable IOCs: 41

Negative Exposure: Edimax Network Cameras Used to Spread Mirai

The Akamai Security Intelligence and Response Team (SIRT) has identified a critical command injection vulnerability, CVE-2025-1316, in Edimax IC-7100 IP cameras. This flaw allows attackers to execute arbitrary commands remotely, leading to the integration of these devices into Mirai-based botnets. …
malware
exploit
botnet
mirai
sha256
2025-03-17
sha256 hash
Published: March 17, 2025
Downloadable IOCs: 28

Mirai Bot now incorporating (malformed?) DrayTek Vigor Router Exploits

A report details the incorporation of exploits targeting DrayTek Vigor routers into the Mirai botnet. Previously disclosed vulnerabilities affecting approximately 700,000 devices are being exploited, with attacks focusing on the 'keyPath' and 'cvmcfgupload' parameters. A curious spike in malformed …
exploit
vulnerability
iot
botnet
router
mirai
firmware
2025-03-17
vigor
draytek
Published: March 17, 2025
Downloadable IOCs: 3

Not-so-SimpleHelp exploits enabling deployment of Sliver backdoor

A sophisticated breach was identified where threat actors exploited vulnerabilities in SimpleHelp's Remote Monitoring and Management client to infiltrate a network. The attack involved post-compromise tactics including network discovery, administrator account creation, and persistence establishment…
backdoor
exploit
rmm
sliver
lateral movement
akira
cloudflared
2025-02-07
simplehelp
Published: February 7, 2025
Downloadable IOCs: 6

Lazarus APT steals cryptocurrency and user data via a decoy MOBA game

Lazarus APT launched a sophisticated attack campaign using a decoy MOBA game website to exploit a zero-day vulnerability in Google Chrome. The exploit allowed remote code execution and bypassed the V8 sandbox. The attackers used social engineering tactics on social media to promote the fake game, w…
apt
exploit
social engineering
cryptocurrency
zero-day
CVE-2024-4947
2024-10-23
google chrome
manuscrypt
game
v8 sandbox
Published: October 23, 2024
Linked vulnerabilities : CVE-2024-4947
Downloadable IOCs: 2

Cursed tapes: Exploiting the EvilVideo vulnerability on Telegram for Android

ESET researchers discovered a vulnerability named EvilVideo that allows attackers to share malicious Android payloads disguised as video files through Telegram for Android. The exploit makes the malicious files appear as multimedia content, tricking users into installing malware. The vulnerability …
malware
exploit
android
vulnerability
telegram
2024-07-23
android/spy.spymax.t
Published: July 23, 2024
Downloadable IOCs: 1

Attack Case against HFS (HTTP File Server) Server (Suspected CVE-2024-23692)

A remote code execution vulnerability (CVE-2024-23692) in the HFS (HTTP File Server) program has allowed attackers to execute malicious commands on vulnerable systems. Various attack cases exploiting this vulnerability have been observed, leading to the installation of malware such as coin miners, …
backdoor
exploit
rat
xmrig
vulnerability
plugx
gh0strat
CVE-2024-23692
cobaltstrike
korplug
destroyrat
xenorat
2024-07-03
gothief
Published: July 3, 2024
Linked vulnerabilities : CVE-2024-23692 (CVSS 9.8)
Downloadable IOCs: 14

Update: CVE-2024-4577 quickly weaponized to distribute Ransomware

The report describes an attack campaign leveraging the CVE-2024-4577 vulnerability to deliver the "TellYouThePass" ransomware. The attackers use the vulnerability to execute arbitrary PHP code and run a malicious HTML application that loads a .NET variant of the ransomware into memory. Upon executi…
exploit
ransomware
encryption
CVE-2024-4577
2024-06-11
tellyouthepass
infection
Published: June 11, 2024
Linked vulnerabilities : CVE-2024-4577 (CVSS 9.8), CVE-2021-44228, CVE-2024-3577, CVE-2023-22524, CVE-2023-46604
Downloadable IOCs: 5

LightSpy: Implant for macOS

A technical analysis reveals details about LightSpy, a sophisticated surveillance framework that targeted macOS devices using publicly available exploits. The report provides insights into the threat actor's tactics, including exploiting vulnerabilities to deliver implants, exfiltrating private dat…
lightspy
exploit
macos
2024-05-30
Published: May 30, 2024
Linked vulnerabilities : CVE-2018-4404, CVE-2018-4233
Downloadable IOCs: 43

Leveraging DNS Tunneling for Tracking and Scanning

This article presents a case study on new applications of domain name system (DNS) tunneling PaloAlto Unit42 have found in the wild. These techniques expand beyond DNS tunneling only for command and control (C2) and virtual private network (VPN) purposes.
exploit
cobalt strike
dns query
trojan
2024-05-08
oilrig
dns tunneling
dns traffic
trkcdn campaign
alliance
attack
2024-05-09
2024-05-10
2024-05-13
Published: May 13, 2024
Downloadable IOCs: 63
Click here to see more Attack Reports