Tag: post-exploitation

13 Attack Reports | 0 Vulnerabilities

Attack reports

PeerBlight Linux Backdoor Exploits React2Shell CVE-2025-55182

A critical vulnerability in React Server Components (CVE-2025-55182) is being exploited across various organizations. Attackers are deploying cryptominer malware, a Linux backdoor called PeerBlight, a reverse proxy tunnel named CowTunnel, and a Go-based post-exploitation implant dubbed ZinFoq. Peer…
post-exploitation
linux backdoor
CVE-2025-55182
react2shell
2025-12-10
bittorrent dht
cowtunnel
kaiji
peerblight
zinfoq
Published: December 10, 2025
Linked vulnerabilities : CVE-2025-30406, CVE-2025-55182 (CVSS 10.0), CVE-2025-66478
Downloadable IOCs: 36

AdaptixC2: A New Open-Source Framework Leveraged in Real-World Attacks

AdaptixC2, an open-source post-exploitation and adversarial emulation framework, has been observed being used in real-world attacks. This versatile tool allows threat actors to execute commands, transfer files, and perform data exfiltration on compromised systems. Its open-source nature enables eas…
social engineering
foggyweb
data exfiltration
open-source
post-exploitation
c2 framework
tunneling
adaptixc2
2025-09-10
ai-generated scripts
adversarial emulation
Published: September 10, 2025
Downloadable IOCs: 0

Deploying NetSupport RAT via WordPress & ClickFix

A threat actor is using compromised WordPress websites to distribute a malicious version of NetSupport Manager Remote Access Tool (RAT). The attack chain involves phishing campaigns, website compromise, DOM manipulation, and a fake CAPTCHA page. The malware is delivered through a batch file that do…
phishing
wordpress
remote access
netsupport rat
post-exploitation
fake captcha
2025-07-10
dom manipulation
Published: July 10, 2025
Downloadable IOCs: 21

Exploitation of Leaked Machine Keys by Initial Access Broker

An initial access broker exploited leaked Machine Keys on ASP.NET sites to gain unauthorized access to organizations. The group, tracked as TGR-CRI-0045, targeted industries in Europe and the U.S. including finance, manufacturing, and technology. They used ASP.NET View State deserialization to exec…
in-memory execution
privilege escalation
post-exploitation
iis
initial access broker
asp.net
machine keys
2025-07-09
txportmap
updf
view state deserialization
Published: July 9, 2025
Downloadable IOCs: 21

SHOE RACK: A post-exploitation tool for remote shell access & TCP tunnelling through a victim device

SHOE RACK is a sophisticated malware developed in Go 1.18, designed for post-exploitation activities. It connects to a custom SSH server at a hardcoded C2 URL, enabling remote interaction with the victim device. The malware utilizes DNS-over-HTTPS to locate its C2 server's IP address and has been o…
fortigate
post-exploitation
shoe rack
remote shell
2025-06-26
reverse ssh
dns-over-https
tcp tunnelling
firewalls
Published: June 26, 2025
Downloadable IOCs: 3

Post-Exploitation Activities Observed from the Samsung MagicINFO 9 Server Flaw

A vulnerability in Samsung MagicINFO 9 Server, a content management system for digital signage displays, has been exploited in limited incidents. Three separate attacks were observed, with two showing organized, identical commands and one appearing to be in a research phase. The attackers attempted…
vulnerability
exploitation
reconnaissance
post-exploitation
2025-05-10
digital signage
samsung
magicinfo
service installation
Published: May 10, 2025
Downloadable IOCs: 0

Off the Beaten Path: Recent Unusual Malware

The article examines three unusual malware samples: a C++/CLI IIS backdoor enabling stealthy remote command execution, a bootkit leveraging the GRUB 2 bootloader to gain early system control and persistence, and a cross-platform post-exploitation framework developed in C++. These cases highlight ev…
backdoor
apt
post-exploitation
bootkit
2025-03-14
iis backdoor
c++/cli
projectgeass
dixie-playing bootkit
grub
2025-03-17
Published: March 17, 2025
Downloadable IOCs: 7

Tracking Pyramid C2: Identifying Post-Exploitation Servers in Hunt

Pyramid, an open-source post-exploitation framework in Python, is being used by threat actors for malicious purposes. The tool features a lightweight HTTP/S server for encrypted payload delivery, blending with legitimate Python activity. This analysis examines Pyramid's server, outlines network sig…
python
c2
ransomhub
open-source
more_eggs
post-exploitation
2025-02-13
http server
network signatures
detection
pyramid
Published: February 13, 2025
Downloadable IOCs: 0

Code injection attacks using publicly disclosed ASP.NET machine keys

An unattributed threat actor has been observed exploiting publicly disclosed ASP.NET machine keys to perform ViewState code injection attacks, delivering the Godzilla post-exploitation framework. Over 3,000 publicly disclosed keys have been identified as potentially vulnerable to this attack method…
viewstate
godzilla
post-exploitation
iis
web servers
code injection
2025-02-06
asp.net
machine keys
Published: February 6, 2025
Downloadable IOCs: 0

Chinese hackers exploit Fortinet VPN zero-day to steal credentials

Chinese threat actors, known as BrazenBamboo, are exploiting a zero-day vulnerability in Fortinet's FortiClient Windows VPN client to steal credentials. The hackers use a custom post-exploitation toolkit called DeepData, which includes a FortiClient plugin to extract usernames, passwords, and VPN s…
espionage
lightspy
zero-day
credential theft
vpn
post-exploitation
chinese hackers
2024-11-18
deeppost
deepdata
forticlient
Published: November 18, 2024
Downloadable IOCs: 0

Weaponizing FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA

A Chinese state-affiliated threat actor, BrazenBamboo, has exploited a zero-day vulnerability in Fortinet's Windows VPN client to steal user credentials. The vulnerability allows extraction of login information from the FortiClient process memory. BrazenBamboo uses two malware families: DEEPDATA, a…
lightspy
zero-day
credential theft
vpn
post-exploitation
chinese threat actor
2024-11-16
deeppost
deepdata
forticlient
Published: November 16, 2024
Downloadable IOCs: 0

SideWinder APT's post-exploitation framework analysis

SideWinder APT group has expanded its activities, targeting high-profile entities in the Middle East and Africa. The group employs a multi-stage infection chain using spear-phishing emails with malicious attachments. A new post-exploitation toolkit called 'StealerBot' has been discovered, designed …
apt
espionage
CVE-2017-11882
infrastructure
spear-phishing
post-exploitation
2024-10-15
moduleinstaller
backdoor loader module
stealerbot
rtf exploit
Published: October 15, 2024
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 158

Wreaking havoc in cyberspace: threat actors experiment with pentest tools

Recent research reveals adversaries increasingly using the Havoc post-exploitation framework to bypass cybersecurity systems. Two campaigns utilizing this framework were analyzed. The first campaign involved phishing emails with malicious archives containing ISO files and LNK files, which downloade…
loader
phishing
havoc
2024-10-08
demon
havoc framework
cybersecurity evasion
demon implant
post-exploitation
Published: October 8, 2024
Downloadable IOCs: 0
Click here to see more Attack Reports