Tag: post-exploitation

7 Attack Reports | 0 Vulnerabilities

Attack reports

Off the Beaten Path: Recent Unusual Malware

This article examines three unique malware samples discovered in the past year. The first is a passive IIS backdoor written in C++/CLI, an uncommon language for malware. It has extensive functionality and appears professionally developed, possibly for targeted attacks. The second is a bootkit that …
post-exploitation
bootkit
2025-03-14
iis backdoor
c++/cli
projectgeass
dixie-playing bootkit
grub
Published: March 14, 2025
Downloadable IOCs: 11

Tracking Pyramid C2: Identifying Post-Exploitation Servers in Hunt

Pyramid, an open-source post-exploitation framework in Python, is being used by threat actors for malicious purposes. The tool features a lightweight HTTP/S server for encrypted payload delivery, blending with legitimate Python activity. This analysis examines Pyramid's server, outlines network sig…
python
c2
ransomhub
open-source
more_eggs
post-exploitation
2025-02-13
http server
network signatures
detection
pyramid
Published: February 13, 2025
Downloadable IOCs: 0

Code injection attacks using publicly disclosed ASP.NET machine keys

An unattributed threat actor has been observed exploiting publicly disclosed ASP.NET machine keys to perform ViewState code injection attacks, delivering the Godzilla post-exploitation framework. Over 3,000 publicly disclosed keys have been identified as potentially vulnerable to this attack method…
viewstate
godzilla
post-exploitation
iis
web servers
code injection
2025-02-06
asp.net
machine keys
Published: February 6, 2025
Downloadable IOCs: 0

Chinese hackers exploit Fortinet VPN zero-day to steal credentials

Chinese threat actors, known as BrazenBamboo, are exploiting a zero-day vulnerability in Fortinet's FortiClient Windows VPN client to steal credentials. The hackers use a custom post-exploitation toolkit called DeepData, which includes a FortiClient plugin to extract usernames, passwords, and VPN s…
espionage
lightspy
zero-day
credential theft
vpn
post-exploitation
chinese hackers
2024-11-18
deeppost
deepdata
forticlient
Published: November 18, 2024
Downloadable IOCs: 0

Weaponizing FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA

A Chinese state-affiliated threat actor, BrazenBamboo, has exploited a zero-day vulnerability in Fortinet's Windows VPN client to steal user credentials. The vulnerability allows extraction of login information from the FortiClient process memory. BrazenBamboo uses two malware families: DEEPDATA, a…
lightspy
zero-day
credential theft
vpn
post-exploitation
chinese threat actor
2024-11-16
deeppost
deepdata
forticlient
Published: November 16, 2024
Downloadable IOCs: 0

SideWinder APT's post-exploitation framework analysis

SideWinder APT group has expanded its activities, targeting high-profile entities in the Middle East and Africa. The group employs a multi-stage infection chain using spear-phishing emails with malicious attachments. A new post-exploitation toolkit called 'StealerBot' has been discovered, designed …
apt
espionage
CVE-2017-11882
infrastructure
spear-phishing
post-exploitation
2024-10-15
moduleinstaller
backdoor loader module
stealerbot
rtf exploit
Published: October 15, 2024
Downloadable IOCs: 158

Wreaking havoc in cyberspace: threat actors experiment with pentest tools

Recent research reveals adversaries increasingly using the Havoc post-exploitation framework to bypass cybersecurity systems. Two campaigns utilizing this framework were analyzed. The first campaign involved phishing emails with malicious archives containing ISO files and LNK files, which downloade…
loader
phishing
havoc
2024-10-08
demon
havoc framework
cybersecurity evasion
demon implant
post-exploitation
Published: October 8, 2024
Downloadable IOCs: 0
Click here to see more Attack Reports