Tag: privilege-escalation

41 Attack Reports | 0 Vulnerabilities

Attack reports

Frontline Intelligence: Analysis of UNC1549 TTPs, Custom Tools, and Malware Targeting the Aerospace and Defense Ecosystem

UNC1549, an Iranian-linked threat group, has been targeting aerospace, aviation, and defense industries since mid-2024. They employ sophisticated initial access techniques, including exploiting third-party relationships and targeted phishing. The group uses custom malware like TWOSTROKE, LIGHTRAIL,…
espionage
phishing
defense
lateral movement
privilege escalation
aerospace
custom malware
minibike
2025-11-18
dcsyncer.slick
third-party compromise
sightgrab
trusttrap
lightrail
deeproot
crashpad
twostroke
pollblend
ghostline
Published: November 18, 2025
Downloadable IOCs: 16

Unauthenticated Remote Access via Triofox Vulnerability CVE-2025-12480

A critical vulnerability in Gladinet's Triofox file-sharing platform, CVE-2025-12480, allowed unauthenticated access to configuration pages, enabling arbitrary payload execution. Threat actor UNC6485 exploited this flaw as early as August 24, 2025, bypassing authentication and chaining it with anti…
remote access
privilege escalation
file-sharing
triofox
unauthenticated access
2025-11-10
CVE-2025-12480
anti-virus abuse
host header attack
Published: November 10, 2025
Linked vulnerabilities : CVE-2025-12480 (CVSS 9.1)
Downloadable IOCs: 7

Velociraptor leveraged in ransomware attacks

A ransomware attack involving the use of Velociraptor, an open-source digital forensics tool, has been linked to the threat actor Storm-2603. The attackers deployed Warlock, LockBit, and Babuk ransomware to encrypt virtual machines and servers. They exploited a vulnerability in an outdated version …
ransomware
windows
privilege-escalation
lockbit
data-exfiltration
babuk
vmware
warlock
2025-10-09
CVE-2025-6264
velociraptor
open-source-tools
Published: October 9, 2025
Linked vulnerabilities : CVE-2025-6264
Downloadable IOCs: 5

XiebroC2 Identified in MS-SQL Server Attack Cases

A recent attack on a poorly managed MS-SQL server involved the use of XiebroC2, an open-source C2 framework similar to CobaltStrike. The attackers exploited vulnerable credentials, installed JuicyPotato for privilege escalation, and then deployed XiebroC2 using PowerShell. XiebroC2 supports various…
coinminer
privilege escalation
brute force
c2 framework
ms-sql
dictionary attack
juicypotato
2025-10-01
xiebroc2
Published: October 1, 2025
Downloadable IOCs: 3

GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes

ESET researchers have identified a new threat actor named GhostRedirector that has compromised at least 65 Windows servers, primarily in Brazil, Thailand, and Vietnam. The actor utilizes two previously undocumented tools: a passive C++ backdoor called Rungan and a malicious Internet Information Ser…
backdoor
privilege escalation
iis module
windows servers
china-aligned
2025-09-04
zunput
comdai
seo fraud
rungan
gamshen
2025-09-08
Published: September 8, 2025
Downloadable IOCs: 24

ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690)

A critical ViewState deserialization vulnerability (CVE-2025-53690) was discovered in Sitecore products, affecting deployments using an exposed sample machine key. The attacker exploited this to achieve remote code execution, progressing from initial compromise to privilege escalation. Key events i…
viewstate
lateral movement
reconnaissance
privilege escalation
earthworm
remote code execution
sharphound
deserialization
2025-09-04
CVE-2025-53690
sitecore
dwagent
weepsteel
Published: September 4, 2025
Downloadable IOCs: 0

Tracking Updates to Raspberry Robin

Raspberry Robin, an advanced malware downloader active since 2021, has undergone significant updates. The malware now employs improved obfuscation methods, including multiple initialization loops and obfuscated stack pointers, making analysis more challenging. It has switched from AES-CTR to ChaCha…
obfuscation
evasion
privilege-escalation
encryption
downloader
CVE-2024-38196
tor
raspberry robin
roshtyak
2025-08-07
usb-spread
Published: August 7, 2025
Linked vulnerabilities : CVE-2024-38196 (CVSS 7.8)
Downloadable IOCs: 121

Raspberry Robin: Latest Updates and Improvements

Raspberry Robin, a malicious downloader active since 2021, has undergone significant updates. It now employs improved obfuscation methods, including multiple initialization loops and flattened control flow, making brute-force decryption less effective. The network encryption algorithm has shifted f…
obfuscation
privilege-escalation
usb
encryption
downloader
CVE-2024-38196
tor
raspberry robin
2025-08-05
roshtyak
Published: August 5, 2025
Linked vulnerabilities : CVE-2024-38196 (CVSS 7.8)
Downloadable IOCs: 121

Exploitation of Leaked Machine Keys by Initial Access Broker

An initial access broker exploited leaked Machine Keys on ASP.NET sites to gain unauthorized access to organizations. The group, tracked as TGR-CRI-0045, targeted industries in Europe and the U.S. including finance, manufacturing, and technology. They used ASP.NET View State deserialization to exec…
in-memory execution
privilege escalation
post-exploitation
iis
initial access broker
asp.net
machine keys
2025-07-09
txportmap
updf
view state deserialization
Published: July 9, 2025
Downloadable IOCs: 21

Decrement by one to rule them all: AsIO3.sys driver exploitation

The article details the discovery and exploitation of two critical vulnerabilities in the AsIO3.sys driver, used by ASUS Armory Crate and AI Suite applications. The vulnerabilities, a stack-based buffer overflow and an authorization bypass, were found in the IRP_MJ_CREATE handler. The author demons…
windows
vulnerability
privilege escalation
asus
driver exploitation
CVE-2025-1533
CVE-2025-3464
2025-06-26
kernel exploitation
asio3.sys
Published: June 26, 2025
Linked vulnerabilities : CVE-2025-1533 (CVSS 8.2), CVE-2025-3464 (CVSS 8.4)
Downloadable IOCs: 0

Clone, Compile, Compromise: Open-Source Malware Trap on GitHub

A newly identified threat actor, Water Curse, is exploiting GitHub to deliver weaponized repositories containing multistage malware. The group has been linked to at least 76 GitHub accounts, targeting cybersecurity professionals, game developers, and DevOps teams. Their malware enables data exfiltr…
supply chain
persistence
privilege escalation
data exfiltration
open-source
github
anti-debugging
2025-06-16
backdoor.js.dullrat
multistage malware
Published: June 16, 2025
Downloadable IOCs: 0

Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper

Anubis is a new ransomware-as-a-service (RaaS) group that combines file encryption with file destruction capabilities. Active since December 2024, it features a 'wipe mode' that permanently erases files, making recovery impossible even if ransom is paid. The group operates a flexible affiliate prog…
privilege-escalation
ransomware-as-a-service
spear-phishing
2025-06-13
file-wiping
anubis
ecies-encryption
sphinx
Published: June 13, 2025
Downloadable IOCs: 0

Case of Attacks Targeting MS-SQL Servers to Install Ammyy Admin

A series of attacks targeting poorly managed MS-SQL servers have been identified, involving the installation of Ammyy Admin, a remote control tool. The attackers exploit vulnerable servers, execute commands to gather system information, and use WGet to install additional malware. The installed malw…
privilege escalation
brute force
2025-04-22
ms-sql
wget
remote control
petitpotato
dictionary attack
ammyy admin
Published: April 22, 2025
Downloadable IOCs: 0

FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE

An investigation of nine malware samples revealed FOG ransomware being distributed by cybercriminals impersonating the Department of Government Efficiency (DOGE). The ransomware, spread via email and phishing attacks, is concealed in a ZIP file named 'Pay Adjustment.zip'. The infection chain involv…
phishing
ransomware
foggyweb
privilege escalation
data exfiltration
sandbox evasion
multi-stage
2025-04-21
doge
Published: April 21, 2025
Downloadable IOCs: 6

CVE-2025-30406 - Critical Gladinet CentreStack & Triofox Vulnerability Exploited In The Wild

A critical vulnerability (CVE-2025-30406) in Gladinet CentreStack and Triofox software has been discovered and is being actively exploited. The flaw involves hardcoded cryptographic keys in configuration files, allowing attackers to abuse ASPX ViewState for remote code execution. Affected versions …
cobalt strike
privilege escalation
remote code execution
meshcentral
CVE-2025-30406
2025-04-15
gladinet
hardcoded keys
aspx viewstate
centrestack
triofox
Published: April 15, 2025
Linked vulnerabilities : CVE-2025-30406
Downloadable IOCs: 6

Exploitation of CLFS zero-day leads to ransomware activity

A zero-day elevation of privilege vulnerability in Windows Common Log File System (CLFS) has been exploited against targets in IT, real estate, finance, software, and retail sectors across multiple countries. The exploit, deployed by PipeMagic malware and attributed to Storm-2460, enables privilege…
ransomware
windows
zero-day
privilege escalation
ransomexx
CVE-2025-24983
CVE-2025-29824
2025-04-09
clfs
pipemagic
Published: April 9, 2025
Linked vulnerabilities : CVE-2025-24983 (CVSS 7.0), CVE-2025-29814 (CVSS 9.3), CVE-2025-29824 (CVSS 7.8)
Downloadable IOCs: 0

Analysis of Lazarus Group's Attack Targeting Windows Web Servers

The Lazarus group has been targeting Windows web servers, particularly in South Korea, installing webshells and C2 scripts to use compromised servers as proxies. The attacks involve multiple stages, including the use of LazarLoader malware and privilege escalation tools. The C2 scripts act as proxi…
windows
privilege escalation
webshell
iis
uac bypass
web servers
2025-03-11
c2 proxy
lazarloader
Published: March 11, 2025
Downloadable IOCs: 0

Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal

The Black Basta and Cactus ransomware groups have incorporated BackConnect malware into their attack strategies to maintain persistent control over compromised systems. The attackers use social engineering tactics, including email flooding and impersonation of IT support, to gain initial access. Th…
social engineering
ransomware
darkgate
black basta
lateral movement
privilege escalation
systembc
2025-03-03
cactus
backconnect
cloud storage abuse
onedrive exploitation
Published: March 3, 2025
Downloadable IOCs: 0

Analysis of an incident involving a web shell used as a backdoor

A SOC investigation uncovered a web shell attack on a government SharePoint server in Southeast Asia. The attackers used certutil to download an ASPX payload disguised as a 404 page, then employed Potato tools for privilege escalation. Analysis revealed the web shell to be Behinder, a modular backd…
privilege escalation
badpotato
behinder
godpotato
web shell
southeast asia
2025-02-28
memory-based threats
sweetpotato
potato tools
Published: February 28, 2025
Downloadable IOCs: 0

Threat Actors Use CVE-2019-18935 to Deliver Reverse Shells and JuicyPotatoNG

In early January 2025, a threat actor was observed exploiting CVE-2019-18935 in Progress Telerik UI for ASP.NET AJAX. The attacker used the IIS worker process to load a reverse shell and execute reconnaissance commands. The infection process involved confirming the availability of the file upload h…
privilege escalation
iis
2025-01-31
juicypotatong
CVE-2019-18935
Published: January 31, 2025
Linked vulnerabilities : CVE-2019-18935
Downloadable IOCs: 4

Investigating A Web Shell Intrusion With Managed XDR

This analysis details a web shell intrusion incident where attackers exploited an IIS worker to exfiltrate data. The attacker uploaded a web shell, created a new account for persistence, modified an existing user's password, and used encoded PowerShell commands to establish a reverse TCP shell for …
powershell
anydesk
privilege escalation
data exfiltration
web shell
command-and-control
2025-01-15
reverse tcp shell
iis worker
Published: January 15, 2025
Downloadable IOCs: 0

Exploitation in the Wild of Aviatrix Controller RCE (CVE-2024-50603)

A critical code execution vulnerability, CVE-2024-50603, affecting Aviatrix Controller has been observed being exploited in the wild. This unauthenticated remote code execution flaw allows attackers to execute arbitrary commands on the system, potentially leading to privilege escalation in AWS envi…
backdoor
xmrig
sliver
cloud security
cryptojacking
privilege escalation
aws
rce
CVE-2024-50603
2025-01-13
aviatrix controller
Published: January 13, 2025
Linked vulnerabilities : CVE-2024-50603 (CVSS 10.0), CVE-2025-0282 (CVSS 9.0), CVE-2025-0283 (CVSS 7.0), CVE-2021-40870
Downloadable IOCs: 6

Brain Cipher Ransomware uses CVE-2023-28252

Brain Cipher ransomware is suspected of exploiting CVE-2023-28252, a vulnerability previously utilized by the now-inactive Nokowaya Ransomware Group. The exploit, often disguised as 'clfs_eop.exe', targets the Microsoft Windows CLFS Driver for privilege escalation. This vulnerability is being sold …
ransomware
privilege-escalation
2024-12-17
CVE-2023-28252
brain cipher
clfs filename
Published: December 17, 2024
Downloadable IOCs: 2

Declawing PUMAKIT

PUMAKIT is a sophisticated multi-stage Linux malware consisting of a dropper, memory-resident executables, an LKM rootkit, and a userland rootkit. It employs advanced stealth techniques to hide its presence and maintain C2 communication. The rootkit hooks 18 syscalls and kernel functions using ftra…
rootkit
privilege escalation
2024-12-16
pumakit
kitsune
syscall hooking
Published: December 16, 2024
Downloadable IOCs: 12

The Curious Case of an Excellent Resume

This report details a malicious campaign where the threat actor gained initial access through a resume lure as part of a TA4557/FIN6 operation. The actor employed techniques like abusing legitimate binaries, establishing Cobalt Strike and Pyramid C2, exploiting CVE-2023-27532 for lateral movement, …
apt
privilege-escalation
cobalt strike
persistence
credentials
CVE-2023-27532
lateral-movement
skid
more_eggs
spicyomelette
terra loader
2024-12-04
cloudflared
c2 pyramid
Published: December 4, 2024
Linked vulnerabilities : CVE-2023-27532
Downloadable IOCs: 20

Gafgyt Malware Broadens Its Scope in Recent Attacks

Trend Micro researchers have identified threat actors exploiting misconfigured Docker servers to spread Gafgyt malware, traditionally known for targeting IoT devices. This shift in behavior involves attackers creating Docker containers based on legitimate 'alpine' images to deploy the malware. The …
privilege-escalation
ddos
iot
botnet
gafgyt
docker
api
2024-12-03
lizkebab
container
bashlite
Published: December 3, 2024
Downloadable IOCs: 25

Raspberry Robin Analysis

Raspberry Robin, a malicious downloader discovered in 2021, has been circulating for years, primarily spreading through infected USB devices. It stands out due to its unique binary-obfuscation techniques, extensive use of anti-analysis methods, and privilege escalation exploits. The malware uses mu…
obfuscation
privilege-escalation
anti-analysis
tor
2024-11-19
raspberry robin
usb-spreading
network-propagation
CVE-2024-26229
CVE-2021-31969
Published: November 19, 2024
Linked vulnerabilities : CVE-2021-31969, CVE-2024-26229
Downloadable IOCs: 126

November 18 Advisory: Active Exploitation of Critical RCE in Palo Alto Networks PAN-OS [CVE-2024-0012 and CVE-2024-9474]

Two critical vulnerabilities in Palo Alto Networks PAN-OS, CVE-2024-0012 and CVE-2024-9474, have been disclosed. CVE-2024-0012 is an authentication bypass allowing unauthenticated remote attackers to gain admin privileges, while CVE-2024-9474 is an authenticated privilege escalation bug. These can …
vpn
privilege escalation
2024-11-18
CVE-2024-0012
CVE-2024-9474
rce
authentication bypass
pan-os
critical vulnerability
Published: November 18, 2024
Downloadable IOCs: 0

Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012

A critical authentication bypass vulnerability (CVE-2024-0012) in Palo Alto Networks PAN-OS software allows unauthenticated attackers to gain administrator privileges on affected devices. The issue affects PAN-OS versions 10.2, 11.0, 11.1, and 11.2, but not Cloud NGFW or Prisma Access. Limited expl…
vpn
privilege escalation
webshell
2024-11-18
CVE-2024-0012
CVE-2024-9474
authentication bypass
pan-os
Published: November 18, 2024
Downloadable IOCs: 0

G700: The Next Generation of Craxs RAT

G700 RAT, an advanced variant of Craxs RAT, targets Android devices and cryptocurrency applications. It employs sophisticated techniques like privilege escalation, phishing, and malicious APK distribution to infiltrate devices. The malware bypasses authentication, captures sensitive data, and manip…
obfuscation
phishing
android
cryptocurrency
craxs rat
privilege escalation
2024-11-04
apk distribution
transaction hijacking
sms interception
g700 rat
Published: November 4, 2024
Downloadable IOCs: 3

Chinese Hackers Toolkit Uncovered And Activity History Uncovered

A Chinese hacking group called 'You Dun' was discovered through an exposed open directory, revealing their comprehensive attack infrastructure. The group utilized sophisticated reconnaissance tools and exploited Zhiyuan OA software via SQL injection attacks, targeting South Korean pharmaceutical or…
sql injection
ransomware
cobalt strike
privilege escalation
lockbit 3.0
2024-10-28
c2 infrastructure
CVE-2021-25003
chinese hackers
viper framework
reconnaissance tools
Published: October 28, 2024
Linked vulnerabilities : CVE-2021-25003
Downloadable IOCs: 7

Understanding the Initial Stages of Web Shell and VPN Threats: An MXDR Analysis

This analysis examines two cybersecurity incidents: a web shell attack and a VPN compromise. The web shell attack involved uploading malicious files to a server, executing commands, creating a local admin account, and attempting to establish persistence. The VPN compromise led to lateral movement, …
anydesk
persistence
CVE-2020-1472
lateral movement
privilege escalation
web shell
defense evasion
2024-10-24
iis
mxdr
vpn compromise
Published: October 24, 2024
Linked vulnerabilities : CVE-2020-1472
Downloadable IOCs: 1

DarkComet RAT: Technical Analysis of Attack Chain

This analysis examines the Remote Access Trojan (RAT) DarkComet, detailing its capabilities, distribution methods, and technical operations. The malware alters file attributes, establishes communication with malicious domains, modifies process privileges, and gathers system information. It employs …
rat
evasion
persistence
keylogging
privilege escalation
command and control
remote access trojan
2024-10-23
darkcomet
Published: October 23, 2024
Downloadable IOCs: 1

Attackers Target Exposed Docker Remote API Servers With perfctl Malware

An unknown threat actor is exploiting exposed Docker Remote API servers to deploy the perfctl malware. The attack sequence involves probing the server, creating a Docker container with specific settings, and executing a Base64 encoded payload. The payload escapes the container, creates a bash scrip…
evasion
persistence
docker
privilege escalation
perfctl
2024-10-21
remote api
linux malware
container exploitation
Published: October 21, 2024
Downloadable IOCs: 6

Advanced Cyberattacks Against UAE and Gulf Regions

Earth Simnavaz, also known as APT34 and OilRig, has been actively targeting governmental entities in the UAE and Gulf region. The group employs sophisticated tactics, including a backdoor that exploits Microsoft Exchange servers for credential theft and the use of CVE-2024-30088 for privilege escal…
cyber espionage
credential theft
oilrig
CVE-2024-30088
privilege escalation
microsoft exchange
2024-10-14
apt34
stealhook
iis malware
gulf region
uae
Published: October 14, 2024
Linked vulnerabilities : CVE-2024-30088 (CVSS 7.0)
Downloadable IOCs: 17

perfctl: A Stealthy Malware Targeting Millions of Linux Servers

A sophisticated Linux malware named 'perfctl' has been actively targeting millions of servers worldwide for the past 3-4 years. It exploits over 20,000 types of misconfigurations to compromise Linux systems. The malware employs advanced evasion techniques, including rootkits, process masquerading, …
linux
rootkit
evasion
privilege-escalation
persistence
cryptomining
CVE-2023-33246
2024-10-04
tor
CVE-2021-4043
proxy-jacking
perfctl
Published: October 4, 2024
Linked vulnerabilities : CVE-2023-33246, CVE-2021-4034, CVE-2021-4043
Downloadable IOCs: 9

The Nanshou Campaign - Hackers' Arsenal Grows Stronger

This comprehensive analysis details a sophisticated cyber campaign targeting over 50,000 Windows servers worldwide, primarily in the healthcare, telecommunications, media, and IT sectors. The campaign exploited vulnerabilities in MS-SQL and phpMyAdmin, dropping advanced payloads like crypto-miners …
privilege escalation
vulnerability exploitation
2024-09-16
smominru
CVE-2014-4113
database servers
kernel rootkit
crypto-miner
Published: September 16, 2024
Linked vulnerabilities : CVE-2014-4113
Downloadable IOCs: 28

StopRansomware: RansomHub Ransomware

RansomHub is a ransomware-as-a-service variant that has targeted over 210 victims across various critical infrastructure sectors since February 2024. It employs a double-extortion model, encrypting systems and exfiltrating data. The ransom note provides victims with a client ID and instructions to …
privilege-escalation
cobalt strike
encryption
CVE-2020-1472
ransomware-as-a-service
ransomhub
mimikatz
CVE-2023-3519
2024-08-30
metasploit
CVE-2023-22515
CVE-2023-46604
CVE-2017-0144
CVE-2023-48788
double-extortion
CVE-2023-27997
data-exfiltration
CVE-2023-46747
critical-infrastructure
CVE-2020-0787
lateral-movement
Published: August 30, 2024
Linked vulnerabilities : CVE-2020-1472, CVE-2023-46604, CVE-2023-22515, CVE-2020-0787, CVE-2017-0144, CVE-2023-3519, CVE-2023-27997, CVE-2023-48788, CVE-2023-46747
Downloadable IOCs: 14

Ransomware attackers introduce new EDR killer to their arsenal

An analysis by security researchers has uncovered the existence of a new tool called EDRKillShifter, which is used by threat actors to disable endpoint protection software during ransomware attacks. The tool is designed to terminate antivirus and endpoint detection and response (EDR) solutions on t…
ransomware
ransomhub
privilege escalation
2024-08-16
edr evasion
driver exploitation
edrkillshifter
Published: August 16, 2024
Downloadable IOCs: 2

Analysis of CoinMiner Attacks Targeting Web Servers

The report details two separate attack cases targeting a Korean medical institution's web server, resulting in the installation of CoinMiners. The targeted server was a Windows IIS server, likely with PACS software installed. In both attacks, web shells were uploaded, and system information was col…
xmrig
coinminer
privilege escalation
earthworm
badpotato
godpotato
2024-06-24
webshell
netcat
cpolar
fscan
printnotifypotato
Published: June 24, 2024
Linked vulnerabilities : CVE-2021-1732
Downloadable IOCs: 59

DISGOMOJI Malware Used to Target Indian Government

Volexity identified a cyber-espionage campaign by a suspected Pakistan-based threat actor tracked as UTA0137 targeting government entities in India. The campaign leveraged the DISGOMOJI malware, a Golang-based Linux trojan that uses Discord for command and control via emojis. Key capabilities inclu…
linux
espionage
india
discord
2024-06-18
golang
privilege escalation
disgomoji
CVE-2022-0847
Published: June 18, 2024
Linked vulnerabilities : CVE-2024-3400, CVE-2022-0847
Downloadable IOCs: 149
Click here to see more Attack Reports