Tag: privilege-escalation

31 Attack Reports | 0 Vulnerabilities

Attack reports

Clone, Compile, Compromise: Open-Source Malware Trap on GitHub

A newly identified threat actor, Water Curse, is exploiting GitHub to deliver weaponized repositories containing multistage malware. The group has been linked to at least 76 GitHub accounts, targeting cybersecurity professionals, game developers, and DevOps teams. Their malware enables data exfiltr…
supply chain
persistence
privilege escalation
data exfiltration
open-source
github
anti-debugging
2025-06-16
backdoor.js.dullrat
multistage malware
Published: June 16, 2025
Downloadable IOCs: 0

Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper

Anubis is a new ransomware-as-a-service (RaaS) group that combines file encryption with file destruction capabilities. Active since December 2024, it features a 'wipe mode' that permanently erases files, making recovery impossible even if ransom is paid. The group operates a flexible affiliate prog…
privilege-escalation
ransomware-as-a-service
spear-phishing
2025-06-13
file-wiping
anubis
ecies-encryption
sphinx
Published: June 13, 2025
Downloadable IOCs: 0

Case of Attacks Targeting MS-SQL Servers to Install Ammyy Admin

A series of attacks targeting poorly managed MS-SQL servers have been identified, involving the installation of Ammyy Admin, a remote control tool. The attackers exploit vulnerable servers, execute commands to gather system information, and use WGet to install additional malware. The installed malw…
privilege escalation
brute force
2025-04-22
ms-sql
wget
remote control
petitpotato
dictionary attack
ammyy admin
Published: April 22, 2025
Downloadable IOCs: 0

FOG Ransomware Spread by Cybercriminals Claiming Ties to DOGE

An investigation of nine malware samples revealed FOG ransomware being distributed by cybercriminals impersonating the Department of Government Efficiency (DOGE). The ransomware, spread via email and phishing attacks, is concealed in a ZIP file named 'Pay Adjustment.zip'. The infection chain involv…
phishing
ransomware
foggyweb
privilege escalation
data exfiltration
sandbox evasion
multi-stage
2025-04-21
doge
Published: April 21, 2025
Downloadable IOCs: 6

CVE-2025-30406 - Critical Gladinet CentreStack & Triofox Vulnerability Exploited In The Wild

A critical vulnerability (CVE-2025-30406) in Gladinet CentreStack and Triofox software has been discovered and is being actively exploited. The flaw involves hardcoded cryptographic keys in configuration files, allowing attackers to abuse ASPX ViewState for remote code execution. Affected versions …
cobalt strike
privilege escalation
remote code execution
meshcentral
CVE-2025-30406
2025-04-15
gladinet
hardcoded keys
aspx viewstate
centrestack
triofox
Published: April 15, 2025
Linked vulnerabilities : CVE-2025-30406
Downloadable IOCs: 6

Exploitation of CLFS zero-day leads to ransomware activity

A zero-day elevation of privilege vulnerability in Windows Common Log File System (CLFS) has been exploited against targets in IT, real estate, finance, software, and retail sectors across multiple countries. The exploit, deployed by PipeMagic malware and attributed to Storm-2460, enables privilege…
ransomware
windows
zero-day
privilege escalation
ransomexx
CVE-2025-24983
CVE-2025-29824
2025-04-09
clfs
pipemagic
Published: April 9, 2025
Linked vulnerabilities : CVE-2025-24983 (CVSS 7.0), CVE-2025-29814 (CVSS 9.3), CVE-2025-29824 (CVSS 7.8)
Downloadable IOCs: 0

Analysis of Lazarus Group's Attack Targeting Windows Web Servers

The Lazarus group has been targeting Windows web servers, particularly in South Korea, installing webshells and C2 scripts to use compromised servers as proxies. The attacks involve multiple stages, including the use of LazarLoader malware and privilege escalation tools. The C2 scripts act as proxi…
windows
privilege escalation
webshell
iis
uac bypass
web servers
2025-03-11
c2 proxy
lazarloader
Published: March 11, 2025
Downloadable IOCs: 0

Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal

The Black Basta and Cactus ransomware groups have incorporated BackConnect malware into their attack strategies to maintain persistent control over compromised systems. The attackers use social engineering tactics, including email flooding and impersonation of IT support, to gain initial access. Th…
social engineering
ransomware
darkgate
black basta
lateral movement
privilege escalation
systembc
2025-03-03
cactus
backconnect
cloud storage abuse
onedrive exploitation
Published: March 3, 2025
Downloadable IOCs: 0

Analysis of an incident involving a web shell used as a backdoor

A SOC investigation uncovered a web shell attack on a government SharePoint server in Southeast Asia. The attackers used certutil to download an ASPX payload disguised as a 404 page, then employed Potato tools for privilege escalation. Analysis revealed the web shell to be Behinder, a modular backd…
privilege escalation
badpotato
behinder
godpotato
web shell
southeast asia
2025-02-28
memory-based threats
sweetpotato
potato tools
Published: February 28, 2025
Downloadable IOCs: 0

Threat Actors Use CVE-2019-18935 to Deliver Reverse Shells and JuicyPotatoNG

In early January 2025, a threat actor was observed exploiting CVE-2019-18935 in Progress Telerik UI for ASP.NET AJAX. The attacker used the IIS worker process to load a reverse shell and execute reconnaissance commands. The infection process involved confirming the availability of the file upload h…
privilege escalation
iis
2025-01-31
juicypotatong
CVE-2019-18935
Published: January 31, 2025
Linked vulnerabilities : CVE-2019-18935
Downloadable IOCs: 4

Investigating A Web Shell Intrusion With Managed XDR

This analysis details a web shell intrusion incident where attackers exploited an IIS worker to exfiltrate data. The attacker uploaded a web shell, created a new account for persistence, modified an existing user's password, and used encoded PowerShell commands to establish a reverse TCP shell for …
powershell
anydesk
privilege escalation
data exfiltration
web shell
command-and-control
2025-01-15
reverse tcp shell
iis worker
Published: January 15, 2025
Downloadable IOCs: 0

Exploitation in the Wild of Aviatrix Controller RCE (CVE-2024-50603)

A critical code execution vulnerability, CVE-2024-50603, affecting Aviatrix Controller has been observed being exploited in the wild. This unauthenticated remote code execution flaw allows attackers to execute arbitrary commands on the system, potentially leading to privilege escalation in AWS envi…
backdoor
xmrig
sliver
cloud security
cryptojacking
privilege escalation
aws
rce
CVE-2024-50603
2025-01-13
aviatrix controller
Published: January 13, 2025
Linked vulnerabilities : CVE-2024-50603 (CVSS 10.0), CVE-2025-0282 (CVSS 9.0), CVE-2025-0283 (CVSS 7.0), CVE-2021-40870
Downloadable IOCs: 6

Brain Cipher Ransomware uses CVE-2023-28252

Brain Cipher ransomware is suspected of exploiting CVE-2023-28252, a vulnerability previously utilized by the now-inactive Nokowaya Ransomware Group. The exploit, often disguised as 'clfs_eop.exe', targets the Microsoft Windows CLFS Driver for privilege escalation. This vulnerability is being sold …
ransomware
privilege-escalation
2024-12-17
CVE-2023-28252
brain cipher
clfs filename
Published: December 17, 2024
Downloadable IOCs: 2

Declawing PUMAKIT

PUMAKIT is a sophisticated multi-stage Linux malware consisting of a dropper, memory-resident executables, an LKM rootkit, and a userland rootkit. It employs advanced stealth techniques to hide its presence and maintain C2 communication. The rootkit hooks 18 syscalls and kernel functions using ftra…
rootkit
privilege escalation
2024-12-16
pumakit
kitsune
syscall hooking
Published: December 16, 2024
Downloadable IOCs: 12

The Curious Case of an Excellent Resume

This report details a malicious campaign where the threat actor gained initial access through a resume lure as part of a TA4557/FIN6 operation. The actor employed techniques like abusing legitimate binaries, establishing Cobalt Strike and Pyramid C2, exploiting CVE-2023-27532 for lateral movement, …
apt
privilege-escalation
cobalt strike
persistence
credentials
CVE-2023-27532
lateral-movement
skid
more_eggs
spicyomelette
terra loader
2024-12-04
cloudflared
c2 pyramid
Published: December 4, 2024
Linked vulnerabilities : CVE-2023-27532
Downloadable IOCs: 20

Gafgyt Malware Broadens Its Scope in Recent Attacks

Trend Micro researchers have identified threat actors exploiting misconfigured Docker servers to spread Gafgyt malware, traditionally known for targeting IoT devices. This shift in behavior involves attackers creating Docker containers based on legitimate 'alpine' images to deploy the malware. The …
privilege-escalation
ddos
iot
botnet
gafgyt
docker
api
2024-12-03
lizkebab
container
bashlite
Published: December 3, 2024
Downloadable IOCs: 25

Raspberry Robin Analysis

Raspberry Robin, a malicious downloader discovered in 2021, has been circulating for years, primarily spreading through infected USB devices. It stands out due to its unique binary-obfuscation techniques, extensive use of anti-analysis methods, and privilege escalation exploits. The malware uses mu…
obfuscation
privilege-escalation
anti-analysis
tor
2024-11-19
raspberry robin
usb-spreading
network-propagation
CVE-2024-26229
CVE-2021-31969
Published: November 19, 2024
Linked vulnerabilities : CVE-2021-31969, CVE-2024-26229
Downloadable IOCs: 126

November 18 Advisory: Active Exploitation of Critical RCE in Palo Alto Networks PAN-OS [CVE-2024-0012 and CVE-2024-9474]

Two critical vulnerabilities in Palo Alto Networks PAN-OS, CVE-2024-0012 and CVE-2024-9474, have been disclosed. CVE-2024-0012 is an authentication bypass allowing unauthenticated remote attackers to gain admin privileges, while CVE-2024-9474 is an authenticated privilege escalation bug. These can …
vpn
privilege escalation
2024-11-18
CVE-2024-0012
CVE-2024-9474
rce
authentication bypass
pan-os