Tag: vulnerability exploitation

23 Attack Reports | 0 Vulnerabilities

Attack reports

RondoDox Botnet: From Zero to 174 Exploited Vulnerabilities

The RondoDox botnet has emerged as a significant threat, exploiting 174 different vulnerabilities since May 2025. It primarily targets IoT devices and internet-exposed services for DoS attacks. The botnet's infrastructure includes exploiting and hosting components, with evidence suggesting the use …
xmrig
ddos
iot
botnet
vulnerability exploitation
rondodox
2026-03-11
Published: March 11, 2026
Linked vulnerabilities : CVE-2025-24016 (CVSS 9.9), CVE-2025-24893 (CVSS 9.8), CVE-2023-46604, CVE-2025-32756, CVE-2025-48827 (CVSS 10.0), CVE-2025-20281 (CVSS 9.8), CVE-2025-57296 (CVSS 6.5), CVE-2025-62593 (CVSS 9.4), CVE-2025-55182 (CVSS 10.0), CVE-2025-37164 (CVSS 10.0), CVE-2025-47812, CVE-2025-52089
Downloadable IOCs: 29

MuddyWater Exposed: Inside an Iranian APT operation

Researchers identified and analyzed exposed infrastructure of MuddyWater, an Iranian cyber espionage group linked to the Ministry of Intelligence and Security. The investigation revealed their reconnaissance methods, exploitation of vulnerabilities, custom command and control frameworks, and exfilt…
exfiltration
cyber espionage
reconnaissance
CVE-2022-42475
vulnerability exploitation
command and control
CVE-2024-55591
CVE-2025-5777
CVE-2025-54068
iranian apt
CVE-2025-9316
CVE-2025-55182
CVE-2025-34291
CVE-2025-68613
CVE-2025-52691
tsundere botnet
CVE-2026-1281
CVE-2026-1731
geopolitical conflict
2026-03-05
arenac2
CVE-2024-23113
keyc2
mois
persianc2
Published: March 5, 2026
Linked vulnerabilities : CVE-2024-5559 (CVSS 6.1), CVE-2024-55591 (CVSS 9.8), CVE-2022-42475, CVE-2025-5777 (CVSS 9.3), CVE-2025-54068 (CVSS 9.2), CVE-2025-9316 (CVSS 6.9), CVE-2025-55182 (CVSS 10.0), CVE-2025-34291 (CVSS 9.4), CVE-2025-68613 (CVSS 9.9), CVE-2025-52691 (CVSS 10.0), CVE-2026-1281 (CVSS 9.8), CVE-2026-1731 (CVSS 9.9), CVE-2024-23113
Downloadable IOCs: 14

Metro4Shell: Exploitation of React Native's Metro Server in the Wild

A vulnerability in React Native's Metro Server, dubbed Metro4Shell, has been exploited in the wild since December 21, 2025. The flaw allows unauthenticated remote attackers to execute arbitrary OS commands on Windows systems. Exploitation involves a multi-stage PowerShell-based loader delivered thr…
linux
powershell
windows
vulnerability exploitation
remote code execution
CVE-2025-11953
2026-02-04
metro server
react native
Published: February 4, 2026
Linked vulnerabilities : CVE-2025-11953 (CVSS 9.8)
Downloadable IOCs: 5

RondoDoX Botnet Weaponizes React2Shell

A persistent nine-month RondoDoX botnet campaign has been targeting IoT devices and web applications. The threat actors have recently shifted to weaponizing a critical Next.js vulnerability, deploying malicious payloads like 'React2Shell' and cryptominers. The campaign, spanning from March to Decem…
iot
botnet
mirai
cryptominer
vulnerability exploitation
command and control
next.js
rondodox
react2shell
2025-12-29
rondo
web application
Published: December 29, 2025
Downloadable IOCs: 7

Sneeit WordPress RCE Exploited in the Wild While ICTBroadcast Bug Fuels Frost Botnet Attacks

A critical remote code execution vulnerability (CVE-2025-6389) in the Sneeit Framework WordPress plugin is being actively exploited. The flaw allows unauthenticated attackers to execute code on the server, potentially creating malicious admin accounts or injecting backdoors. Wordfence has blocked o…
ddos
botnet
wordpress
vulnerability exploitation
remote code execution
CVE-2025-1610
CVE-2025-2611
CVE-2025-6389
2025-12-09
frost
ictbroadcast
sneeit framework
trojan.karagany
xfrost
Published: December 9, 2025
Linked vulnerabilities : CVE-2025-1610 (CVSS 6.3), CVE-2025-2611 (CVSS 9.3), CVE-2025-6389 (CVSS 9.8), CVE-2025-66516 (CVSS 10.0)
Downloadable IOCs: 6

Case of ActiveMQ Vulnerability Exploitation to Install Sharpire (Kinsing)

The Kinsing threat actor continues to distribute malware by exploiting known vulnerabilities, particularly CVE-2023-46604 in ActiveMQ. They target both Linux and Windows systems, using various malware types including XMRig, Stager, and Sharpire. The attack process involves exploiting the ActiveMQ v…
xmrig
meterpreter
cobaltstrike
vulnerability exploitation
CVE-2023-46604
cryptocurrency mining
2025-10-31
activemq
sharpire
h2miner
powershell empire
Published: October 31, 2025
Linked vulnerabilities : CVE-2021-44228, CVE-2023-46604
Downloadable IOCs: 4

UNC1151 exploiting Roundcube to steal user credentials in a spearphishing campaign

A spear phishing campaign targeting Polish entities has been observed, exploiting the CVE-2024-42009 vulnerability in Roundcube to steal user credentials. The campaign, attributed to UNC1151, involves sending emails with malicious JavaScript that installs a Service Worker in the victim's browser. T…
spearphishing
poland
credential theft
vulnerability exploitation
CVE-2024-42009
unc1151
CVE-2025-49113
2025-06-05
roundcube
Published: June 5, 2025
Linked vulnerabilities : CVE-2024-42009, CVE-2025-49113 (CVSS 9.9)
Downloadable IOCs: 3

Custom Arsenal Developed to Target Multiple Industries

Earth Lamia, an APT threat actor, has been targeting organizations in Brazil, India, and Southeast Asia since 2023. The group exploits web application vulnerabilities, particularly SQL injection, to gain access to targeted systems. They have developed custom tools like PULSEPACK backdoor and Bypass…
backdoor
apt
sql injection
cobalt strike
dll sideloading
vulnerability exploitation
brute ratel
multi-industry targeting
CVE-2024-9047
CVE-2024-51378
CVE-2024-51567
china-nexus
CVE-2024-56145
vshell
CVE-2025-31324
2025-05-27
CVE-2021-22205
CVE-2024-27199
CVE-2024-27198
CVE-2017-9805
pulsepack
bypassboss
custom tools
Published: May 27, 2025
Linked vulnerabilities : CVE-2024-9047 (CVSS 9.8), CVE-2024-51378 (CVSS 10.0), CVE-2024-51567 (CVSS 10.0), CVE-2024-56145, CVE-2025-31324 (CVSS 10.0), CVE-2017-9805, CVE-2024-27199, CVE-2024-27198, CVE-2021-22205
Downloadable IOCs: 185

Mass Scanning and Exploit Campaigns

Trustwave SpiderLabs has identified ongoing malicious activities originating from Proton66 ASN, including vulnerability scanning, exploit attempts, and phishing campaigns. The investigation revealed connections between Proton66 and bulletproof hosting services advertised on underground forums. Mass…
ransomware
vulnerability exploitation
CVE-2024-41713
CVE-2024-10914
CVE-2024-55591
CVE-2025-24472
CVE-2025-0108
superblack
bulletproof hosting
2025-05-16
exploit campaigns
critical vulnerabilities
mass scanning
underground forums
Published: May 16, 2025
Linked vulnerabilities : CVE-2024-41713 (CVSS 7.5), CVE-2024-10914 (CVSS 8.1), CVE-2024-55591 (CVSS 9.8), CVE-2025-24472 (CVSS 8.1), CVE-2025-0108 (CVSS 9.1)
Downloadable IOCs: 22

The Persistent Threat of Salt Typhoon: Tracking Exposures of Potentially Targeted Devices

Salt Typhoon, a Chinese state-sponsored threat actor, has been targeting major telecommunications providers worldwide by exploiting vulnerabilities in network devices. This analysis tracks global exposures of internet-facing devices associated with Salt Typhoon activity over six months, including S…
network devices
CVE-2024-21887
CVE-2023-46805
shadowpad
telecommunications
vulnerability exploitation
CVE-2023-48788
CVE-2022-3236
masol rat
ivanti connect secure
2025-04-26
chinese state-sponsored
CVE-2023-20198
sophos firewall
CVE-2023-20273
cisco ios xe
exposure tracking
fortinet forticlient ems
Published: April 26, 2025
Downloadable IOCs: 0

Lazarus APT updates its toolset in watering hole attacks

The Lazarus group has launched a sophisticated attack campaign dubbed 'Operation SyncHole' targeting South Korean organizations. The operation combines watering hole attacks with exploitation of vulnerabilities in South Korean software. At least six organizations in the software, IT, financial, sem…
apt
supply chain
south korea
vulnerability exploitation
watering hole
2025-04-24
copperhedge
signbt
threatneedle
agamemnon downloader
wagent
Published: April 24, 2025
Downloadable IOCs: 0

Dragon RaaS | Pro-Russian Hacktivist Group Aims to Build on "The Five Families" Cybercrime Reputation

Dragon RaaS is a ransomware group that emerged in July 2024 as an offshoot of Stormous, part of a larger cybercrime syndicate known as 'The Five Families'. The group markets itself as a sophisticated Ransomware-as-a-Service operation but often conducts defacements and opportunistic attacks rather t…
ransomware
cybercrime
CVE-2024-3806
CVE-2024-3807
CVE-2024-3808
CVE-2024-3809
hacktivism
webshell
vulnerability exploitation
CVE-2024-47374
2025-03-19
defacement
stormcry
CVE-2022-0073
CVE-2023-2359
CVE-2023-6925
dragon raas
CVE-2023-47784
CVE-2022-0074
pro-russian
Published: March 19, 2025
Downloadable IOCs: 0

Malicious Packages Identified in the Wild: Insights and Trends from November 2024 Onward

FortiGuard Labs has analyzed malicious software packages detected from November 2024 to March 2025, revealing various attack techniques used to exploit system vulnerabilities. Key findings include 1,082 packages with low file counts, 1,052 packages with suspicious install scripts, and 1,043 package…
obfuscation
python
typosquatting
node.js
backdoors
data exfiltration
vulnerability exploitation
2025-03-10
install scripts
software packages
Published: March 10, 2025
Downloadable IOCs: 11

PolarEdge: Unveiling an uncovered ORB network

An analysis of the PolarEdge backdoor and its associated botnet reveals a sophisticated cyber threat targeting various edge devices. The botnet exploits vulnerabilities in Cisco, Asus, QNAP, and Synology devices, using a TLS backdoor to establish control. Active since at least late 2023, PolarEdge …
botnet
vulnerability exploitation
asus
infrastructure analysis
edge devices
2025-02-25
qnap
cisco
polaredge
CVE-2023-20118
tls backdoor
synology
cipher_log
Published: February 25, 2025
Linked vulnerabilities : CVE-2023-20118
Downloadable IOCs: 31

The BadPilot campaign: Multiyear global access operation

A Russian state actor subgroup within Seashell Blizzard has conducted a global access operation called the BadPilot campaign since 2021. The group exploits vulnerabilities in Internet-facing infrastructure to gain persistent access to high-value targets across various sectors worldwide. Their tacti…
persistence
credential theft
CVE-2024-1709
CVE-2021-34473
vulnerability exploitation
CVE-2023-42793
CVE-2023-48788
initial access
2025-02-12
CVE-2023-23397
CVE-2023-32315
badpilot
russian state actor
global operation
localolive
CVE-2022-41352
remote management
shadowlink
Published: February 12, 2025
Downloadable IOCs: 0

Matrix Unleashes A New Widespread DDoS Campaign

A new widespread Distributed Denial-of-Service (DDoS) campaign orchestrated by a threat actor named Matrix has been uncovered. The operation combines public scripts, brute-force attacks, and exploitation of weak credentials to create a botnet capable of global disruption. Matrix targets vulnerabili…
cryptocurrency
ddos
iot
botnet
mirai
discord
vulnerability exploitation
CVE-2018-10562
CVE-2018-10561
CVE-2017-17215
telegram
2024-11-27
CVE-2014-8361
brute-force
CVE-2017-18368
script kiddie
CVE-2018-9995
pybot
CVE-2024-27348
CVE-2017-17106
discordgo
CVE-2022-30525
CVE-2022-30075
Published: November 27, 2024
Linked vulnerabilities : CVE-2024-27348, CVE-2021-20090, CVE-2022-30525, CVE-2018-10562, CVE-2018-10561, CVE-2022-30075, CVE-2018-9995, CVE-2017-17106, CVE-2017-18368, CVE-2014-8361, CVE-2017-17215
Downloadable IOCs: 12

Threat Campaign Targeting Palo Alto Networks Firewall Devices Observed

Arctic Wolf has identified multiple intrusions across various industries involving Palo Alto Network firewall devices. The attacks likely exploit recently disclosed PAN-OS vulnerabilities CVE-2024-0012 and CVE-2024-9474 for initial access. Affected devices downloaded payloads including the Sliver C…
xmrig
data exfiltration
vulnerability exploitation
webshells
CVE-2024-0012
CVE-2024-9474
2024-11-25
sliver c2
palo alto networks
Published: November 25, 2024
Downloadable IOCs: 14

Inside Water Barghest's Rapid Exploit-to-Market Strategy for IoT Devices

Water Barghest, a cybercriminal group, has developed a highly automated system for exploiting and monetizing IoT devices. Their botnet, comprising over 20,000 devices as of October 2024, uses automated scripts to identify and compromise vulnerable IoT devices from public internet scan databases. On…
iot
botnet
proxy
vulnerability exploitation
ngioweb
2024-11-18
residential proxy marketplace
Published: November 18, 2024
Downloadable IOCs: 66

Mozi Resurfaces as Androxgh0st Botnet: Unraveling The Latest Exploitation Wave

The Androxgh0st botnet, active since January 2024, has evolved to incorporate Mozi botnet payloads, expanding its attack surface from web servers to IoT devices. It exploits vulnerabilities in various platforms, including Cisco ASA, Atlassian JIRA, and PHP frameworks, utilizing remote code executio…
iot
botnet
credential theft
CVE-2024-4577
vulnerability exploitation
CVE-2018-10562
CVE-2018-10561
androxgh0st
remote code execution
routers
CVE-2022-1040
mozi
CVE-2022-21587
CVE-2024-36401
CVE-2021-41277
CVE-2023-1389
CVE-2021-26086
CVE-2014-2120
2024-11-12
web servers
persistent access
Published: November 12, 2024
Linked vulnerabilities : CVE-2024-4577 (CVSS 9.8), CVE-2021-41773, CVE-2018-15133, CVE-2017-9841, CVE-2022-1040, CVE-2021-41277, CVE-2018-10562, CVE-2014-2120, CVE-2021-26086, CVE-2024-36401, CVE-2022-21587, CVE-2018-10561, CVE-2023-1389
Downloadable IOCs: 10

Akira ransomware continues to evolve

Akira ransomware has established itself as a prominent threat, constantly evolving its tactics. Initially employing double-extortion, it shifted focus to data exfiltration in early 2024. The group developed a Rust variant of their ESXi encryptor, moving away from C++. Recently, Akira has returned t…
linux
ransomware
windows
rust
CVE-2024-37085
vulnerability exploitation
akira
CVE-2023-27532
esxi
CVE-2024-40766
CVE-2023-48788
double-extortion
CVE-2024-40711
CVE-2023-20269
2024-10-22
CVE-2020-3259
CVE-2023-20263
chacha8
megazord
Published: October 22, 2024
Linked vulnerabilities : CVE-2024-37085 (CVSS 6.8), CVE-2024-40766 (CVSS 9.8), CVE-2024-40711 (CVSS 9.8), CVE-2023-27532, CVE-2023-20269, CVE-2020-3259, CVE-2023-48788, CVE-2023-20263
Downloadable IOCs: 37

From Automation to Exploitation: The Growing Misuse of Selenium Grid for Cryptomining and Proxyjacking

Two campaigns targeting Selenium Grid, a popular web testing tool, have been identified. The attacks exploit misconfigured instances lacking authentication to deploy cryptominers and proxyjacking tools. The first campaign injects a base64 encoded Python script to download and execute a reverse shel…
cryptomining
vulnerability exploitation
2024-09-17
tor
proxyjacking
perfcc
iproyal pawns
gsocket
traffmonetizer
selenium grid
Published: September 17, 2024
Linked vulnerabilities : CVE-2021-4043
Downloadable IOCs: 18

The Nanshou Campaign - Hackers' Arsenal Grows Stronger

This comprehensive analysis details a sophisticated cyber campaign targeting over 50,000 Windows servers worldwide, primarily in the healthcare, telecommunications, media, and IT sectors. The campaign exploited vulnerabilities in MS-SQL and phpMyAdmin, dropping advanced payloads like crypto-miners …
privilege escalation
vulnerability exploitation
2024-09-16
smominru
CVE-2014-4113
database servers
kernel rootkit
crypto-miner
Published: September 16, 2024
Linked vulnerabilities : CVE-2014-4113
Downloadable IOCs: 28

Examining Water Infection Routine Leading to an XMRig Cryptominer

This report details the multi-stage loading technique utilized by the threat actor Water Sigbin to deliver the PureCrypter loader and XMRig cryptocurrency miner. The actor exploits vulnerabilities in Oracle WebLogic servers, employing fileless execution tactics like DLL reflective and process injec…
obfuscation
xmrig
purecrypter
cryptominer
CVE-2023-21839
CVE-2017-3506
2024-06-28
vulnerability exploitation
multi-stage loading
Published: June 28, 2024
Linked vulnerabilities : CVE-2023-21839, CVE-2017-3506
Downloadable IOCs: 13
Click here to see more Attack Reports