A malicious campaign has been targeting organizations in Japan since January 2025, attributed to an unknown threat group. The attackers exploited the CVE-2024-4577 vulnerability, a remote code execution flaw in PHP-CGI on Windows systems. This flaw allowed the threat actors to gain initial access to victim machines, enabling the execution of PowerShell scripts. The attackers used the publicly available Cobalt Strike kit, specifically the “TaoWu” plugin, for post-exploitation activities to maintain control.
Once the attackers gained access, they deployed reverse HTTP shellcode payloads using PowerShell scripts to provide persistent remote access. They conducted reconnaissance, privilege escalation, and lateral movement using tools like JuicyPotato, RottenPotato, and SweetPotato. These tools allowed them to escalate privileges and explore the network for additional targets. Persistence was further ensured through custom services, Windows Registry modifications, and scheduled tasks. This ensured the attackers remained undetected in the compromised environment.
In addition to lateral movement and privilege escalation, the attackers removed traces of their actions by erasing event logs from the victim’s machine.
They used wevtutil commands to clear the security, system, and application logs, maintaining stealth. Following this, the attackers executed Mimikatz commands to dump passwords and NTLM hashes from the compromised system’s memory. The stolen credentials were then exfiltrated to the attackers, providing them with valuable access to the victim’s resources and network.
Further analysis of the Cobalt Strike command-and-control servers revealed that directories containing the full suite of adversarial tools were publicly accessible.
These tools, hosted on Alibaba cloud servers, included BeEF, Viper C2, and Blue-Lotus, which enabled the attackers to execute commands, perform cross-site scripting (XSS) attacks, and steal browser cookies. The discovery of these tools suggests that the attackers’ motives extend beyond credential harvesting, with the possibility of more extensive attacks in the future. The attackers have gained significant access to various adversarial frameworks, increasing the likelihood of future exploitation.
