Ethical Hacking News
A critical vulnerability in PHP-CGI has been exploited by threat actors from unknown origins to target organizations in Japan. The attackers have stolen sensitive data such as passwords and NTLM hashes, and left directory listings of their tools and frameworks accessible over the internet. This malicious campaign highlights the importance of keeping software up-to-date and using robust security measures to protect against such threats.
Threat actors from unknown origins have been linked to a malicious campaign that has been targeting organizations in Japan since January 2025. The attackers exploited the vulnerability CVE-2024-4577, which is a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines.
"The attacker has utilized plugins of the publicly available Cobalt Strike kit 'TaoWu' for post-exploitation activities," said Cisco Talos researcher Chetan Raghuprasad in a technical report published Thursday. The attackers then carried out reconnaissance, privilege escalation, and lateral movement using tools like JuicyPotato, RottenPotato, SweetPotato, Fscan, and Seatbelt.
The threat actors also established persistence on the compromised endpoint by modifying the Windows Registry, creating scheduled tasks, and using bespoke services, all through plugins of the Cobalt Strike kit TaoWu.
To maintain stealth, the attackers erased event logs using wevtutil commands, removing traces of their actions from the Windows security, system, and application logs. Furthermore, they executed Mimikatz commands to dump and exfiltrate passwords and NTLM hashes from memory on the victim's machine.
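As an added defender-side example (not code from this article, Talos, or the campaign's tooling), the following Python flags the log-wiping step described above from a Windows event export: wevtutil clear commands in process-creation (4688) command lines, the 1102/104 "log cleared" events that the Event Log service writes even when the log is wiped, and a burst that clears several channels within one short window. The JSON-lines format and its field names are a constructed assumption.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample: Windows events exported as JSON lines (not real telemetry).
SAMPLE_EVENTS = r"""
{"ts": "2025-01-15T03:10:02", "channel": "Security", "id": 4688, "cmd": "wevtutil.exe cl Security"}
{"ts": "2025-01-15T03:10:03", "channel": "Security", "id": 1102, "cmd": ""}
{"ts": "2025-01-15T03:10:05", "channel": "Security", "id": 4688, "cmd": "WEVTUTIL clear-log System"}
{"ts": "2025-01-15T03:10:05", "channel": "System", "id": 104, "cmd": ""}
{"ts": "2025-01-15T03:10:08", "channel": "Security", "id": 4688, "cmd": "wevtutil cl Application"}
{"ts": "2025-01-15T03:10:09", "channel": "System", "id": 104, "cmd": ""}
{"ts": "2025-01-15T09:00:00", "channel": "Security", "id": 4688, "cmd": "wevtutil qe Security /c:5"}
"""

# 'cl' and its long form 'clear-log' wipe a channel; 4688 carries the command line.
CLEAR_CMD = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(\S+)", re.IGNORECASE)
# Events the Event Log service writes when a channel is cleared: 1102 (Security) and
# 104 (System channel, for System/Application clears). They survive the clear itself.
CLEARED_IDS = {1102, 104}

def parse_events(text):
    """Parse a JSON-lines export into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events

def find_log_clearing(events, window=timedelta(minutes=5)):
    """Flag clear commands, cleared-log events, and multi-channel wipes in one window."""
    alerts, clears = [], []
    for ev in events:
        m = CLEAR_CMD.search(ev["cmd"])
        if ev["id"] == 4688 and m:
            alerts.append(("wevtutil_clear", ev["ts"], m.group(1)))
            clears.append((ev["ts"], m.group(1).lower()))
        elif ev["id"] in CLEARED_IDS:
            alerts.append(("log_cleared_event", ev["ts"], ev["channel"]))
    # The campaign wiped Security, System and Application back to back; a burst that
    # touches two or more distinct channels is the correlated, high-confidence signal.
    for t0, _ in clears:
        channels = {c for t, c in clears if t0 <= t <= t0 + window}
        if len(channels) >= 2:
            alerts.append(("multi_log_wipe", t0, sorted(channels)))
            break
    return alerts
```

Run `find_log_clearing(parse_events(SAMPLE_EVENTS))` against a real export; the routine query on the last sample line is deliberately not flagged.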
The attacks culminated with the hacking crew stealing passwords and NTLM hashes from the infected hosts. A thorough analysis of the command-and-control (C2) servers associated with the Cobalt Strike tool revealed that the threat actor left the directory listings accessible over the internet, thereby exposing the full suite of adversarial tools and frameworks hosted on Alibaba cloud servers.
Among these tools are Browser Exploitation Framework (BeEF), a publicly available pentesting tool for executing commands within the browser context; Viper C2, a modular C2 framework that facilitates remote command execution and generation of Meterpreter reverse shell payloads; and Blue-Lotus, a JavaScript webshell cross-site scripting (XSS) attack framework that enables the creation of JavaScript web shell payloads to conduct XSS attacks, capture screenshots, obtain a reverse shell, steal browser cookies, and create new accounts in the Content Management System (CMS).
"We assess with moderate confidence that the attacker's motive extends beyond just credential harvesting, based on our observation of other post-exploitation activities, such as establishing persistence, elevating to SYSTEM level privilege, and potential access to adversarial frameworks, indicating the likelihood of future attacks," Raghuprasad noted.
Published: Thu Mar 6 23:24:11 2025 by llama3.2 3B Q4_K_M