A recent malicious campaign targeting organizations in Japan began in January 2025 and has been attributed to an as-yet-unidentified threat group. By exploiting CVE-2024-4577, a vulnerability affecting PHP-CGI on Windows systems, the attackers were able to infiltrate victim machines and execute PowerShell scripts. To maintain control over the compromised systems, the threat actors used Cobalt Strike, specifically leveraging its “TaoWu” plugin for post-exploitation activities.
Upon gaining initial access, the attackers deployed reverse HTTP shellcode payloads through PowerShell scripts, establishing persistent remote access to the compromised machines. They proceeded with reconnaissance, privilege escalation, and lateral movement using various tools such as JuicyPotato, RottenPotato, and SweetPotato. These tools facilitated the escalation of privileges and enabled the attackers to navigate the network in search of additional targets. To avoid detection, the attackers implemented tactics like creating custom services, modifying the Windows Registry, and scheduling tasks to ensure their persistence in the compromised environment.
In an effort to cover their tracks, the threat actors took steps to erase event logs from the victim’s machine. By issuing wevtutil commands, they cleared security, system, and application logs to maintain a low profile. Following this, the attackers utilized Mimikatz commands to extract passwords and NTLM hashes from the memory of the compromised system. These stolen credentials were then sent back to the attackers, providing them with valuable access to the resources and network of the targeted organization.
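As an added example (not part of the original report), the Python sketch below shows how a defender can flag the log-clearing behaviour described above in host telemetry: it matches wevtutil cl/clear-log invocations in process-creation command lines and the audit events Windows itself records when a log is cleared (1102 for the Security log, 104 for the System and Application logs). The event records are constructed samples, not telemetry from the campaign.

```python
import re

# Constructed sample events, shaped like Windows Security 4688 (process creation)
# plus the log-cleared audit events 1102 (Security) and 104 (System/Application).
# These are illustrative records, not telemetry from the campaign described.
SAMPLE_EVENTS = [
    {"EventID": 4688, "CommandLine": "wevtutil cl Security"},
    {"EventID": 4688, "CommandLine": "wevtutil.exe clear-log System"},
    {"EventID": 4688, "CommandLine": "wevtutil qe Application /c:5"},
    {"EventID": 4688, "CommandLine": 'cmd.exe /c "wevtutil cl Application"'},
    {"EventID": 4688, "CommandLine": r"C:\Windows\System32\wevtutil.exe CL security"},
    {"EventID": 1102, "CommandLine": ""},
    {"EventID": 104, "CommandLine": ""},
    {"EventID": 4688, "CommandLine": "powershell.exe -c Get-Date"},
]

# wevtutil accepts the verb as "cl" or "clear-log", case-insensitively, with an
# optional .exe suffix, a possible full path, and the log name possibly quoted.
WEVTUTIL_CLEAR = re.compile(
    r'\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+"?([^\s"]+)', re.IGNORECASE)

# Audit events written by the event log service when a log is cleared.
LOG_CLEARED_EVENT_IDS = {
    1102: "Security log cleared",
    104: "System/Application log cleared",
}


def analyze_event(event):
    """Return a list of (rule, detail) findings for one event; empty means benign."""
    findings = []
    eid = event["EventID"]
    if eid in LOG_CLEARED_EVENT_IDS:
        findings.append(("log_cleared_audit_event", LOG_CLEARED_EVENT_IDS[eid]))
    if eid == 4688:
        # Each match yields the name of the log being cleared.
        for match in WEVTUTIL_CLEAR.finditer(event["CommandLine"]):
            findings.append(("wevtutil_clear_log", match.group(1)))
    return findings


def scan(events):
    """Return (index, findings) for every event that triggers at least one rule."""
    return [(i, found) for i, ev in enumerate(events) if (found := analyze_event(ev))]


if __name__ == "__main__":
    for index, found in scan(SAMPLE_EVENTS):
        print(index, found)
```

Events 1102 and 104 also fire on legitimate administrative clears, so correlate the alert with the invoking account and the time window rather than alerting on the IDs alone.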
Further investigation into the Cobalt Strike command-and-control servers uncovered publicly accessible directories containing a range of adversarial tools. Hosted on Alibaba cloud servers, these tools included BeEF, Viper C2, and Blue-Lotus, which allow the threat actors to execute commands, carry out cross-site scripting attacks, and steal browser cookies. The presence of these tools indicates that the attackers may have broader objectives than harvesting credentials, potentially paving the way for more extensive and sophisticated attacks in the future. With access to multiple adversarial frameworks, the attackers have expanded their capabilities, raising the likelihood of further attacks.
The revelation of this malicious campaign underscores the ongoing threat of cyber attacks targeting organizations, highlighting the importance of robust cybersecurity measures to detect, prevent, and mitigate such incidents. As technology continues to advance, it is essential for businesses and entities to remain vigilant and proactive in safeguarding their networks and data from malicious actors seeking to exploit vulnerabilities for nefarious purposes.