Threat actors of unknown provenance have been attributed to a malicious campaign predominantly targeting organizations in Japan since January 2025.
“The attacker has exploited the vulnerability CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines,” Cisco Talos researcher Chetan Raghuprasad said in a technical report published Thursday.
“The attacker utilizes plugins of the publicly available Cobalt Strike kit ‘TaoWu’ for-post exploitation activities.”
Targets of the malicious activity encompass companies across technology, telecommunications, entertainment, education, and e-commerce sectors in Japan.
It all starts with the threat actors exploiting the CVE-2024-4577 vulnerability to gain initial access and run PowerShell scripts to execute the Cobalt Strike reverse HTTP shellcode payload to grant themselves persistent remote access to the compromised endpoint.
The next step entails carrying out reconnaissance, privilege escalation, and lateral movement using tools like JuicyPotato, RottenPotato, SweetPotato, Fscan, and Seatbelt. Additional persistence is established via Windows Registry modifications, scheduled tasks, and bespoke services using the plugins of the Cobalt Strike kit called TaoWu.
“To maintain stealth, they erase event logs using wevtutil commands, removing traces of their actions from the Windows security, system, and application logs,” Raghuprasad noted. “Eventually, they execute Mimikatz commands to dump and exfiltrate passwords and NTLM hashes from memory on the victim’s machine.”
The attacks culminate with the hacking crew stealing passwords and NTLM hashes from the infected hosts. Further analysis of the command-and-control (C2) servers associated with the Cobalt Strike tool has revealed that the threat actor left the directory listings accessible over the internet, thereby exposing the full suite of adversarial tools and frameworks hosted on the Alibaba cloud servers.
Notable among the tools are listed below –
- Browser Exploitation Framework (BeEF), a publicly available pentesting software for executing commands within the browser context
- Viper C2, a modular C2 framework that facilitates remote command execution and generation of Meterpreter reverse shell payloads
- Blue-Lotus, a JavaScript webshell cross-site scripting (XSS) attack framework that enables the creation of JavaScript web shell payloads to conduct XSS attacks, capture screenshots, obtain reverse shell, steal browser cookies, and create new accounts in the Content Management System (CMS)
“We assess with moderate confidence that the attacker’s motive extends beyond just credential harvesting, based on our observation of other post-exploitation activities, such as establishing persistence, elevating to SYSTEM level privilege, and potential access to adversarial frameworks, indicating the likelihood of future attacks,” Raghuprasad said.
