Image: Cisco Talos
A sophisticated cyberattack campaign targeting organizations across multiple industries in Japan has been uncovered by Cisco Talos. Active since at least January 2025, the attacker exploits a remote code execution (RCE) vulnerability in PHP-CGI on Windows (CVE-2024-4577) to gain unauthorized access, followed by extensive post-exploitation activities, credential theft, and persistent backdoor deployments.
The campaign primarily focuses on organizations across various sectors in Japan, including technology, telecommunications, entertainment, education, and e-commerce. The attackers leverage a publicly available exploit script targeting CVE-2024-4577, an argument-injection flaw in PHP's CGI mode on Windows. The root cause is the Windows "Best-Fit" character mapping in certain locales (Japanese among them): a percent-encoded soft hyphen (byte 0xAD) in the query string is converted to an ASCII "-" before php-cgi parses its command line, so a request can pass php.ini overrides such as auto_prepend_file=php://input and have the PHP code in the request body executed. Servers running Apache with a vulnerable PHP-CGI setup are affected; the issue was fixed in PHP 8.3.8, 8.2.20 and 8.1.29.
Upon successful exploitation, the attackers run a PowerShell script that executes Cobalt Strike reverse HTTP shellcode built with the "TaoWu" Cobalt Strike kit. The resulting beacon gives them remote access to the compromised machine and a platform for further malicious activity.
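The exploitation pattern described above leaves a distinctive trace in the web server's access log, because the injected php-cgi switches travel in the query string. The following Python detector is an added example, not code from the Talos report or the PHP project: it rebuilds the argv that a CGI server derives from a query string (RFC 3875 argument passing, used when the query contains no literal "="), models the Best-Fit soft-hyphen mapping, and flags requests that inject switches or dangerous php.ini overrides. The log lines are constructed samples in Apache combined log format; the hosts, timestamps and user agents are invented.

```python
"""Flag php-cgi argument injection (CVE-2024-4577 and the older CVE-2012-1823
form) in Apache access logs. Added example; not from the Talos report."""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines in Apache combined log format (not real traffic).
# Line 1: soft-hyphen (%AD) variant as used by the public CVE-2024-4577 PoC.
# Line 2: benign request with an ordinary key=value query.
# Line 3: plain "-d" form (the CVE-2012-1823 shape), still worth flagging.
# Line 4: "%ADs" -> "-s", which makes php-cgi dump source instead of running it.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2025:10:15:32 +0900] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [12/Jan/2025:10:16:01 +0900] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jan/2025:10:17:45 +0900] "POST /cgi-bin/php-cgi.exe?-d+allow_url_include%3dOn+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 512 "-" "curl/8.4.0"
192.0.2.55 - - [12/Jan/2025:10:18:12 +0900] "GET /test.php?%ADs HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# php.ini directives that attackers chain to turn the request body into executed PHP.
DANGEROUS_DIRECTIVES = (b"allow_url_include", b"auto_prepend_file", b"auto_append_file")


def cgi_argv(query: str) -> list:
    """Rebuild the argv a CGI server derives from a query string.

    Per RFC 3875 (and Apache mod_cgi), a query string with no literal '='
    is split on '+' and handed to the script as command-line arguments.
    Exploits percent-encode '=' (%3d) precisely to keep this path open.
    """
    if not query or "=" in query:
        return []
    return [unquote_to_bytes(part) for part in query.split("+")]


def best_fit(arg: bytes) -> bytes:
    """Model the Windows Best-Fit conversion CVE-2024-4577 relies on: in
    affected locales (e.g. Japanese CP932) the soft hyphen byte 0xAD is
    mapped to an ASCII '-' before php-cgi parses its arguments. Other
    locales map other characters; this example models only 0xAD (assumption)."""
    return arg.replace(b"\xad", b"-")


def analyze_request(target: str) -> dict:
    """Classify one request target (path?query) taken from the log."""
    path, _, query = target.partition("?")
    raw_argv = cgi_argv(query)
    argv = [best_fit(a) for a in raw_argv]
    switches = [a for a in argv if a.startswith(b"-")]
    # Each "-d" consumes the next argument as a php.ini override.
    directives = [argv[i + 1] for i, a in enumerate(argv) if a == b"-d" and i + 1 < len(argv)]
    dangerous = [d for d in directives if d.split(b"=", 1)[0] in DANGEROUS_DIRECTIVES]
    soft_hyphen = any(b"\xad" in a for a in raw_argv)
    flagged = bool(switches)
    if dangerous:
        severity = "high"      # config override -> code execution from the request body
    elif flagged:
        severity = "medium"    # e.g. "-s" source disclosure or other switch abuse
    else:
        severity = "none"
    return {
        "path": path,
        "flagged": flagged,
        "severity": severity,
        "soft_hyphen": soft_hyphen,
        "switches": switches,
        "directives": directives,
    }


def scan_log(text: str) -> list:
    """Return one finding per log line whose query injects php-cgi switches."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        result = analyze_request(m["target"])
        if result["flagged"]:
            findings.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "analysis": result})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        a = f["analysis"]
        print(f'{f["ts"]} {f["ip"]} {a["severity"]:6} soft_hyphen={a["soft_hyphen"]} '
              f'switches={a["switches"]} directives={a["directives"]}')
```

Two points a practitioner should keep in mind when running something like this over real logs. First, the detector flags any query-string argv element that starts with "-" after Best-Fit normalization, so an ISINDEX-style query such as `?foo+bar` is not flagged, while `?%ADs` is; that is deliberate, because `-s` alone discloses source even without the `-d` chain. Second, the page's fix is the PHP upgrade; the PHP project's advisory also suggests a mod_rewrite rule that rejects query strings beginning with `%ad` as a stopgap, which covers the soft-hyphen form but not a server whose patched PHP is still exposed to other injection shapes, so the log check above is useful even after patching.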
Once inside a victim’s network, the attackers engage in a range of post-exploitation activities, including:
- Privilege Escalation: They use the "Potato" family of token-impersonation tools (Juicy Potato, RottenPotato, SweetPotato), which abuse the SeImpersonatePrivilege typically held by web-server service accounts to obtain SYSTEM-level privileges.
- Persistence: They modify registry keys, add scheduled tasks, and create malicious services to maintain persistent access to the compromised machine.
- Defense Evasion: They clear Windows event logs with wevtutil (for example, `wevtutil cl Security`) to cover their tracks and hinder detection. The clearing itself is recorded: a cleared Security log produces event ID 1102 and a cleared System log event ID 104, which makes these events a reliable hunting signal.
- Discovery and Lateral Movement: They employ fscan.exe to scan the network and Seatbelt.exe to enumerate the compromised host, identifying potential targets for lateral movement. They also attempt to abuse Group Policy Objects using SharpGPOAbuse.exe to execute malicious PowerShell scripts across the domain.
- Credential Theft: They execute Mimikatz commands to dump plaintext passwords and NTLM hashes from LSASS memory on the victim's machine.
The attackers operate two command-and-control (C2) servers hosted on Alibaba Cloud, each running the Cobalt Strike team server. Notably, they inadvertently left directory listing enabled on the web root of one C2 server, exposing crucial information about their infrastructure and tooling.
Among the discovered artifacts was a pre-configured installer script, “LinuxEnvConfig.sh,” downloaded from a repository on the Gitee platform. This script facilitates the setup of various offensive security frameworks and tools, including Vulfocus, Asset Reconnaissance Lighthouse (ARL), Viper C2, Starkiller, BeEF, and Blue-Lotus, packaged as Docker containers in an Alibaba cloud container registry.
While the attackers' identity remains unknown, Cisco Talos notes similarities between their tactics and those used by the hacker group "Dark Cloud Shield" (also known as "You Dun") in 2024. However, Talos stops short of attributing the current attacks to this group, citing the limited scope of observed activities.