Unmasking the new persistent attacks on Japan

SUMMARY :

An unknown attacker has been targeting organizations in Japan since January 2025, exploiting CVE-2024-4577, a remote code execution vulnerability in PHP-CGI on Windows. The attacker uses the Cobalt Strike kit 'TaoWu' for post-exploitation activities, including reconnaissance, privilege escalation, persistence establishment, and credential theft. Targeted sectors include technology, telecommunications, entertainment, education, and e-commerce. The attack involves exploiting the vulnerability, executing PowerShell scripts, and using various tools for system compromise. The attacker's techniques are similar to those of the 'Dark Cloud Shield' group, but attribution remains uncertain. A pre-configured installer script found on the C2 server deploys multiple adversarial tools and frameworks, indicating potential for future attacks.

OPENCTI LABELS :

cobalt strike,powershell,credential theft,persistence,japan,cve-2024-4577,php-cgi,taowu


Open in NetmanageIT OpenCTI Public Instance with below link!


Use public read only username and password on login page.

NOTE : Use Public READ only user credentials on login page banner.


Unmasking the new persistent attacks on Japan