PHP-CGI RCE Flaw Exploited in Attacks on Japan's Tech, Telecom, and E-Commerce Sectors
Briefly

Since January 2025, a campaign has been targeting multiple sectors in Japan, exploiting the CVE-2024-4577 vulnerability in PHP-CGI on Windows. Attackers gain initial access using this flaw, deploy Cobalt Strike for post-exploitation, and engage in reconnaissance, privilege escalation, and lateral movement using various tools. To avoid detection, they erase event logs and ultimately aim to steal sensitive credentials. This operation highlights the sophistication of the threat actors and the vulnerabilities in systems across diverse industries.
The attacker has exploited the vulnerability CVE-2024-4577 in PHP-CGI on Windows to gain access and execute reverse payloads for persistent control.
Many sectors including technology, telecommunications, and education in Japan have been targeted, signaling a broad campaign by unknown threat actors.
After gaining control, attackers utilize Cobalt Strike plugins to conduct reconnaissance, escalate privileges, and maintain a persistent presence within compromised systems.
Stealth operations include erasing event logs to cover their tracks while extracting sensitive credentials and NTLM hashes from compromised machines.
Read at The Hacker News