In a disturbing development for cybersecurity, a campaign attributed to unidentified threat actors has emerged, focusing primarily on organizations in Japan since January 2025. The campaign exploits CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation on Windows, as reported by Cisco Talos researcher Chetan Raghuprasad. The exploit serves as the initial access point for attackers seeking to infiltrate victim networks.
The adversaries are notably utilizing plugins from a publicly available Cobalt Strike kit named ‘TaoWu’ to conduct their post-exploitation maneuvers. Targeted sectors include technology, telecommunications, entertainment, education, and e-commerce, all crucial components of Japan’s economy. Once the attackers gain access through the CVE-2024-4577 vulnerability, they proceed to run PowerShell scripts that execute Cobalt Strike reverse HTTP shellcode, allowing them persistent remote access to compromised endpoints.
The attackers systematically conduct reconnaissance, privilege escalation, and lateral movement through a variety of tools such as JuicyPotato, RottenPotato, SweetPotato, Fscan, and Seatbelt. Additional persistence is established via modifications to the Windows Registry and the creation of scheduled tasks and custom services. To maintain operational stealth, the attackers employ wevtutil commands to erase event logs, effectively covering their tracks in the security, system, and application logs of Windows systems.
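A detection check for the wevtutil log-wiping described above, written here as an added example that is not part of the Talos report: it flags wevtutil clear-log commands in process-creation records and the Windows events (1102 in Security, 104 in System) that a cleared log leaves behind. The sample records are constructed, and the field names are assumptions about an EDR/Sysmon export.

```python
import re

# Matches "wevtutil cl <log>" or "wevtutil clear-log <log>", with an optional
# quoted log name; case-insensitive because attackers vary the casing.
WEVTUTIL_CLEAR = re.compile(
    r'\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(?:"([^"]+)"|(\S+))',
    re.IGNORECASE,
)

# Windows itself records a cleared log: 1102 in Security, 104 in System.
LOG_CLEARED_EVENT_IDS = {1102: "Security", 104: "System"}

# Constructed process-creation records (field names are assumed, not from the report).
SAMPLE_PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil cl Security"},
    {"image": r"C:\Windows\System32\wevtutil.exe", "cmdline": 'wevtutil.exe clear-log "Windows PowerShell"'},
    {"image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil qe Application /c:5"},
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c wevtutil cl Application && wevtutil cl System"},
]

# Constructed Windows event-log records (a benign 4624 logon is included as a control).
SAMPLE_WINDOWS_EVENTS = [
    {"event_id": 1102, "user": "CORP\\svc-web"},
    {"event_id": 4624, "user": "CORP\\alice"},
    {"event_id": 104, "user": "CORP\\svc-web"},
]


def wevtutil_cleared_logs(cmdline):
    """Return every log name a command line asks wevtutil to clear (chained commands included)."""
    return [quoted or bare for quoted, bare in WEVTUTIL_CLEAR.findall(cmdline)]


def flag_log_clearing(process_events, windows_events):
    """Correlate both signals into (source, detail) alerts; an empty list means nothing suspicious."""
    alerts = []
    for ev in process_events:
        for log in wevtutil_cleared_logs(ev["cmdline"]):
            alerts.append(("process", f"{ev['image']} cleared the {log} log"))
    for ev in windows_events:
        channel = LOG_CLEARED_EVENT_IDS.get(ev["event_id"])
        if channel:
            alerts.append(("eventlog", f"event {ev['event_id']}: {channel} log cleared by {ev['user']}"))
    return alerts


if __name__ == "__main__":
    for source, detail in flag_log_clearing(SAMPLE_PROCESS_EVENTS, SAMPLE_WINDOWS_EVENTS):
        print(f"[{source}] {detail}")
```

Because the 1102/104 events are written by the event-log service itself, they survive a `wevtutil cl` of the other channels, so both signals should be forwarded off-host before an attacker can clear them.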
Raghuprasad highlighted that the campaign escalates to the execution of Mimikatz commands, targeting sensitive information such as passwords and NTLM hashes held in the memory of compromised machines. The culmination of these attacks sees threat actors successfully exfiltrating critical credentials, thereby compromising the integrity of the organizations involved.
Further investigations into the command-and-control (C2) servers associated with the Cobalt Strike framework have revealed a significant oversight: the attackers left directory listings open on the internet. This exposure provides insight into a range of adversarial tools and frameworks hosted on Alibaba cloud servers, which could be leveraged for future assaults.
Among the tools identified are the Browser Exploitation Framework (BeEF), designed for executing commands within browser contexts, and Viper C2, a modular framework allowing remote command execution along with the generation of Meterpreter reverse shell payloads. Additionally, Blue-Lotus, a JavaScript webshell framework, facilitates various attacks, including cross-site scripting and browser cookie theft.
Importantly, the motivations of the attackers appear to extend beyond mere credential harvesting. Evidence of activities aimed at achieving SYSTEM-level privilege and establishing long-term persistence suggests a broader strategy for future attacks, raising concerns for organizations operating within the affected sectors.
As cybersecurity threats grow increasingly sophisticated, understanding tactics from the MITRE ATT&CK framework, such as initial access, persistence, privilege escalation, and lateral movement, will be vital for organizations. Continuous vigilance, robust security protocols, and the sharing of threat intelligence can mitigate risks associated with such emerging threats.