Cyber Espionage Campaign Leveraging Web Server Exploits and Credential Theft Tools
Security analysts have uncovered an ongoing cyber campaign that has been targeting organizations in multiple Asian regions, particularly across South, Southeast, and East Asia. The attacks have affected entities operating in critical sectors such as aviation, energy, government services, law enforcement, pharmaceuticals, telecommunications, and technology.
Researchers have grouped this activity under a newly identified threat cluster referred to as CL-UNK-1068. Based on the behavior observed during the attacks, experts believe the operations are primarily motivated by cyber espionage, although the possibility of other objectives such as financial gain has not been completely dismissed.
Initial Compromise Through Web Servers
In many of the investigated incidents, the attackers gained their initial foothold by exploiting vulnerabilities in publicly accessible web servers. Once access was obtained, the attackers deployed web shells that allowed them to remotely interact with the compromised systems.
Among the tools used for this purpose were the web shell frameworks Godzilla and AntSword, each of which pairs a server-side payload with a client that lets the operator execute commands, upload and download files, and keep control of the infected server. A Linux backdoor known as Xnote was also observed in some compromised environments.
To maintain long-term access and route traffic between compromised machines and attacker-controlled infrastructure, the threat actors also used FRP (Fast Reverse Proxy). FRP opens an outbound connection from the compromised host to an attacker-run server and exposes internal services through that tunnel, so inbound firewall rules and network segmentation do little to stop it.
Movement Inside the Network
After gaining access to the initial server, the attackers attempted to explore the internal network and locate systems containing valuable data. This process often involved searching for application files and configuration data stored on web servers.
A common location targeted during these searches was the wwwroot directory, the default web root of Microsoft IIS (typically C:\inetpub\wwwroot). Files the attackers looked for included .config files, .aspx pages, .asmx web services, and the compiled .dll assemblies that back them.
These files can hold connection strings with embedded database passwords, other stored credentials, and the application's internal logic, all of which help an attacker move from the web server to the databases and hosts behind it.
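The practical defender's question raised by this section is which web.config files on a server still store a database password in the clear. The following is an added example (not code from the article or the researchers): it parses a constructed web.config, reports every connection string that carries a Password/Pwd value, and recognises a section that has been protected with ASP.NET's configProtectionProvider (the result of aspnet_regiis -pe), which is what an attacker reading wwwroot would find useless. The sample configs and the status labels are constructed for this example.

```python
"""Audit an ASP.NET web.config for plaintext database credentials.

Added example (not from the original article): attackers who reach a
wwwroot directory look for exactly these strings, so a defender should
know which configs still hold them. All input below is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: two plaintext connection strings and one that
# uses integrated authentication (no secret embedded).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="MainDb"
         connectionString="Server=sql01;Database=app;User Id=appsvc;Password=S3cret!" />
    <add name="Reporting"
         connectionString="Data Source=sql02;Initial Catalog=reports;Integrated Security=SSPI" />
    <add name="Legacy"
         connectionString="Server=sql03;Database=old;uid=sa;pwd=admin123" />
  </connectionStrings>
</configuration>
"""

# Constructed sample of a section protected with aspnet_regiis -pe
# (a real encrypted payload is much longer; shortened here).
SAMPLE_PROTECTED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                   xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>AQAAANCMnd8BFdERjHoAwE</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>
"""

# Connection-string keys that carry a secret (compared case-insensitively).
SECRET_KEYS = {"password", "pwd"}


def parse_connection_string(value):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = {}
    for part in value.split(";"):
        if "=" in part:
            key, _, val = part.partition("=")
            pairs[key.strip().lower()] = val.strip()
    return pairs


def audit_web_config(xml_text):
    """Return a list of (name, status) for every connection string.

    status is one of:
      'encrypted'  - the section is protected; nothing readable on disk
      'plaintext'  - a Password/Pwd value is stored in the clear
      'no-secret'  - no password key present (e.g. integrated auth)
    """
    root = ET.fromstring(xml_text)
    section = root.find("connectionStrings")
    if section is None:
        return []
    if section.get("configProtectionProvider"):
        # Protected section: the cleartext is only recoverable through
        # the machine's DPAPI/RSA key container, not by reading the file.
        return [("<section>", "encrypted")]
    findings = []
    for add in section.findall("add"):
        name = add.get("name", "?")
        fields = parse_connection_string(add.get("connectionString", ""))
        if any(fields.get(k) for k in SECRET_KEYS):
            findings.append((name, "plaintext"))
        else:
            findings.append((name, "no-secret"))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_WEB_CONFIG, SAMPLE_PROTECTED_CONFIG):
        for name, status in audit_web_config(sample):
            print(f"{status:10} {name}")
```

Run it over every web.config under the web root (for example with os.walk) and treat each 'plaintext' hit as a credential that is already exposed to anyone who can read the file through a web shell.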
Data Collection and Extraction
The attackers were also observed collecting different types of files from compromised systems, including browser history and activity records, spreadsheet and CSV files, and database backups from Microsoft SQL Server instances.
Rather than opening a new outbound connection to move the stolen data, the attackers sometimes staged it in a way that blends into normal web traffic. Collected files were first compressed with WinRAR and the resulting archive was then Base64-encoded with the built-in Windows utility certutil (certutil -encode <input> <output>).
The encoded text could then be read back through the web shell, so the data left the network inside ordinary HTTP responses from a legitimate server rather than as a recognisable archive transfer or a connection to an unfamiliar host. This is why it tends to slip past data loss prevention and egress monitoring that looks for large binary uploads or new outbound destinations.
Credential Harvesting Techniques
Another important part of the attack involved obtaining login credentials from compromised machines. To achieve this, the attackers deployed tools that extract authentication data from process memory and from the logon path itself.
The main tool used was Mimikatz, widely known for recovering plaintext passwords, NTLM hashes, and Kerberos tickets and tokens from the memory of the LSASS process on Windows systems.
Other utilities observed in the campaign included LsaRecorder, which captures credentials as they pass through authentication events, together with memory acquisition and analysis tools: DumpItForLinux to capture the memory of Linux hosts and the Volatility Framework to analyse the resulting images offline. The attackers also attempted to recover credentials saved in SQL Server Management Studio, which would give them direct access to databases and the other systems those accounts reach.
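The staging chain in the previous section (WinRAR, then certutil -encode, with the output written into the web root and read back through the web shell) and the credential-theft tooling described here both leave a recognisable trail in process-creation telemetry. The following detection logic is an added example written for this page, not detection content from the article or any vendor. It runs over a constructed set of Sysmon Event ID 1-style events (field names ProcessId, ParentProcessId, Image, ParentImage and CommandLine are assumptions about the log format), walks the parent chain to find processes descended from the IIS worker w3wp.exe, and flags archiver and certutil -encode activity under that lineage, staging files under wwwroot, and Mimikatz module syntax on the command line (sekurlsa:: and lsadump:: are genuine Mimikatz module prefixes; the rule names are invented for this example). It goes a little beyond the article by checking full ancestry rather than only the immediate parent.

```python
"""Flag web-shell, exfiltration-staging and credential-theft process
activity in process-creation logs.

Added example (not from the article or any vendor). The events are
constructed to resemble Sysmon Event ID 1 fields; the field and rule
names are assumptions made for this example.
"""
import ntpath

# Constructed sample events: a web-shell lineage under w3wp.exe plus
# two benign processes that must not be flagged.
EVENTS = [
    {"ProcessId": 4400, "ParentProcessId": 900,
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r'w3wp.exe -ap "DefaultAppPool"'},
    {"ProcessId": 4412, "ParentProcessId": 4400,
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "whoami"'},
    {"ProcessId": 4420, "ParentProcessId": 4412,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r"Rar.exe a C:\inetpub\wwwroot\t.rar C:\dumps\*.bak"},
    {"ProcessId": 4431, "ParentProcessId": 4412,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -encode C:\inetpub\wwwroot\t.rar C:\inetpub\wwwroot\t.txt"},
    {"ProcessId": 5002, "ParentProcessId": 4412,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\Public\m.exe",
     "CommandLine": r'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"ProcessId": 6100, "ParentProcessId": 6000,      # benign certutil use
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -verify cert.cer"},
    {"ProcessId": 6200, "ParentProcessId": 900,       # ordinary service host
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"svchost.exe -k netsvcs"},
]

WEB_WORKERS = {"w3wp.exe"}                          # IIS worker process
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
ARCHIVERS = {"rar.exe", "winrar.exe"}
# Mimikatz module syntax survives even when the binary is renamed.
MIMIKATZ_MARKERS = ("sekurlsa::", "lsadump::", "privilege::debug")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def descends_from_web_worker(pid, by_pid):
    """Follow ParentProcessId links; True if any ancestor is a web worker."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        if basename(ev["Image"]) in WEB_WORKERS:
            return True
        pid = ev["ParentProcessId"]
    return False


def detect(events):
    """Return (ProcessId, rule) tuples; one event may match several rules."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    hits = []
    for ev in events:
        pid = ev["ProcessId"]
        parent = basename(ev["ParentImage"])
        image = basename(ev["Image"])
        cmd = ev["CommandLine"].lower()
        from_web = descends_from_web_worker(ev["ParentProcessId"], by_pid)
        if image in SHELLS and parent in WEB_WORKERS:
            hits.append((pid, "web_worker_spawned_shell"))
        if image == "certutil.exe" and "-encode" in cmd:
            hits.append((pid, "certutil_encode_from_web_worker" if from_web
                              else "certutil_encode"))
        if image in ARCHIVERS and from_web:
            hits.append((pid, "archiver_under_web_worker"))
        if from_web and "wwwroot" in cmd and image in ARCHIVERS | {"certutil.exe"}:
            hits.append((pid, "staging_file_in_webroot"))
        if any(marker in cmd for marker in MIMIKATZ_MARKERS):
            hits.append((pid, "mimikatz_command_syntax"))
    return hits


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"{pid:6} {rule}")
```

The ancestry walk is what separates the malicious certutil -encode (pid 4431, two hops below w3wp.exe) from the benign one launched from Explorer; a rule on certutil alone would fire on both. The same lineage check is the natural place to add the page's other tools, but only once their actual command lines have been observed, since matching on guessed strings produces noise rather than detections.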
Final Observations
This campaign demonstrates how threat actors combine multiple techniques to maintain stealth and persistence inside compromised networks. By exploiting web servers, installing remote access tools, collecting credentials, and using discreet methods to retrieve stolen data, attackers can remain undetected for extended periods.
The use of both legitimate system utilities and publicly available offensive tools further complicates detection efforts, highlighting the importance of continuous monitoring and strong security controls in organizations that manage critical infrastructure.