In June 2025 researchers documented a campaign that breaches vulnerable South-Korean IIS web servers, and sometimes adjacent Linux hosts, by uploading ASP/ASPX web shells through file-upload flaws. Once the shell is in place, the operators fan out: they run basic host discovery commands, scan the internal network with Fscan, and escalate privileges with PowerLadon's SweetPotato module. The web shell runs inside the IIS worker process w3wp.exe under a low-privilege application-pool identity, but that identity holds SeImpersonatePrivilege, which SweetPotato abuses to launch commands as NT AUTHORITY\SYSTEM. For defenders, the tell is the lineage rather than the tool name: w3wp.exe almost never legitimately spawns cmd.exe or PowerShell, and a SYSTEM process descending from an app-pool account is a strong escalation signal. Evidence shows the same infrastructure distributes an ELF build of WogRAT, tying the intrusion to an actor previously seen abusing the aNotepad service and indicating a cross-platform focus.
With SYSTEM-level access secured, the attackers install two command-and-control backdoors, SuperShell (a Go-based reverse shell) and MeshAgent (remote desktop and file transfer), plus a generic proxy tool, giving them an interactive shell and remote-desktop (RDP/VNC) access into the environment. They harvest credentials with Network Password Dump, then pivot laterally using WMIExec and Ladon modules (e.g., Runas, MssqlCmd) to reach other Windows hosts and MS-SQL servers. On a target of WMI-based execution the spawned shell appears as a child of WmiPrvSE.exe, which is the counterpart indicator to the w3wp.exe lineage on the initial web server.
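The following is an added detection example, not code from the report or from any of the tools it names. It encodes the three lineage signals described above (a shell or discovery utility under w3wp.exe, the first SYSTEM process descending from the app-pool identity, and a shell spawned by WmiPrvSE.exe) as rules over Sysmon-style process-creation events. The `ProcEvent` schema, the rule names, and every event in `SAMPLE_EVENTS` (hosts, PIDs, users, command lines, the renamed `f.exe` and `sp.exe` binaries) are constructed for this example. Matching is deliberately keyed on parent chain and token user rather than on file names such as fscan.exe, because those are trivially renamed.

```python
"""Added example: flag the web shell -> SweetPotato -> WMIExec chain over
Sysmon-style process-creation events. All sample data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str      # lowercase basename of the executable, e.g. "w3wp.exe"
    user: str       # token user, e.g. r"IIS APPPOOL\DefaultAppPool"
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    pid: int
    cmdline: str


WEB_WORKER = "w3wp.exe"            # IIS worker process that hosts the web shell
WMI_PROVIDER_HOST = "wmiprvse.exe"  # parent of anything started via Win32_Process.Create
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DISCOVERY = {"whoami.exe", "hostname.exe", "ipconfig.exe", "net.exe",
             "systeminfo.exe", "tasklist.exe", "netstat.exe"}
SUSPICIOUS_CHILDREN = SHELLS | DISCOVERY


def is_system(user: str) -> bool:
    return user.upper().endswith("\\SYSTEM")


def ancestors(e: ProcEvent, index: dict, max_depth: int = 16) -> list:
    """Parent chain of e on the same host, nearest parent first."""
    cur, chain = e, []
    for _ in range(max_depth):
        parent = index.get((cur.host, cur.ppid))
        if parent is None:
            break
        chain.append(parent)
        cur = parent
    return chain


def detect(events: list) -> list:
    index = {(e.host, e.pid): e for e in events}
    findings = []
    for e in events:
        chain = ancestors(e, index)
        parent = chain[0] if chain else None
        from_iis = any(p.image == WEB_WORKER for p in chain)
        # Rule 1: web-shell execution. A shell or discovery utility anywhere
        # under the IIS worker process; the scanner itself may be renamed.
        if from_iis and e.image in SUSPICIOUS_CHILDREN:
            findings.append(Finding("webshell_exec", e.host, e.pid, e.cmdline))
        # Rule 2: potato-style escalation. First SYSTEM process in a lineage
        # that started under the low-privilege app-pool identity.
        if from_iis and is_system(e.user) and parent and not is_system(parent.user):
            findings.append(Finding("iis_to_system", e.host, e.pid, e.cmdline))
        # Rule 3: WMI remote execution on the target. WmiPrvSE.exe spawning a
        # shell; wmiexec-style tooling also redirects output to an ADMIN$ share.
        if parent and parent.image == WMI_PROVIDER_HOST and e.image in SHELLS:
            findings.append(Finding("wmi_remote_exec", e.host, e.pid, e.cmdline))
    return findings


APPPOOL = r"IIS APPPOOL\DefaultAppPool"
SYSTEM = r"NT AUTHORITY\SYSTEM"
SAMPLE_EVENTS = [  # constructed telemetry for two hosts
    ProcEvent("web01", 1200, 800, "w3wp.exe", APPPOOL, "w3wp.exe -ap DefaultAppPool"),
    ProcEvent("web01", 1300, 1200, "cmd.exe", APPPOOL, "cmd.exe /c whoami"),
    ProcEvent("web01", 1310, 1300, "whoami.exe", APPPOOL, "whoami"),
    ProcEvent("web01", 1400, 1200, "cmd.exe", APPPOOL,
              "cmd.exe /c C:\\inetpub\\wwwroot\\upload\\f.exe -h 10.0.0.0/24"),
    ProcEvent("web01", 1410, 1400, "f.exe", APPPOOL, "f.exe -h 10.0.0.0/24"),  # renamed scanner
    ProcEvent("web01", 1500, 1200, "sp.exe", APPPOOL, 'sp.exe -p cmd.exe -a "/c whoami"'),  # renamed potato
    ProcEvent("web01", 1510, 1500, "cmd.exe", SYSTEM, "cmd.exe /c whoami"),  # now SYSTEM
    ProcEvent("web01", 1600, 1200, "csc.exe", APPPOOL, "csc.exe /noconfig"),  # benign ASP.NET compile
    ProcEvent("db01", 2000, 700, "wmiprvse.exe", r"NT AUTHORITY\NETWORK SERVICE",
              "wmiprvse.exe -secured -Embedding"),
    ProcEvent("db01", 2100, 2000, "cmd.exe", r"CORP\svc-backup",
              "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1718 2>&1"),
    ProcEvent("db01", 3000, 2900, "cmd.exe", r"CORP\alice", "cmd.exe"),  # benign, parent unknown
]


def summary(events: list = SAMPLE_EVENTS) -> dict:
    """Map rule name -> sorted (host, pid) pairs it fired on."""
    out = {}
    for f in detect(events):
        out.setdefault(f.rule, []).append((f.host, f.pid))
    return {rule: sorted(hits) for rule, hits in out.items()}


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.rule:<16} {f.host} pid={f.pid} {f.cmdline}")
```

Run as a script it lists one line per hit: four `webshell_exec` hits on web01 (the two cmd.exe children of w3wp.exe, the whoami.exe grandchild, and the SYSTEM cmd.exe), one `iis_to_system` hit for pid 1510, and one `wmi_remote_exec` hit for the WmiPrvSE.exe child on db01; the renamed scanner, the benign csc.exe compile, and the interactive cmd.exe with no recorded parent produce nothing. In production the same rules translate directly to a SIEM query over Sysmon event ID 1 (ParentImage, Image, User fields).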