Researchers identified an ongoing attack campaign targeting organizations in Japan across sectors like technology, telecommunications, education, entertainment, and e-commerce. Active since at least January 2025, the attacker exploits CVE-2024-4577, a critical PHP-CGI remote code execution (RCE) vulnerability in Windows environments, to gain initial access. Post-compromise, the attacker uses Cobalt Strike TaoWu plugins and a toolset hosted on Alibaba Cloud, enabling persistence, credential theft, and lateral movement across compromised networks.
The attack leverages CVE-2024-4577, exploiting the PHP-CGI implementation on Windows servers. This vulnerability stems from Windows' "Best-Fit" behavior in handling code pages, which allows malformed inputs to be misinterpreted as PHP options. Public exploit scripts, like PHP-CGI_CVE-2024-4577_RCE.py, automate the exploitation, sending crafted POST requests to vulnerable URLs. If the target is exploitable, attackers inject PHP code that triggers PowerShell-based payload retrieval from a command-and-control (C2) server. This process results in Cobalt Strike reverse HTTP shellcode being loaded directly into memory, establishing remote access.
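As an added example that is not part of the report, the Python below scans constructed web-server access-log lines for the CVE-2024-4577 Best-Fit signature: the percent-encoded soft hyphen (0xAD), which affected Windows code pages such as 932 silently convert to an ASCII '-', so that a query string byte pair "0xAD + letter" reaches php-cgi looking like a command-line option. The log lines and function names are assumptions made for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed Apache/IIS-style access-log lines for illustration (not from the report).
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Jan/2025:03:14:07 +0900] "GET /index.php?page=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Jan/2025:03:15:22 +0900] "POST /php-cgi/php-cgi.exe?%ADd+display_errors%3d1 HTTP/1.1" 200 77',
    '10.0.0.9 - - [12/Jan/2025:03:15:23 +0900] "POST /test.php?%adD+cgi.force_redirect%3d0 HTTP/1.1" 200 77',
    '10.0.0.7 - - [12/Jan/2025:03:16:01 +0900] "GET /search.php?q=caf%C3%A9 HTTP/1.1" 200 2048',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# 0xAD is the soft hyphen. Under Windows "Best-Fit" conversion in code pages such
# as 932 (Japanese) it is mapped to ASCII '-', so "%ADd" reaches php-cgi as "-d".
# Matching on the decoded bytes catches both upper- and lower-case percent encoding.
SOFT_HYPHEN_OPTION = re.compile(rb"\xad[A-Za-z]")


def is_soft_hyphen_option(query: str) -> bool:
    """True if the percent-decoded query contains a soft hyphen followed by a letter."""
    return SOFT_HYPHEN_OPTION.search(unquote_to_bytes(query)) is not None


def find_cve_2024_4577_attempts(lines):
    """Return one dict per request whose query string matches the soft-hyphen pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        path, _, query = m.group("target").partition("?")
        if query and is_soft_hyphen_option(query):
            hits.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "method": m.group("method"),
                "path": path,
                "query_bytes": unquote_to_bytes(query),
                "status": int(m.group("status")),
            })
    return hits


if __name__ == "__main__":
    for hit in find_cve_2024_4577_attempts(SAMPLE_LOGS):
        print(f"{hit['timestamp']} {hit['ip']} {hit['method']} {hit['path']} {hit['query_bytes']!r}")
```

A 200 response on a flagged request is worth treating as a likely successful exploitation attempt, and the source IP can then be pivoted into PowerShell and process-creation telemetry for the follow-on payload retrieval the report describes.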
Once inside, the attacker performs extensive post-exploitation using TaoWu plugins. Privilege escalation is achieved through "Potato" exploits (JuicyPotato, RottenPotato, SweetPotato), allowing SYSTEM-level access. Persistence is established by modifying registry keys, creating scheduled tasks, and deploying malicious services using tools like sharpTask.exe, SharpHide.exe, and SharpStay.exe. The attacker also erases Windows event logs (wevtutil), performs reconnaissance with fscan.exe and Seatbelt.exe, and leverages SharpGPOAbuse.exe to weaponize Group Policy Objects for lateral movement. Finally, credentials are dumped via Mimikatz and exfiltrated over the established C2 channel.