Researchers identified an ongoing attack campaign targeting organizations in Japan across sectors like technology, telecommunications, education, entertainment, and e-commerce. Active since at least January 2025, the attacker exploits CVE-2024-4577, a critical PHP-CGI remote code execution (RCE) vulnerability in Windows environments, to gain initial access. Post-compromise, the attacker uses Cobalt Strike TaoWu plugins and a toolset hosted on Alibaba Cloud, enabling persistence, credential theft, and lateral movement across compromised networks.
The attack leverages CVE-2024-4577, exploiting the PHP-CGI implementation on Windows servers. This vulnerability stems from Windows' "Best-Fit" behavior in handling code pages, which allows malformed inputs to be misinterpreted as PHP options. Public exploit scripts, like PHP-CGI_CVE-2024-4577_RCE.py, automate the exploitation, sending crafted POST requests to vulnerable URLs. If the target is exploitable, attackers inject PHP code that triggers PowerShell-based payload retrieval from a command-and-control (C2) server. This process results in Cobalt Strike reverse HTTP shellcode being loaded directly into memory, establishing remote access.
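As an added example, not code from the original report, the following Python detector flags CVE-2024-4577-style requests in web server access logs: it percent-decodes the query string of requests to PHP-CGI paths, looks for the 0xAD soft-hyphen byte that Windows Best-Fit mapping collapses to "-", and then checks that the collapsed text actually starts a PHP option, so legitimate UTF-8 text that merely contains an 0xAD byte is not flagged. It assumes Apache combined log format; the log lines are constructed sample input.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed Apache combined-log lines (not real traffic) used as sample input.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2025:10:01:22 +0900] "GET /index.php?page=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Mar/2025:10:01:25 +0900] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3d1 HTTP/1.1" 200 1024 "-" "python-requests/2.31"
203.0.113.12 - - [12/Mar/2025:10:01:30 +0900] "POST /test.php?%ADd+cgi.force_redirect%3D0 HTTP/1.1" 200 64 "-" "curl/8.0"
203.0.113.13 - - [12/Mar/2025:10:02:01 +0900] "GET /search.php?q=%E0%AD%8D HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)
PHP_PATH_RE = re.compile(r'\.php\d?$|php-cgi', re.IGNORECASE)
SOFT_HYPHEN = 0xAD  # Best-Fit maps this byte to '-' (0x2D), turning query text into CLI options


def parse_log_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_cve_2024_4577_attempt(uri):
    """True if the request URI carries a soft hyphen that collapses into a PHP-CGI option."""
    path, _, query = uri.partition('?')
    if not query or not PHP_PATH_RE.search(path):
        return False
    raw = unquote_to_bytes(query)          # percent-decode to bytes; '+' is left as-is
    if SOFT_HYPHEN not in raw:
        return False
    # Simulate the Best-Fit collapse so the resulting option string can be inspected.
    collapsed = raw.replace(bytes([SOFT_HYPHEN]), b'-').decode('latin-1')
    # An option must start the query or follow a separator; 0xAD inside a
    # multi-byte UTF-8 sequence (e.g. %E0%AD%8D) is preceded by a lead byte and is ignored.
    return bool(re.search(r'(^|\s|\+)-[a-zA-Z]', collapsed))


def scan(log_text):
    """Return (client_ip, uri) for every log line that looks like an exploitation attempt."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and is_cve_2024_4577_attempt(rec['uri']):
            hits.append((rec['ip'], rec['uri']))
    return hits


if __name__ == '__main__':
    for ip, uri in scan(SAMPLE_LOG):
        print(f'CVE-2024-4577 pattern from {ip}: {uri}')
```

Servers that have applied the PHP fix still log these attempts, so the same check is useful for spotting which exposed hosts are being probed.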
Once inside, the attacker performs extensive post-exploitation using TaoWu plugins. Privilege escalation is achieved through "Potato" exploits (JuicyPotato, RottenPotato, SweetPotato), allowing SYSTEM-level access. Persistence is established by modifying registry keys, creating scheduled tasks, and deploying malicious services using tools like sharpTask.exe, SharpHide.exe, and SharpStay.exe. The attacker also erases Windows event logs (wevtutil), performs reconnaissance with fscan.exe and Seatbelt.exe, and leverages SharpGPOAbuse.exe to weaponize Group Policy Objects for lateral movement. Finally, credentials are dumped via Mimikatz and exfiltrated over the established C2 channel.