Linux Cryptographic Code Flaw Offers Fast Route to Root
A local privilege escalation (LPE) vulnerability, dubbed Copy Fail (CVE-2026-31431), has been identified in the Linux kernel's `authencesn` cryptographic template. This logic flaw allows an unprivileged local user to write four controlled bytes into the page cache of any readable file on a Linux system, which can be leveraged to gain root access by modifying a setuid binary. A 10-line Python script serves as a proof of concept, capable of exploiting this vulnerability on nearly all Linux distributions released since 2017. While similar to Dirty Cow and Dirty Pipe, Copy Fail is more broadly applicable and does not require winning a race condition. Although not remotely exploitable on its own, it can be chained with an initial access vector such as a remote code execution flaw or a compromised SSH account. This high-severity flaw (CVSS 7.8) is particularly concerning for multi-tenant Linux systems, shared-kernel containers, and CI runners, and presents a potential container escape primitive for Kubernetes nodes because the page cache is shared by every container on a node. Major Linux distributions, including Debian, Ubuntu, SUSE, and Red Hat, have begun issuing patches to address this issue, which was discovered by Theori researcher Taeyang Lee.
Severity: Critical
Threat Details and IOCs
| Malware: | Mini Shai-Hulud, Ransomware Evil, REvil, Sha1-Hulud: The Second Coming, Shai-Hulud, Shai-Hulud 2.0, Shai-Hulud 3.0, Sodinokibi, WanaCrypt0r 2.0, WannaCry, WannaCrypt, WCry |
|---|---|
| CVEs: | CVE-2016-5195, CVE-2022-0847, CVE-2026-31431 |
| Technologies: | Amazon Linux, Arch Linux, Debian, Docker, Fedora, GitHub Actions, GitLab, Jenkins, Kubernetes, Linux, Linux kernel, Red Hat Enterprise Linux, Rocky Enterprise Software Foundation Rocky Linux, Rocky Linux, SUSE Linux Enterprise, Ubuntu |
| Attacker Domains: | copy[.]fail |
| Attacker URLs: | hxxps[://]copy[.]fail/, hxxps[://]copy[.]fail/#contact, hxxps[://]copy[.]fail/exp, hxxps[://]copy[.]fail/public/demo.mp4, hxxps[://]github[.]com/mhdgning131/CVE-2026-31431_poc.git, hxxps[://]github[.]com/theori-io/copy-fail-CVE-2026-31431, hxxps[://]github[.]com/theori-io/copy-fail-CVE-2026-31431/blob/main/copy_fail_exp.py, hxxps[://]www[.]openwall[.]com/lists/oss-security/2026/04/29/23, hxxps[://]xint[.]io/blog/copy-fail-linux-distributions |
| Attacker Hashes: | 1111111111111111111111111111111111111111111111111111111111111111, 19991118784b8969881432414811418151851111, 299c53293f32a67311514f5338125338, 72548b093ee38a6d4f2a19e6ef1948ae05c181f7, a567d09b15f6e4440e70c9f2aa8edec8ed59f53301952df05c719aa3911687f9 |
| Victim Industries: | Cloud Infrastructure, Government, Healthcare, Information Technology, Software, Technology Hardware, Web Hosting |
| Victim Countries: | Germany, Luxembourg, Norway, South Korea, United Kingdom, United States |
Mitigation Advice
- Apply the latest kernel security patches for CVE-2026-31431 to all affected Linux distributions, including Debian, Ubuntu, SUSE, and Red Hat.
- Initiate authenticated scans using your vulnerability management tool across all Linux hosts to identify systems vulnerable to CVE-2026-31431.
- Prioritize patching for systems identified as multi-tenant hosts, container hosts (especially Kubernetes nodes), and CI/CD runners to mitigate the highest-risk scenarios first.
- Configure your SIEM or log management platform to generate alerts for kernel log entries that contain errors referencing 'algif_aead' or 'AEAD socket operations' to detect potential exploitation of CVE-2026-31431.
Compliance Best Practices
- Investigate and pilot sandboxed container technologies, such as gVisor or Firecracker, for workloads that process untrusted input to provide stronger kernel isolation and reduce the risk of container escapes from kernel vulnerabilities.
- Establish a recurring program to review and enforce the principle of least privilege for user and service accounts on all Linux systems, particularly on shared or multi-tenant hosts.
- Evaluate and deploy a kernel runtime integrity monitoring solution to detect unauthorized in-memory modifications and suspicious kernel-level activity, providing a layer of defense against memory-based exploits like 'Copy Fail'.
- Implement a formal, recurring security review and hardening process for all external-facing services, including web applications, CI/CD systems, and remote access points like SSH, to minimize the risk of an initial compromise.
cPanel, WHM Emergency Update Fixes Critical Auth Bypass Bug
A critical authentication bypass vulnerability, identified as CVE-2026-41940 with a severity score of 9.8, affects cPanel and WebHost Manager (WHM) versions prior to the latest emergency updates. This flaw permits unauthenticated access to the control panel, enabling attackers to gain full control over hosting accounts, including websites, data, and email, or even the entire server if WHM is compromised. Such access allows for planting backdoors, redirecting users to malicious sites, data theft, sending spam, or establishing persistent server access for various illicit activities. Patched versions include 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.136.0.5, and 11.134.0.20. Administrators are advised to immediately apply the update by executing the command `/scripts/upcp --force`, and those on unsupported versions should upgrade to a supported release.
Severity: Critical
Threat Details and IOCs
| CVEs: | CVE-2026-41940 |
|---|---|
| Technologies: | cPanel, Linux |
| Attacker IPs: | 100[.]96[.]3[.]23 |
| Attacker URLs: | /cpsess0228251236/, /cpsess0228251236/json-api/version, / HTTP/1.1, hxxps[://]github[.]com/debugactiveprocess/cPanel-WHM-AuthBypass-Session-Checker, hxxps[://]github[.]com/Sachinart/CVE-2026-41940-cpanel-0day, hxxps[://]github[.]com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py, /json-api/version, /login/?login_only=1, /scripts2/listaccts |
| Victim Industries: | Computing Infrastructure Providers, Data Processing, Web Hosting, and Related Services, Education, Healthcare, Information Technology, Internet & Cloud Services, Managed Service Providers, Software, Web Hosting |
| Victim Countries: | Australia, Austria, Barbados, Belgium, Brazil, Bulgaria, Canada, China, Congo, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, India, Indonesia, Ireland, Israel, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Nigeria, Poland, Portugal, Romania, Slovakia, Slovenia, South Africa, Spain, Sweden, United Kingdom, United States |
Mitigation Advice
- On all servers running cPanel and WHM, execute the command `/scripts/upcp --force` to force an update to a patched version.
- Identify all servers running unsupported versions of cPanel and WHM and upgrade them to a supported version immediately to enable security patching.
- If patching cannot be performed immediately, block inbound traffic from the internet to TCP ports 2083, 2087, 2095, and 2096 on all servers running cPanel and WHM.
- Review cPanel, WHM, and server authentication logs for any unexpected or unauthorized logins, especially from unfamiliar IP addresses, that occurred before the patch was applied.
- Scan all web-accessible directories on cPanel and WHM servers for newly created or recently modified files, looking for potential web shells or other backdoors.
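One way to carry out the log review above, as an added example that is not part of the original advisory: it hunts a cPanel/WHM access log for successful requests to the WHM API paths listed among the indicators (/json-api/, /scripts2/) that come from outside a trusted admin network, carry no authenticated user, or originate from the published attacker IP. The log lines are constructed in a Common Log Format style, which is an assumption about the real log layout, and the trusted network 10.0.0.0/8 is a placeholder.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# WHM API path prefixes that appear in the indicator list for CVE-2026-41940.
SENSITIVE_PATHS = ("/json-api/", "/scripts2/")
# Attacker IP listed in the advisory.
KNOWN_BAD_IPS = {"100.96.3.23"}

# cPanel prefixes authenticated requests with a session token path segment,
# e.g. /cpsess0228251236/json-api/version; strip it so paths can be matched.
SESSION_RE = re.compile(r"^/(cpsess\d+)(/.*)$")
# Common Log Format style request line (assumed layout for this example).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one normal admin session from the trusted network,
# one unauthenticated sequence from the indicator IP, and noise.
SAMPLE_LOG = """\
203.0.113.10 - admin [29/Apr/2026:08:01:12 +0000] "GET /login/?login_only=1 HTTP/1.1" 200 512
100.96.3.23 - - [29/Apr/2026:08:02:01 +0000] "GET /cpsess0228251236/json-api/version HTTP/1.1" 200 210
100.96.3.23 - - [29/Apr/2026:08:02:03 +0000] "GET /cpsess0228251236/scripts2/listaccts HTTP/1.1" 200 8192
10.0.0.5 - root [29/Apr/2026:08:10:44 +0000] "GET /cpsess1234567890/json-api/version HTTP/1.1" 200 210
198.51.100.7 - - [29/Apr/2026:08:11:00 +0000] "GET /favicon.ico HTTP/1.1" 404 0
"""


@dataclass
class Finding:
    ip: str
    timestamp: str
    path: str
    session: str
    reasons: tuple


def split_session(path):
    """Return (session_token, path_without_token); token is '' if absent."""
    m = SESSION_RE.match(path)
    if m:
        return m.group(1), m.group(2)
    return "", path


def hunt(log_text, trusted_nets=("10.0.0.0/8",)):
    """Flag successful WHM API requests that look like they bypassed auth."""
    nets = [ip_network(n) for n in trusted_nets]
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        session, path = split_session(m["path"])
        if m["status"] != "200" or not path.startswith(SENSITIVE_PATHS):
            continue
        ip = m["ip"]
        reasons = []
        if ip in KNOWN_BAD_IPS:
            reasons.append("source IP is a published indicator")
        if not any(ip_address(ip) in n for n in nets):
            reasons.append("source IP outside trusted admin networks")
        if m["user"] == "-":
            reasons.append("no authenticated user recorded")
        if reasons:
            findings.append(Finding(ip, m["ts"], path, session, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.timestamp} {f.ip} {f.session} {f.path}: {', '.join(f.reasons)}")
```

The session token is kept in each finding so an analyst can pivot to every other request made under the same cpsess value.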
Compliance Best Practices
- Establish and enforce a patch management policy that defines timelines for applying critical security updates to all internet-facing systems, including web hosting control panels like cPanel and WHM.
- Configure network firewalls to restrict access to administrative interfaces, including cPanel (port 2083) and WHM (port 2087), to only trusted IP addresses, such as corporate VPNs or specific administrative workstations.
- Implement a routine, authenticated vulnerability scanning program to regularly assess all servers, including those running cPanel and WHM, to identify missing patches and other security weaknesses.
- Develop and maintain a comprehensive inventory of all hardware and software assets, including details on software versions like cPanel/WHM, to quickly identify systems affected by future vulnerabilities.
- Implement network segmentation to isolate web hosting environments from internal corporate networks and to separate different hosting clients from each other, limiting the potential impact of a server compromise.
CVE-2026-4670: Improper Authentication Vulnerability in Progress MOVEit Automation [CRITICAL] CVSS 9.8
A critical improper authentication vulnerability, identified as CVE-2026-4670, exists in Progress Software MOVEit Automation and allows authentication bypass. The flaw affects MOVEit Automation versions from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, and all versions prior to 2024.0.0. With a CVSS v3 score of 9.8, the vulnerability is remotely exploitable without authentication or user interaction (AV:N/AC:L/PR:N/UI:N) and can lead to complete compromise of confidentiality, integrity, and availability (C:H/I:H/A:H). The issue is categorized under CWE-305 (Authentication Bypass by Primary Weakness) and is considered automatable for exploitation.
Severity: Critical
Threat Details and IOCs
| CVEs: | CVE-2026-4670, CVE-2026-5174, CVE-2026-7420 |
|---|---|
| Technologies: | Progress MOVEit Automation |
| Victim Industries: | Education, Financial Services, Government, Healthcare, Insurance, Manufacturing, Oil & Gas, Professional Services, Technology Hardware |
| Victim Countries: | United States |
Mitigation Advice
- Immediately identify all instances of Progress MOVEit Automation and upgrade them to a patched version (e.g., 2025.0.9, 2024.1.8, or newer) as specified in the vendor advisory.
- If immediate patching is not feasible, restrict all network access to the MOVEit Automation web interface to only trusted IP addresses using a firewall. Deny all access from the public internet.
- Hunt for signs of compromise by reviewing MOVEit Automation audit and access logs for unusual login events, access from unexpected IP addresses, or unauthorized administrative actions.
Compliance Best Practices
- Implement a network segmentation strategy to isolate critical servers like MOVEit Automation into a secure enclave, with strict ingress and egress filtering rules that only permit traffic required for business functions.
- Establish a formal vulnerability management program that includes automated asset discovery, regular vulnerability scanning, risk-based prioritization, and defined service-level agreements (SLAs) for patching.
- Enhance security monitoring by ensuring all critical application logs, including those from MOVEit Automation, are ingested into a central SIEM. Develop and deploy correlation rules to automatically detect and alert on indicators of authentication bypass or other unauthorized activities.
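The patch tables above for cPanel/WHM and for MOVEit Automation both reduce to the same inventory check: is a given installed version inside the affected range for its product? The script below is an added example, not vendor tooling; the version tables are taken from the two advisories above, the inventory records are constructed, and the rule that a cPanel branch missing from the patched list counts as unsupported is this example's reading of the "upgrade unsupported versions" advice.

```python
# Patched cPanel & WHM releases named in the advisory, keyed by branch
# (the first two version components). A branch not in this table is
# reported as unsupported, since the advisory says those must be upgraded.
CPANEL_PATCHED = {
    "11.110": "11.110.0.97",
    "11.118": "11.118.0.63",
    "11.126": "11.126.0.54",
    "11.132": "11.132.0.29",
    "11.134": "11.134.0.20",
    "11.136": "11.136.0.5",
}

# Affected MOVEit Automation ranges from the advisory as [low, high) pairs.
# The final pair expresses "all versions prior to 2024.0.0".
MOVEIT_AFFECTED = [
    ("2025.0.0", "2025.0.9"),
    ("2024.0.0", "2024.1.8"),
    ("0.0.0", "2024.0.0"),
]


def parse_version(text, width=4):
    """Turn '2025.0.9' into (2025, 0, 9, 0) so tuples compare numerically."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def cpanel_status(version):
    """'fixed', 'affected', or 'unsupported' for a cPanel/WHM version."""
    v = parse_version(version)
    branch = ".".join(str(p) for p in v[:2])
    fixed = CPANEL_PATCHED.get(branch)
    if fixed is None:
        return "unsupported"
    return "fixed" if v >= parse_version(fixed) else "affected"


def moveit_status(version):
    """'affected' or 'fixed' for a MOVEit Automation version."""
    v = parse_version(version)
    for low, high in MOVEIT_AFFECTED:
        if parse_version(low) <= v < parse_version(high):
            return "affected"
    return "fixed"


CHECKS = {"cpanel": cpanel_status, "moveit": moveit_status}


def check_inventory(records):
    """records: iterable of (host, product, version). Returns the hosts
    that still need action, with their status, in input order."""
    needs_action = []
    for host, product, version in records:
        status = CHECKS[product](version)
        if status != "fixed":
            needs_action.append((host, product, version, status))
    return needs_action


# Constructed inventory (hostnames and versions are placeholders).
SAMPLE_INVENTORY = [
    ("web01", "cpanel", "11.110.0.96"),   # one build short of the fix
    ("web02", "cpanel", "11.136.0.5"),    # exactly the patched build
    ("web03", "cpanel", "11.120.0.10"),   # branch with no emergency update
    ("mft01", "moveit", "2025.0.8"),
    ("mft02", "moveit", "2024.1.8"),
    ("mft03", "moveit", "2023.1.0"),
]

if __name__ == "__main__":
    for host, product, version, status in check_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} -> {status}")
```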
New Wave of DPRK Attacks Uses AI-Inserted npm Malware, Fake Firms, and RATs
North Korean actor Famous Chollima, also known as Shifty Corsair, is conducting a new series of cyberattacks, including the "PromptMink" and "Contagious Interview" campaigns, which leverage AI-generated code, fake companies, and sophisticated supply chain tactics. The PromptMink campaign utilizes malicious npm packages, such as "@validate-sdk/v2" and "@hash-validator/v2," to steal credentials and crypto-wallet information, employing layered dependencies, typosquatting, and Vercel-hosted command-and-control infrastructure. This malware has evolved from JavaScript to Rust-based binaries, targeting Windows, Linux, and macOS, with capabilities to exfiltrate sensitive files, system information, and install SSH keys for persistence. Concurrently, the "Contagious Interview" campaign, encompassing operations like "OtterCookie," "graphalgo," and "Contagious Trader," targets developers through fake job offers and companies such as Veltrix Capital and Blockmerce, distributing Remote Access Trojans (RATs) and malware like OtterCookie. OtterCookie, a JavaScript malware, establishes C2 via Socket.IO WebSocket to steal documents, crypto keys, and clipboard content, while "graphalgo" uses social engineering on platforms like LinkedIn to deliver RATs that ping attackers via Telegram or Slack. These campaigns demonstrate a continuous evolution in techniques, including the "Matryoshka Doll approach" for malware delivery, to compromise developer environments and exfiltrate sensitive data.
Severity: Critical
Threat Details and IOCs
| Malware: | OtterCookie, PromptMink |
|---|---|
| CVEs: | CVE-2026-26188 |
| Technologies: | Amazon Web Services, Apple macOS, GitHub, Linux, Microsoft Windows, Node.js, npm, Python |
| Threat Actors: | FamousChollima, LazarusGroup, ShiftyCorsair, WageMole |
| Attacker Countries: | North Korea |
| Attacker IPs: | 216[.]126[.]237[.]71, 45[.]61[.]161[.]146, 45[.]8[.]22[.]144, 45[.]8[.]22[.]52 |
| Attacker Domains: | api[.]bensaru[.]site, api[.]fivefingerz[.]dev, api[.]mywalletsss[.]store, api[.]soladify[.]fun, api-sub[.]jrodacooker[.]dev, blxrbn[.]com, changelog[.]rest, clob-polymarket[.]com, csec-c2-server[.]onrender[.]com, ghostraper[.]top, ipfs-url-validator[.]vercel[.]app, logger[.]clob[.]health, log[.]pricesheet[.]ink, mywalletsss[.]store, navigatorshub[.]com, polblxpnl[.]space, polygon-rpc[.]com, polymarket-clob[.]com, rpc-amoy[.]polygon[.]technology, validator[.]uno, winstonjs[.]site |
| Attacker URLs: | hxxp[://]validator[.]uno/api/validate/files, hxxp[://]validator[.]uno/api/validate/project-env, hxxp[://]validator[.]uno/api/validate/system-info, httpx[:]//ipfs-url-validator.vercel.app/fetchbs58 |
| Victim Industries: | Cryptocurrency, Financial Services, Information Technology, Technology Hardware |
| Victim Countries: | Belgium, Bulgaria, Costa Rica, India, Italy, Netherlands, Pakistan, Romania, South Korea, United Arab Emirates, Vietnam |
Mitigation Advice
- Scan all developer workstations and CI/CD build environments for the presence of the malicious npm package "@validate-sdk/v2" and other related malicious packages mentioned in associated reporting, such as "@hash-validator/v2".
- Add known C2 domains associated with the PromptMink campaign, such as 'ipfs-url-validator.vercel.app', to your network blocklists in your firewall, DNS sinkhole, and web proxy.
- Use your Endpoint Detection and Response (EDR) tool to hunt for the unauthorized creation of new SSH keys in user directories on developer workstations and servers.
- Configure and run EDR or SIEM queries to detect suspicious processes that are scanning for or accessing environment files (e.g., .env), cloud credential files (e.g., ~/.aws/credentials), or cryptocurrency wallet data.
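The SSH key hunt above can be scripted without an EDR: compare every user's authorized_keys against a baseline of known key fingerprints and flag anything new, noting whether the file itself was touched recently. This is an added example, not tooling from the reporting; the home directory tree, the baseline, and the key blobs (syntactically valid ssh-ed25519 blobs built from fixed bytes, not real key pairs) are all constructed here so it runs offline.

```python
import base64
import hashlib
import struct
import tempfile
import time
from pathlib import Path


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Yield (key_type, fingerprint, comment) for each key line, skipping
    blanks, comments, and any options that precede the key type."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next((i for i, f in enumerate(fields)
                    if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or len(fields) < idx + 2:
            continue
        key_type, blob = fields[idx], fields[idx + 1]
        yield key_type, fingerprint(blob), " ".join(fields[idx + 2:])


def audit(root, baseline, max_age_seconds=7 * 86400, now=None):
    """Walk <root>/<user>/.ssh/authorized_keys and report keys whose
    fingerprint is not in baseline[user], plus whether the file is recent."""
    now = time.time() if now is None else now
    findings = []
    for home in sorted(Path(root).iterdir()):
        ak = home / ".ssh" / "authorized_keys"
        if not ak.is_file():
            continue
        user = home.name
        recent = (now - ak.stat().st_mtime) < max_age_seconds
        for key_type, fp, comment in parse_authorized_keys(ak.read_text()):
            if fp not in baseline.get(user, set()):
                findings.append({"user": user, "type": key_type,
                                 "fingerprint": fp, "comment": comment,
                                 "file_recently_modified": recent})
    return findings


def make_key_blob(seed):
    """Constructed ssh-ed25519 public key blob (wire format: string type,
    string 32-byte key) from deterministic bytes; not a usable key."""
    key = bytes((seed + i) % 256 for i in range(32))
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key
    return base64.b64encode(raw).decode()


KNOWN_KEYS = {"alice": make_key_blob(1), "dev": make_key_blob(2)}
ROGUE_KEY = make_key_blob(200)
BASELINE = {user: {fingerprint(blob)} for user, blob in KNOWN_KEYS.items()}


def build_sample_tree():
    """Create a temporary home tree; 'dev' has an extra, unbaselined key
    appended with no comment, the pattern the advice above is hunting for."""
    root = Path(tempfile.mkdtemp())
    files = {
        "alice": [f"ssh-ed25519 {KNOWN_KEYS['alice']} alice@laptop"],
        "dev": [f'command="/usr/bin/true" ssh-ed25519 {KNOWN_KEYS["dev"]} dev@laptop',
                f"ssh-ed25519 {ROGUE_KEY} "],
    }
    for user, lines in files.items():
        d = root / user / ".ssh"
        d.mkdir(parents=True)
        (d / "authorized_keys").write_text("\n".join(lines) + "\n")
    return root


if __name__ == "__main__":
    for f in audit(build_sample_tree(), BASELINE):
        print(f"{f['user']}: unknown {f['type']} key {f['fingerprint']} "
              f"comment={f['comment']!r} recent={f['file_recently_modified']}")
```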
Compliance Best Practices
- Implement a Software Composition Analysis (SCA) tool to scan all software dependencies for known vulnerabilities, malicious packages, and typosquatting attempts before they are used in development or production environments.
- Review and enforce the principle of least privilege for all developer accounts and service principals, ensuring they only have the minimum necessary permissions to access code repositories, cloud resources, and CI/CD pipelines.
- Develop and implement a recurring security awareness training program for the development team, focusing on identifying social engineering attacks that leverage fake job offers, suspicious code repositories, and unsolicited technical tasks.
- Establish a private or proxied package registry (e.g., for npm, PyPI) that caches and serves only approved, vetted open-source packages to developers, preventing direct downloads from public repositories.
- Implement a network egress filtering policy on firewalls that denies outbound traffic by default from developer environments and allows only necessary protocols and destinations required for business operations.
What Type of 'C2 on a Sleep Cycle' Do They Leave Behind? Novel Chinese Spy Group Found in Critical Networks in Poland, Asia
A novel China-linked threat group, tracked as Shadow-Earth-053, has infiltrated over a dozen critical networks in Poland and several Asian countries, including Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan, since December 2024. This group, along with a related entity, Shadow-Earth-054, primarily gains initial access by exploiting vulnerable Microsoft Exchange Servers, specifically the ProxyLogon vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065), and in some cases, React2Shell (CVE-2025-55182) for Linux systems. After initial compromise, the attackers deploy web shells like Godzilla and the custom ShadowPad backdoor, sometimes delivering it via legitimate tools such as AnyDesk. To evade detection, they utilize tools like RingQ to pack malicious binaries, rename legitimate Windows system binaries, and use domain names impersonating products or security companies. Lateral movement is achieved using Windows Management Instrumentation Command-line (WMIC) and credential harvesting tools like Evil-CreateDump. The targeting of government agencies, defense contractors, technology firms, and transportation industries, particularly in a NATO country like Poland, suggests a strategic focus on espionage and the prepositioning of assets for potential long-term sabotage, echoing tactics observed in previous Chinese campaigns like Salt Typhoon and Volt Typhoon.
Severity: Critical
Threat Details and IOCs
| Malware: | ANGRYREBEL, Godzilla, NoodleRat, Nood RAT, POISONPLUG.SHADOW, ShadowPad, XShellGhost |
|---|---|
| CVEs: | CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2025-55182 |
| Technologies: | AnyDesk, Microsoft Exchange Server, Microsoft Windows, React Server Components |
| Threat Actors: | APT17, APT23, APT41, CL-STA-0049, DaggerPanda, EarthAlux, EarthLusca, GhostEmperor, REF7707, SaltTyphoon, ShadowEarth054, TontoTeam, VoltTyphoon, Webworm, WetPanda |
| Attacker Countries: | China |
| Attacker IPs: | 141[.]164[.]46[.]77, 194[.]38[.]11[.]3, 209[.]141[.]40[.]254, 96[.]9[.]125[.]227 |
| Attacker Domains: | check[.]office365-update[.]com, zimbra-beta[.]info |
| Attacker Hashes: | 2e8f9fd8213d9f69044101cd029fd1797ec7afbcad40bb1f04eb93d881c04cd2, 4264cfb3980a068ab36d842c7ee0942f40aaf308f31ed48b41e140e59885f5c8, 8d9433e9734dd629d74abe41ff7024c84b3a28c45671df8f4baed344de733c78, d67197bf407e74ecd77be89d0da107d5f7d37c21bdf55456c6b57df65cf429b3 |
| Victim Industries: | Defense, Energy, Government, Technology Hardware, Telecommunications, Transportation |
| Victim Countries: | India, Malaysia, Myanmar, Pakistan, Poland, Sri Lanka, Taiwan, Thailand |
Mitigation Advice
- Immediately apply all available security updates for on-premises Microsoft Exchange Servers, prioritizing the patch chain for ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).
- Identify all servers using vulnerable React Server Components and apply the security patch for the React2Shell vulnerability (CVE-2025-55182).
- Scan the file systems of all public-facing web servers, especially Microsoft Exchange, for known web shells like Godzilla and for any recently created or modified script files (e.g., .aspx, .php).
- Query SIEM and endpoint logs for suspicious use of the Windows Management Instrumentation Command-line (wmic.exe), particularly for remote process execution or service creation originating from internet-facing servers.
- Conduct an immediate audit of all remote access software, such as AnyDesk, to identify unauthorized installations and review logs from authorized instances for connections to or from unusual IP addresses.
Compliance Best Practices
- Implement a comprehensive vulnerability management program that includes automated asset discovery, risk-based prioritization, and enforceable service-level agreements (SLAs) for patching all software, especially on internet-facing systems.
- Design and implement a network segmentation strategy to isolate critical infrastructure, like email and database servers, into secured zones with strict access controls, preventing direct communication from user workstations.
- Continuously tune Endpoint Detection and Response (EDR) rules to detect behavioral anomalies, such as legitimate Windows processes (e.g., wmic.exe, powershell.exe) running from non-standard directories or being initiated by unusual parent processes.
- Enforce the principle of least privilege by implementing a tiered administrative access model where administrator accounts for servers and domain controllers are separate from standard user accounts and cannot be used for daily tasks like email or web browsing.
- Develop a business case and migration plan to move from on-premises Microsoft Exchange to a managed cloud email platform to reduce the organization's attack surface and security management overhead.