VPS Infrastructure Abused for Stealthy SaaS Account Compromises
Summary
Threat actors are abusing commercial virtual private server (VPS) hosting to stand up attack infrastructure quickly and discreetly, a tactic observed in coordinated SaaS account compromises across multiple customer environments. VPSs are favoured because they are cheap, fast to deploy and leave a minimal open-source intelligence footprint; a VPS in the victim's region also lets attacker traffic mimic local activity, bypass geolocation-based defences and evade IP reputation checks. Darktrace observed a spike in alerts involving Hyonix VPS abuse beginning in March, including brute-force attempts, anomalous logins, session hijacking and the creation of obfuscated inbox rules.
The same hosting tier is the raw material of the SystemBC proxy botnet. Active since at least 2019 and used by multiple threat actors, including ransomware gangs, to deliver payloads and hide command-and-control (C2) traffic, SystemBC (also tracked as Coroxy or DroxiDat) turns compromised systems into SOCKS5 relays. The network is built for volume rather than stealth: it runs more than 80 C2 servers, maintains a daily average of around 1,500 bots, and feeds other criminal proxy services, including REM Proxy (which also markets a pool of roughly 20,000 MikroTik routers and assorted open proxies found online) and a Vietnamese proxy network known as VN5Socks or Shopsocks5. Nearly 80% of the bots are compromised VPS systems at several large commercial providers, and they are easy targets: on average each carries about 20 unpatched CVEs, including at least one critical one, and one VPS in Atlanta, U.S. was vulnerable to more than 160 unpatched CVEs. Close to 40% of the compromises have infection lifespans of more than 31 days. The IP address 104.250.164[.]214 hosts the SystemBC artifacts and appears to be the source of the attacks that recruit new victims. The botnet is also used to brute-force WordPress credentials, which are likely sold to brokers for malicious code injection.
Later analysis by Silent Push, using a SystemBC-specific tracking fingerprint to identify infections and supporting infrastructure at scale, linked the malware to more than 10,000 infected IP addresses worldwide, including systems associated with sensitive government infrastructure; compromised addresses hosting official government websites in Burkina Faso and Vietnam appeared in the dataset. Infections are concentrated in the US, followed by Germany, France, Singapore and India, and many sit in data-centre environments, which helps them persist for weeks or months: within a single hosting cluster, over 10,340 victim IPs were identified with infections lasting an average of 38 days and some exceeding 100 days. Infections have been observed deploying additional malware, and a previously undocumented SystemBC variant written in Perl targets Linux systems with no detections across 62 antivirus engines. SystemBC C2 infrastructure frequently relies on abuse-tolerant bulletproof hosting providers, including BTHoster and AS213790 (BTCloud). Because SystemBC activity often appears early in intrusion chains and frequently precedes ransomware deployment, an infected host should be treated as a precursor indicator rather than an isolated nuisance.
Timeline
-
18.09.2025 17:35 3 articles · 4mo ago
SystemBC Proxy Botnet Exploits Vulnerable VPS Infrastructure
The SystemBC proxy botnet maintains a daily average of about 1,500 bots, most of them compromised commercial VPS systems. Active since at least 2019 and used by multiple threat actors, including ransomware gangs, to deliver payloads and route C2 traffic through infected hosts, the network is built for volume with little concern for stealth: it runs more than 80 command-and-control (C2) servers and feeds other criminal proxy services, including REM Proxy and a Vietnamese proxy network called VN5Socks or Shopsocks5. REM Proxy is itself a sizeable operation that also markets a pool of roughly 20,000 MikroTik routers and assorted open proxies found online. Nearly 80% of SystemBC's bots are VPS systems at several large commercial providers, and they are easy targets: each carries about 20 unpatched CVEs and at least one critical CVE on average, with one VPS in Atlanta, U.S. vulnerable to more than 160 unpatched CVEs. Close to 40% of the compromises have infection lifespans of more than 31 days. The IP address 104.250.164[.]214 hosts the SystemBC artifacts and appears to be the source of the attacks that recruit new victims. The botnet is also used to brute-force WordPress credentials, which are likely sold to brokers for malicious code injection.
Later research by Silent Push, based on a SystemBC-specific tracking fingerprint, linked the malware (also known as Coroxy or DroxiDat, which turns compromised systems into SOCKS5 relays) to more than 10,000 infected IP addresses worldwide, including systems associated with sensitive government infrastructure and compromised addresses hosting official government websites in Burkina Faso and Vietnam. Infections are concentrated in the US, followed by Germany, France, Singapore and India, and many sit in data-centre environments, which helps them persist: in a single hosting cluster over 10,340 victim IPs were identified, with infections lasting an average of 38 days and some exceeding 100 days. Infections have been observed deploying additional malware, a previously undocumented Perl variant targeting Linux had no detections across 62 antivirus engines, and C2 infrastructure frequently relies on abuse-tolerant bulletproof hosting providers, including BTHoster and AS213790 (BTCloud). SystemBC activity often appears early in intrusion chains and frequently precedes ransomware deployment.
Sources:
- SystemBC malware turns infected VPS systems into proxy highway — www.bleepingcomputer.com — 18.09.2025 17:35
- SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 C2 Servers — thehackernews.com — 19.09.2025 17:26
- Global SystemBC Botnet Found Active Across 10,000 Infected Systems — www.infosecurity-magazine.com — 04.02.2026 18:15
-
21.08.2025 20:42 4 articles · 5mo ago
VPS Infrastructure Abused for Stealthy SaaS Account Compromises
Darktrace reported a spike in alerts involving abuse of Hyonix VPS infrastructure beginning in March, including brute-force attempts, anomalous logins and phishing-related inbox rule creation. Threat actors favour commercial VPS hosting because it is cheap, quick to set up and leaves a minimal open-source intelligence footprint, and because a VPS in the victim's region lets attacker traffic blend into legitimate behaviour, bypass geolocation-based defences and evade IP reputation checks. Two attacks against Darktrace customers involved session hijacking followed by the creation of obfuscated email rules. In the first, logins from rare IP addresses associated with Hyonix and Host Universal occurred within minutes of legitimate user activity; in the second, multiple users logged in from rare endpoints and completed successful multifactor authentications, which points to hijacked sessions rather than guessed passwords. In both cases the attackers created new, obfuscated inbox rules that deleted emails referencing shared documents in order to conceal the activity.
Subsequent reporting on the SystemBC proxy botnet, which runs on roughly 1,500 mostly VPS-hosted bots a day across more than 80 C2 servers, showed the same cheap hosting tier being abused at scale.
Sources:
- Hackers Abuse VPS Infrastructure for Stealth, Speed — www.darkreading.com — 21.08.2025 20:42
- SystemBC malware turns infected VPS systems into proxy highway — www.bleepingcomputer.com — 18.09.2025 17:35
- SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 C2 Servers — thehackernews.com — 19.09.2025 17:26
- Global SystemBC Botnet Found Active Across 10,000 Infected Systems — www.infosecurity-magazine.com — 04.02.2026 18:15
Information Snippets
-
Threat actors are using commercial VPS services to set up attack infrastructure quickly and quietly.
First reported: 21.08.2025 20:42 · 3 sources, 3 articles. Sources:
- Hackers Abuse VPS Infrastructure for Stealth, Speed — www.darkreading.com — 21.08.2025 20:42
- SystemBC malware turns infected VPS systems into proxy highway — www.bleepingcomputer.com — 18.09.2025 17:35
- SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 C2 Servers — thehackernews.com — 19.09.2025 17:26
-
VPSs are low-cost, quick to set up, and have minimal open-source intelligence footprints.
First reported: 21.08.2025 20:42 · 3 sources, 3 articles. Sources:
- Hackers Abuse VPS Infrastructure for Stealth, Speed — www.darkreading.com — 21.08.2025 20:42
- SystemBC malware turns infected VPS systems into proxy highway — www.bleepingcomputer.com — 18.09.2025 17:35
- SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 C2 Servers — thehackernews.com — 19.09.2025 17:26
-
VPS abuse has increased in SaaS-targeted campaigns, allowing attackers to bypass geolocation-based defenses and evade IP reputation checks.
First reported: 21.08.2025 20:42 · 3 sources, 3 articles. Sources:
- Hackers Abuse VPS Infrastructure for Stealth, Speed — www.darkreading.com — 21.08.2025 20:42
- SystemBC malware turns infected VPS systems into proxy highway — www.bleepingcomputer.com — 18.09.2025 17:35
- SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 C2 Servers — thehackernews.com — 19.09.2025 17:26
-
Darktrace observed a spike in alerts involving Hyonix VPS abuse beginning in March, including brute-force attempts, anomalous logins, and phishing campaign-related inbox rule creation.
First reported: 21.08.2025 20:42 · 1 source, 1 article. Sources:
- Hackers Abuse VPS Infrastructure for Stealth, Speed — www.darkreading.com — 21.08.2025 20:42
-
Two attacks against Darktrace customers involved session hijacking and the creation of obfuscated email rules.
First reported: 21.08.2025 20:42 · 1 source, 1 article. Sources:
- Hackers Abuse VPS Infrastructure for Stealth, Speed — www.darkreading.com — 21.08.2025 20:42
-
In the first attack, logins from rare IP addresses associated with Hyonix and Host Universal occurred within minutes of legitimate user activity, indicating session hijacking.
First reported: 21.08.2025 20:42 · 1 source, 1 article. Sources:
- Hackers Abuse VPS Infrastructure for Stealth, Speed — www.darkreading.com — 21.08.2025 20:42
-
In the second attack, multiple users logged in from rare endpoints and completed successful multifactor authentications, suggesting session hijacking.
First reported: 21.08.2025 20:42 · 1 source, 1 article. Sources:
- Hackers Abuse VPS Infrastructure for Stealth, Speed — www.darkreading.com — 21.08.2025 20:42
-
Attackers created new, obfuscated email rules to delete emails referencing shared documents, attempting to conceal malicious activity.
First reported: 21.08.2025 20:42 · 1 source, 1 article. Sources:
- Hackers Abuse VPS Infrastructure for Stealth, Speed — www.darkreading.com — 21.08.2025 20:42
-
The attacks demonstrate how threat actors leverage cheap, anonymous VPS hosting services to rapidly deploy attack infrastructure and hijack active email sessions.
First reported: 21.08.2025 20:42 · 1 source, 1 article. Sources:
- Hackers Abuse VPS Infrastructure for Stealth, Speed — www.darkreading.com — 21.08.2025 20:42
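The two signals Darktrace describes above can be checked against an identity provider's sign-in log and the mailbox audit log. The block below is an added example, not Darktrace's or the page's own code; the ASN table, sample records, field names and thresholds are constructed assumptions. It treats a sign-in from a hosting-provider ASN within minutes of the same user's normal sign-in as a session-hijack candidate (a satisfied MFA prompt does not clear it, because a stolen session token bypasses MFA), flags inbox rules that hide messages about shared documents or carry an obfuscated name, and correlates the two per user.

```python
"""Added example: flag SaaS sign-ins that look like session hijacking and the
inbox rules attackers create afterwards. Records, ASN table and thresholds
are constructed for illustration; production input would come from the
identity provider's sign-in log and the mailbox audit log."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed ASN table: in practice an IP-to-ASN database answers this.
HOSTING_ASNS = {"AS-HOSTING-A": "hosting provider A", "AS-HOSTING-B": "hosting provider B"}


@dataclass
class SignIn:
    ts: datetime
    user: str
    ip: str
    asn: str
    mfa_ok: bool  # a satisfied MFA prompt does not clear a stolen-session login


@dataclass
class InboxRule:
    ts: datetime
    user: str
    name: str
    conditions: str  # e.g. "body contains 'shared a document'"
    actions: str     # e.g. "Delete", "Move to folder RSS Feeds"


def hijack_candidates(signins, window=timedelta(minutes=10)):
    """Pairs (legit, suspect): a sign-in from a hosting ASN and a different IP
    within `window` after the same user's sign-in from a non-hosting ASN."""
    by_user = {}
    for s in sorted(signins, key=lambda s: s.ts):
        by_user.setdefault(s.user, []).append(s)
    hits = []
    for events in by_user.values():
        for i, legit in enumerate(events):
            if legit.asn in HOSTING_ASNS:
                continue
            for later in events[i + 1:]:
                if later.ts - legit.ts > window:
                    break
                if later.asn in HOSTING_ASNS and later.ip != legit.ip:
                    hits.append((legit, later))
    return hits


# Rule actions that hide mail from the victim, and terms from the lures
# (shared-document notifications) that attackers suppress.
HIDING_ACTIONS = ("delete", "movetofolder", "markasread")
SUPPRESSED_TERMS = ("shared", "document", "sharepoint", "onedrive", "invoice", "password")


def suspicious_rules(rules):
    """Rules that hide mail and either match lure-related terms or carry an
    obfuscated (empty, one-character or non-printable) name."""
    out = []
    for r in rules:
        action = r.actions.lower().replace(" ", "")
        cond = r.conditions.lower()
        name = r.name.strip()
        obfuscated = len(name) <= 1 or not name.isprintable()
        hides = any(a in action for a in HIDING_ACTIONS)
        if hides and (obfuscated or any(t in cond for t in SUPPRESSED_TERMS)):
            out.append(r)
    return out


def correlate(signins, rules, window=timedelta(hours=1)):
    """Users with a hijack candidate followed within `window` by a suspicious rule."""
    flagged = suspicious_rules(rules)
    users = set()
    for _legit, suspect in hijack_candidates(signins):
        for r in flagged:
            if r.user == suspect.user and timedelta(0) <= r.ts - suspect.ts <= window:
                users.add(r.user)
    return users


# Constructed sample records.
T0 = datetime(2025, 3, 12, 9, 0)
SIGNINS = [
    SignIn(T0, "alice@example.com", "203.0.113.10", "AS-CORP", True),
    SignIn(T0 + timedelta(minutes=4), "alice@example.com", "198.51.100.7", "AS-HOSTING-A", True),
    SignIn(T0 + timedelta(hours=3), "bob@example.com", "203.0.113.22", "AS-CORP", True),
    SignIn(T0 + timedelta(hours=5), "bob@example.com", "198.51.100.9", "AS-HOSTING-B", True),
]
RULES = [
    InboxRule(T0 + timedelta(minutes=9), "alice@example.com", ".", "body contains 'shared a document'", "Delete"),
    InboxRule(T0 + timedelta(days=1), "bob@example.com", "Newsletters", "from contains 'news@'", "Move to folder Newsletters"),
]

if __name__ == "__main__":
    for legit, suspect in hijack_candidates(SIGNINS):
        print(f"hijack candidate: {suspect.user} {legit.ip} -> {suspect.ip} ({HOSTING_ASNS[suspect.asn]})")
    print("users to contain:", correlate(SIGNINS, RULES))
```

Bob's hosting-ASN sign-in two hours after his normal one is not flagged on its own and his rule is an ordinary filing rule, so only Alice is returned; the short window is what separates a hijacked session from a user who simply travels. In Microsoft 365 the rule events correspond to the New-InboxRule and Set-InboxRule operations in the unified audit log.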
-
SystemBC proxy botnet operators maintain an average of 1,500 bots daily, exploiting vulnerable commercial VPS infrastructure.
First reported: 18.09.2025 17:35 · 3 sources, 3 articles. Sources:
- SystemBC malware turns infected VPS systems into proxy highway — www.bleepingcomputer.com — 18.09.2025 17:35
- SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 C2 Servers — thehackernews.com — 19.09.2025 17:26
- Global SystemBC Botnet Found Active Across 10,000 Infected Systems — www.infosecurity-magazine.com — 04.02.2026 18:15
-
SystemBC has been active since at least 2019 and is used by various threat actors, including ransomware gangs, to deliver payloads.
First reported: 18.09.2025 17:35 · 3 sources, 3 articles. Sources:
- SystemBC malware turns infected VPS systems into proxy highway — www.bleepingcomputer.com — 18.09.2025 17:35
- SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 C2 Servers — thehackernews.com — 19.09.2025 17:26
- Global SystemBC Botnet Found Active Across 10,000 Infected Systems — www.infosecurity-magazine.com — 04.02.2026 18:15
-
SystemBC allows attackers to route malicious traffic through infected hosts, hiding command-and-control (C2) activity to evade detection.
First reported: 18.09.2025 17:35 · 2 sources, 2 articles. Sources:
- SystemBC malware turns infected VPS systems into proxy highway — www.bleepingcomputer.com — 18.09.2025 17:35
- SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 C2 Servers — thehackernews.com — 19.09.2025 17:26
-
The SystemBC network is built for volume with little concern for stealth, and it powers other criminal proxy networks.
First reported: 18.09.2025 17:35 · 2 sources, 2 articles. Sources:
- SystemBC malware turns infected VPS systems into proxy highway — www.bleepingcomputer.com — 18.09.2025 17:35
- SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 C2 Servers — thehackernews.com — 19.09.2025 17:26
-
SystemBC has over 80 C2 servers and fuels other proxy network services, including REM Proxy and a Vietnamese-based proxy network called VN5Socks or Shopsocks5.
First reported: 18.09.2025 17:35 · 3 sources, 3 articles. Sources:
- SystemBC malware turns infected VPS systems into proxy highway — www.bleepingcomputer.com — 18.09.2025 17:35
- SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 C2 Servers — thehackernews.com — 19.09.2025 17:26
- Global SystemBC Botnet Found Active Across 10,000 Infected Systems — www.infosecurity-magazine.com — 04.02.2026 18:15
-
SystemBC operators use the network to brute-force WordPress credentials, which are likely sold to brokers for malicious code injection.
First reported: 18.09.2025 17:35 · 2 sources, 2 articles. Sources:
- SystemBC malware turns infected VPS systems into proxy highway — www.bleepingcomputer.com — 18.09.2025 17:35
- SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 C2 Servers — thehackernews.com — 19.09.2025 17:26
-
Nearly 80% of the SystemBC network consists of compromised VPS systems from multiple large commercial providers.
First reported: 18.09.2025 17:35 · 2 sources, 2 articles. Sources:
- SystemBC malware turns infected VPS systems into proxy highway — www.bleepingcomputer.com — 18.09.2025 17:35
- SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 C2 Servers — thehackernews.com — 19.09.2025 17:26
-
Infected VPS systems have multiple easy-to-exploit vulnerabilities, with an average of 20 unpatched security issues and at least one critical-severity vulnerability.
First reported: 18.09.2025 17:35 · 2 sources, 2 articles. Sources:
- SystemBC malware turns infected VPS systems into proxy highway — www.bleepingcomputer.com — 18.09.2025 17:35
- SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 C2 Servers — thehackernews.com — 19.09.2025 17:26
-
The SystemBC malware enables high-volume, stable traffic for its customers, generating up to 16 gigabytes of proxy data in 24 hours.
First reported: 18.09.2025 17:35 · 1 source, 1 article. Sources:
- SystemBC malware turns infected VPS systems into proxy highway — www.bleepingcomputer.com — 18.09.2025 17:35
-
The SystemBC proxy network has survived law enforcement actions, including Operation Endgame, which targeted the malware droppers behind multiple botnets.
First reported: 18.09.2025 17:35 · 1 source, 1 article. Sources:
- SystemBC malware turns infected VPS systems into proxy highway — www.bleepingcomputer.com — 18.09.2025 17:35
-
REM Proxy is a sizeable network, which also markets a pool of 20,000 Mikrotik routers and a variety of open proxies it finds freely available online.
First reported: 19.09.2025 17:26 · 1 source, 1 article. Sources:
- SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 C2 Servers — thehackernews.com — 19.09.2025 17:26
-
The SystemBC botnet comprises over 80 C2 servers and a daily average of 1,500 victims, of which nearly 80% are compromised virtual private server (VPS) systems from several large commercial providers.
First reported: 19.09.2025 17:26 · 2 sources, 2 articles. Sources:
- SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 C2 Servers — thehackernews.com — 19.09.2025 17:26
- Global SystemBC Botnet Found Active Across 10,000 Infected Systems — www.infosecurity-magazine.com — 04.02.2026 18:15
-
300 of those victims are part of another botnet called GoBruteforcer (aka GoBrut).
First reported: 19.09.2025 17:26 · 1 source, 1 article. Sources:
- SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 C2 Servers — thehackernews.com — 19.09.2025 17:26
-
Close to 40% of the compromises have "extremely long average" infection lifespans, lasting over 31 days.
First reported: 19.09.2025 17:26 · 2 sources, 2 articles. Sources:
- SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 C2 Servers — thehackernews.com — 19.09.2025 17:26
- Global SystemBC Botnet Found Active Across 10,000 Infected Systems — www.infosecurity-magazine.com — 04.02.2026 18:15
-
The vast majority of the victimized servers have been found to be susceptible to several known security flaws. Each victim has 20 unpatched CVEs and at least one critical CVE on average, with one of the identified VPS servers in the U.S. city of Atlanta vulnerable to more than 160 unpatched CVEs.
First reported: 19.09.2025 17:26 · 1 source, 1 article. Sources:
- SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 C2 Servers — thehackernews.com — 19.09.2025 17:26
-
The IP address 104.250.164[.]214 hosts the SystemBC artifacts and appears to be the source of the attacks that recruit new victims.
First reported: 19.09.2025 17:26 · 1 source, 1 article. Sources:
- SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 C2 Servers — thehackernews.com — 19.09.2025 17:26
-
SystemBC is used to brute-force WordPress site credentials, which are likely sold to brokers for malicious code injection.
First reported: 19.09.2025 17:26 · 1 source, 1 article. Sources:
- SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 C2 Servers — thehackernews.com — 19.09.2025 17:26
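The WordPress brute-forcing mentioned here and in the earlier snippet on the same point has a property that matters for defenders: the attempts arrive through a pool of relay IPs, so each source makes only a handful of requests and a per-IP rate limit never fires. The block below is an added example, not code from Silent Push, Lumen or the page; the log lines are constructed in Apache/nginx combined format and the thresholds are illustrative. It contrasts the naive per-IP rule with a sliding-window rule that keys on the target rather than the source.

```python
"""Added example: spot brute force against WordPress that is spread across a
proxy pool so that no single source IP trips a per-IP limit. Log lines are
constructed (Apache/nginx combined format); thresholds are illustrative."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e


def is_login_attempt(e):
    """A failed wp-login.php POST gets a 200 (the form again) while success is a
    302 redirect; xmlrpc.php always answers 200, so every POST there counts."""
    return e["method"] == "POST" and e["path"].split("?")[0] in LOGIN_PATHS and e["status"] == 200


def per_ip_bruteforce(lines, threshold=10):
    """The naive rule: any single IP with more than `threshold` attempts."""
    counts = defaultdict(int)
    for e in filter(None, map(parse_line, lines)):
        if is_login_attempt(e):
            counts[e["ip"]] += 1
    return sorted(ip for ip, n in counts.items() if n > threshold)


def distributed_bruteforce(lines, window=timedelta(minutes=10), min_attempts=20,
                           min_sources=10, max_per_ip=5):
    """Sliding window over attempts against this site: alert when many attempts
    come from many sources and every source stays under the per-IP limit, the
    signature of a proxy-pool campaign. Returns (start, end, attempts, sources)."""
    events = sorted((e for e in filter(None, map(parse_line, lines)) if is_login_attempt(e)),
                    key=lambda e: e["ts"])
    i = 0
    for j in range(len(events)):
        while events[j]["ts"] - events[i]["ts"] > window:
            i += 1
        per_ip = defaultdict(int)
        for e in events[i:j + 1]:
            per_ip[e["ip"]] += 1
        total = sum(per_ip.values())
        if total >= min_attempts and len(per_ip) >= min_sources and max(per_ip.values()) <= max_per_ip:
            return events[i]["ts"], events[j]["ts"], total, len(per_ip)
    return None


def make_line(ip, ts, path="/wp-login.php", status=200, method="POST"):
    """Constructed combined-format log line."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"'


# Constructed sample: 24 relay IPs with one attempt each, one IP hitting
# xmlrpc.php three times, a legitimate successful login (302) and a page view.
BASE = datetime(2025, 9, 18, 12, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [make_line(f"198.51.100.{n}", BASE + timedelta(seconds=12 * n)) for n in range(1, 25)]
SAMPLE_LOG += [make_line("203.0.113.77", BASE + timedelta(seconds=30 * k), "/xmlrpc.php") for k in range(3)]
SAMPLE_LOG.append(make_line("192.0.2.10", BASE + timedelta(minutes=2), status=302))
SAMPLE_LOG.append(make_line("192.0.2.11", BASE + timedelta(minutes=3), method="GET"))

if __name__ == "__main__":
    print("per-IP rule fires on:", per_ip_bruteforce(SAMPLE_LOG))
    print("distributed rule:", distributed_bruteforce(SAMPLE_LOG))
```

On the sample the per-IP rule returns nothing while the windowed rule alerts within the first few minutes; the same shape (many sources, low rate per source, one target) is what a relay-backed credential attack looks like against any login endpoint, not just WordPress.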
-
SystemBC has exhibited sustained activity and operational resilience across multiple years, establishing itself as a persistent vector within the cyber threat landscape.
First reported: 19.09.2025 17:26 · 2 sources, 2 articles. Sources:
- SystemBC Powers REM Proxy With 1,500 Daily VPS Victims Across 80 C2 Servers — thehackernews.com — 19.09.2025 17:26
- Global SystemBC Botnet Found Active Across 10,000 Infected Systems — www.infosecurity-magazine.com — 04.02.2026 18:15
-
SystemBC has been linked to more than 10,000 infected IP addresses worldwide, including systems associated with sensitive government infrastructure.
First reported: 04.02.2026 18:15 · 1 source, 1 article. Sources:
- Global SystemBC Botnet Found Active Across 10,000 Infected Systems — www.infosecurity-magazine.com — 04.02.2026 18:15
-
SystemBC, also known as Coroxy or DroxiDat, is a multi-platform proxy malware that turns compromised systems into SOCKS5 relays.
First reported: 04.02.2026 18:15 · 1 source, 1 article. Sources:
- Global SystemBC Botnet Found Active Across 10,000 Infected Systems — www.infosecurity-magazine.com — 04.02.2026 18:15
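To make "SOCKS5 relay" concrete, the block below is an added example (not Silent Push's or the page's code) that decodes the SOCKS5 handshake defined in RFC 1928 from the first bytes of a TCP flow and flags hosts that accept an unauthenticated CONNECT from outside the network and answer it with success, which is what a compromised VPS looks like when it is rented out as a relay. The flow records, addresses and internal prefixes are constructed. It does not attempt to decode the bot's own channel to its C2; it only recognises the relay's client-facing SOCKS5 side.

```python
"""Added example: decode the SOCKS5 handshake (RFC 1928) from the first bytes of
a TCP flow and flag hosts acting as open relays. Flow records, addresses and
prefixes are constructed; the bot-to-C2 channel is not decoded here."""
import struct
from dataclasses import dataclass
from ipaddress import ip_address

SOCKS_VER = 0x05
NO_AUTH = 0x00
CMD = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


def parse_greeting(buf):
    """Client greeting: VER NMETHODS METHODS. Returns the method list or None."""
    if len(buf) < 2 or buf[0] != SOCKS_VER:
        return None
    n = buf[1]
    if len(buf) < 2 + n:
        return None
    return list(buf[2:2 + n])


def parse_request(buf):
    """Client request: VER CMD RSV ATYP DST.ADDR DST.PORT -> (cmd, host, port) or None."""
    if len(buf) < 4 or buf[0] != SOCKS_VER or buf[2] != 0x00:
        return None
    cmd, atyp = buf[1], buf[3]
    if atyp == 0x01:            # IPv4, 4 bytes
        if len(buf) < 10:
            return None
        host, off = str(ip_address(bytes(buf[4:8]))), 8
    elif atyp == 0x03:          # domain name, length-prefixed
        ln = buf[4]
        if len(buf) < 5 + ln + 2:
            return None
        host, off = buf[5:5 + ln].decode("ascii", "replace"), 5 + ln
    elif atyp == 0x04:          # IPv6, 16 bytes
        if len(buf) < 22:
            return None
        host, off = str(ip_address(bytes(buf[4:20]))), 20
    else:
        return None
    port = struct.unpack("!H", buf[off:off + 2])[0]
    return CMD.get(cmd, f"UNKNOWN_{cmd:#04x}"), host, port


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    client_bytes: bytes  # first bytes client -> server
    server_bytes: bytes  # first bytes server -> client


def open_relays(flows, internal_prefixes=("10.", "192.168.", "172.16.")):
    """Map relay host -> [(client, target host, target port)] for flows where an
    external client sent an unauthenticated CONNECT and the server chose NO_AUTH
    and replied REP=0 (succeeded). The prefix list is illustrative, not full RFC 1918."""
    hits = {}
    for f in flows:
        methods = parse_greeting(f.client_bytes)
        if methods is None or NO_AUTH not in methods:
            continue
        req = parse_request(f.client_bytes[2 + len(methods):])
        if req is None or req[0] != "CONNECT":
            continue
        s = f.server_bytes
        # server side: method selection (VER METHOD) then the reply (VER REP RSV ATYP ...)
        if len(s) < 4 or s[0] != SOCKS_VER or s[1] != NO_AUTH or s[2] != SOCKS_VER or s[3] != 0x00:
            continue
        if f.src.startswith(internal_prefixes):
            continue  # a proxy serving internal users is expected; external clients are not
        hits.setdefault(f.dst, []).append((f.src, req[1], req[2]))
    return hits


def socks5_connect(host, port, methods=(NO_AUTH,)):
    """Build a client greeting plus CONNECT to a domain name (used for sample flows)."""
    name = host.encode()
    greeting = bytes([SOCKS_VER, len(methods), *methods])
    request = bytes([SOCKS_VER, 0x01, 0x00, 0x03, len(name)]) + name + struct.pack("!H", port)
    return greeting + request


# Constructed sample flows: a relay at 203.0.113.5 serving an external client,
# the same relay serving an internal user, an authenticated proxy, and an SSH flow.
OK_SERVER = bytes([SOCKS_VER, NO_AUTH, SOCKS_VER, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0])
AUTH_SERVER = bytes([SOCKS_VER, 0x02])  # server demands username/password
SAMPLE_FLOWS = [
    Flow("198.51.100.23", "203.0.113.5", 1080, socks5_connect("wp-login.example", 443), OK_SERVER),
    Flow("10.0.0.8", "203.0.113.5", 1080, socks5_connect("intranet.example", 80), OK_SERVER),
    Flow("198.51.100.40", "203.0.113.9", 1080, socks5_connect("mail.example", 25, methods=(0x02,)), AUTH_SERVER),
    Flow("198.51.100.41", "203.0.113.12", 22, b"SSH-2.0-OpenSSH_9.6\r\n", b"SSH-2.0-OpenSSH_9.6\r\n"),
]

if __name__ == "__main__":
    for relay, uses in open_relays(SAMPLE_FLOWS).items():
        print(relay, "relays for", uses)
```

Only the first flow is reported: the relay serving an internal user is normal proxy use, the third server insists on authentication, and the fourth is not SOCKS at all. Fed from a flow collector or pcap parser, the same check on a VPS that should never speak SOCKS is a cheap way to catch a host that has joined a proxy pool, independent of any signature for the malware itself.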
-
SystemBC infections have been observed deploying additional malware, expanding the scope of compromise.
First reported: 04.02.2026 18:15 · 1 source, 1 article. Sources:
- Global SystemBC Botnet Found Active Across 10,000 Infected Systems — www.infosecurity-magazine.com — 04.02.2026 18:15
-
Silent Push analysts developed a SystemBC-specific tracking fingerprint to identify infections and supporting infrastructure at scale.
First reported: 04.02.2026 18:15 · 1 source, 1 article. Sources:
- Global SystemBC Botnet Found Active Across 10,000 Infected Systems — www.infosecurity-magazine.com — 04.02.2026 18:15
-
The infections were globally distributed, with the highest concentration in the US, followed by Germany, France, Singapore, and India.
First reported: 04.02.2026 18:15 · 1 source, 1 article. Sources:
- Global SystemBC Botnet Found Active Across 10,000 Infected Systems — www.infosecurity-magazine.com — 04.02.2026 18:15
-
Many affected systems were hosted within data center environments, helping infections persist for weeks or months.
First reported: 04.02.2026 18:15 · 1 source, 1 article. Sources:
- Global SystemBC Botnet Found Active Across 10,000 Infected Systems — www.infosecurity-magazine.com — 04.02.2026 18:15
-
A previously undocumented SystemBC variant written in Perl was discovered, targeting Linux systems with no detections across 62 antivirus engines.
First reported: 04.02.2026 18:15 · 1 source, 1 article. Sources:
- Global SystemBC Botnet Found Active Across 10,000 Infected Systems — www.infosecurity-magazine.com — 04.02.2026 18:15
-
SystemBC C2 infrastructure frequently relies on abuse-tolerant, bulletproof hosting providers, including BTHoster and AS213790 (BTCloud).
First reported: 04.02.2026 18:15 · 1 source, 1 article. Sources:
- Global SystemBC Botnet Found Active Across 10,000 Infected Systems — www.infosecurity-magazine.com — 04.02.2026 18:15
-
Over 10,340 victim IP addresses were identified within a single hosting cluster, with infections lasting an average of 38 days and some persisting for more than 100 days.
First reported: 04.02.2026 18:15 · 1 source, 1 article. Sources:
- Global SystemBC Botnet Found Active Across 10,000 Infected Systems — www.infosecurity-magazine.com — 04.02.2026 18:15
-
Compromised IP addresses used to host official government websites in Burkina Faso and Vietnam were found within the dataset.
First reported: 04.02.2026 18:15 · 1 source, 1 article. Sources:
- Global SystemBC Botnet Found Active Across 10,000 Infected Systems — www.infosecurity-magazine.com — 04.02.2026 18:15
-
SystemBC activity often appears early in intrusion chains and frequently precedes ransomware deployment.
First reported: 04.02.2026 18:15 · 1 source, 1 article. Sources:
- Global SystemBC Botnet Found Active Across 10,000 Infected Systems — www.infosecurity-magazine.com — 04.02.2026 18:15
Similar Happenings
PDFSIDER Malware Facilitates Long-Term, Covert System Access
Researchers have identified a new malware strain, PDFSIDER, designed for long-term, covert access to compromised systems. Delivered via DLL side-loading, it installs an encrypted backdoor and evades endpoint detection mechanisms. The malware exhibits advanced capabilities, including stealthy execution, secure communications and anti-analysis checks, aligning it with APT operations. The infection chain begins with spear-phishing emails containing a ZIP archive with a legitimate, digitally signed executable that impersonates PDF creation software. Once active, PDFSIDER initializes networking components, gathers host details and establishes an encrypted command-and-control (C2) channel, using the Botan 3.0.0 cryptographic library and AES-256-GCM and decrypting incoming data in memory to minimize its footprint on the host. It includes anti-VM checks to detect analysis environments and exits early if thresholds are not met. Infected hosts are assigned a unique identifier, and system information is exfiltrated over DNS (port 53) to a leased VPS. The malware loads into memory, leaving minimal disk artifacts, and uses anonymous pipes to launch commands via CMD. Resecurity assessed PDFSIDER as targeted tradecraft rather than a mass-delivered threat, with most artifacts evading popular AV and EDR products. PDFSIDER has been deployed in Qilin ransomware attacks and is actively used by multiple ransomware actors.
CISA Releases Guide to Mitigate Bulletproof Hosting Threats
The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with U.S. and international partners, has released a guide titled 'Bulletproof Defense: Mitigating Risks from Bulletproof Hosting Providers.' This guide provides internet service providers (ISPs) and network defenders with an overview of bulletproof hosting (BPH) cybercriminal activities and key steps to safeguard their networks. The guide emphasizes the growing use of BPH infrastructure by cybercriminals to conduct ransomware attacks, data extortion, and denial of service (DoS) attacks. The guide recommends implementing traffic analysis, maintaining lists of malicious internet resources, and establishing filters to mitigate BPH risks. CISA encourages ISPs and organizations to adopt these measures to reduce the effectiveness of BPH infrastructure and enhance network security. The guide also highlights the role of BPH providers in leasing or reselling infrastructure to malicious actors, enabling them to obfuscate operations and avoid detection. Key recommendations include curating a 'high confidence' list of malicious internet resources, conducting continuous traffic analysis, implementing automated reviews of blocklists, sharing threat intelligence, deploying filters at the network edge, and establishing feedback processes to reduce accidental blocking.
HttpTroy Backdoor Deployed in Targeted South Korean Cyberattack
The North Korea-linked threat actor Kimsuky has been linked to a new campaign distributing a new variant of Android malware called DocSwap via QR codes hosted on phishing sites mimicking the Seoul-based logistics firm CJ Logistics. A related attack used a ZIP file containing a Microsoft Windows screensaver (.scr) file that displayed a decoy PDF invoice written in Korean while running the attack chain until the HttpTroy backdoor was active. HttpTroy relies on advanced obfuscation techniques to evade detection, and the attack is part of a broader campaign by North Korean state-sponsored groups targeting governments in the Asia-Pacific region, especially South Korea, as well as targets in the United States and Europe. Kimsuky has previously used password-protected ZIP files and AI-generated deepfake photos in its attacks. The groups use legitimate services and Windows processes to dodge security tools and different encryption methods for each step in a multistage infection chain, along with memory-resident execution and dynamic API resolution to keep the malicious code from being detected. Kimsuky is also targeting organizations involved in North Korea-related policy, research and analysis, including non-governmental organizations, think tanks, academic institutions, strategic advisory firms and government entities in the U.S. The group uses QR codes in phishing campaigns, a technique known as 'quishing', to redirect victims to malicious locations disguised as questionnaires, secure drives or fake login pages. The FBI has warned about Kimsuky's use of malicious QR codes in spear-phishing campaigns targeting entities in the U.S., highlighting the group's history of subverting email authentication protocols and exploiting improperly configured DMARC record policies.
Cybersecurity researchers have uncovered a new phishing campaign that exploits social media private messages to propagate malicious payloads, likely with the intent to deploy a remote access trojan (RAT). The activity delivers "weaponized files via Dynamic Link Library (DLL) sideloading, combined with a legitimate, open-source Python pen-testing script." The attack involves approaching high-value individuals through messages sent on LinkedIn, establishing trust, and deceiving them into downloading a malicious WinRAR self-extracting archive (SFX). Once launched, the archive extracts four different components: a legitimate open-source PDF reader application, a malicious DLL that's sideloaded by the PDF reader, a portable executable (PE) of the Python interpreter, and a RAR file that likely serves as a decoy. The infection chain gets activated when the PDF reader application is run, causing the rogue DLL to be sideloaded. The use of DLL side-loading has become an increasingly common technique adopted by threat actors to evade detection and conceal signs of malicious activity by taking advantage of legitimate processes. Over the past week, at least three documented campaigns have leveraged DLL side-loading to deliver malware families tracked as LOTUSLITE and PDFSIDER, along with other commodity trojans and information stealers. In the campaign observed by ReliaQuest, the sideloaded DLL is used to drop the Python interpreter onto the system and create a Windows Registry Run key that makes sure that the Python interpreter is automatically executed upon every login. The interpreter's primary responsibility is to execute a Base64-encoded open-source shellcode that's directly executed in memory to avoid leaving forensic artifacts on disk. The final payload attempts to communicate with an external server, granting the attackers persistent remote access to the compromised host and exfiltrating data of interest. 
The abuse of legitimate open-source tools, coupled with the use of phishing messages sent on social media platforms, shows that phishing attacks are not confined to emails alone and that alternative delivery methods can exploit security gaps to increase the odds of success and break into corporate environments. ReliaQuest told The Hacker News that the campaign appears to be broad and opportunistic, with activity spanning various sectors and regions. "That said, because this activity plays out in direct messages, and social media platforms are typically less monitored than email, it's difficult to quantify the full scale," it added. "This approach allows attackers to bypass detection and scale their operations with minimal effort while maintaining persistent control over compromised systems," the cybersecurity company said. "Once inside, they can escalate privileges, move laterally across networks, and exfiltrate data." This is not the first time LinkedIn has been misused for targeted attacks. In recent years, multiple North Korean threat actors, including those linked to the CryptoCore and Contagious Interview campaigns, have singled out victims by contacting them on LinkedIn under the pretext of a job opportunity and convincing them to run a malicious project as part of a supposed assessment or code review. In March 2025, Cofense also detailed a LinkedIn-themed phishing campaign that employs lures related to LinkedIn InMail notifications to get recipients to click on a "Read More" or "Reply To" button and download the remote desktop software developed by ConnectWise for gaining complete control over victim hosts. "Social media platforms commonly used by businesses represent a gap in most organizations' security posture," ReliaQuest said. "Unlike email, where organizations tend to have security monitoring tools, social media private messages lack visibility and security controls, making them an attractive delivery channel for phishing campaigns." 
"Organizations must recognize social media as a critical attack surface for initial access and extend their defenses beyond email-centric controls."
Increased Scanning Activity on Palo Alto Networks Login Portals
A significant increase in scanning activity targeting Palo Alto Networks login portals was observed on October 3, 2025. The activity involved 1,300 unique IP addresses, with 91% classified as suspicious and 7% as malicious. The scans were geolocated primarily in the U.S., with smaller clusters in the U.K., the Netherlands, Canada, and Russia. The scans were directed at Palo Alto GlobalProtect and PAN-OS profiles, indicating targeted reconnaissance efforts. This surge shares characteristics with recent scanning activity targeting Cisco ASA devices, which was followed by the disclosure of zero-day vulnerabilities. An automated campaign targeting multiple VPN platforms, including Palo Alto Networks GlobalProtect and Cisco SSL VPN, was observed starting on December 11, 2025. The number of login attempts aimed at GlobalProtect portals peaked at 1.7 million during a 16-hour period. The attacks originated from more than 10,000 unique IP addresses, primarily from the 3xK GmbH (Germany) IP space, and targeted infrastructure in the United States, Mexico, and Pakistan. The threat actor reused common username and password combinations, with most requests using an uncommon Firefox user agent for automated login activity. The activity reflects scripted credential probing designed to identify exposed or weakly protected GlobalProtect portals. On December 12, 2025, activity from the same hosting provider using the same TCP fingerprint started probing Cisco SSL VPN endpoints, with unique attack IPs jumping to 1,273 from a normal baseline of less than 200. The login payloads followed normal SSL VPN authentication flows, indicating automated credential attacks rather than exploits. Palo Alto Networks confirmed the activity and recommended using strong passwords and multi-factor authentication protection.
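The indicators in the paragraph above (a jump in unique source IPs over the normal baseline, many usernames tried from each host, all failing, one uncommon user agent reused throughout, and the hosts clustering in a single provider's range) can be turned into a simple log check. The code below is an added example, not from Palo Alto Networks or any vendor tooling: the log format, IP addresses, user agents and thresholds are constructed assumptions, with the baseline default of 200 unique IPs taken from the figure the paragraph cites.

```python
"""Heuristics for spotting scripted credential probing against a VPN login portal.

Added example, not from the original report or from any vendor tooling. The
log format is constructed: one login attempt per line, tab-separated as
<ISO-8601 time> <source IP> <username> <OK|FAIL> <user agent>. Real portal
logs differ, so parse_log() is the only part that needs adapting.
"""
from collections import defaultdict
import ipaddress

# One unusual browser string reused by every scripted request (constructed values).
SCRIPTED_UA = "Mozilla/5.0 (Windows NT 10.0; rv:52.0) Gecko/20100101 Firefox/52.0"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"


def build_sample_log():
    """Constructed sample: two real users plus a spray from six hosts in one /24."""
    lines = [
        f"2025-12-11T02:00:05Z\t192.0.2.10\talice\tOK\t{BROWSER_UA}",
        f"2025-12-11T02:01:10Z\t192.0.2.11\tbob\tFAIL\t{BROWSER_UA}",
        f"2025-12-11T02:01:40Z\t192.0.2.11\tbob\tOK\t{BROWSER_UA}",
    ]
    for host in range(20, 26):  # 198.51.100.20 .. .25 stand in for one hosting range
        for i, user in enumerate(["admin", "test", "vpn", "guest", "user1"]):
            lines.append(
                f"2025-12-11T02:0{i}:{host}Z\t198.51.100.{host}\t{user}\tFAIL\t{SCRIPTED_UA}"
            )
    return "\n".join(lines)


def parse_log(text):
    """Parse the constructed format into dicts; adapt this for a real portal log."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result, ua = line.split("\t", 4)
        records.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK", "ua": ua})
    return records


def analyze(records, baseline_unique_ips=200, min_attempts=3, min_users=3, spray_hosts=3):
    """Return a findings dict for one analysis window.

    unique_ip_spike: unique source IPs exceed the normal baseline
    probing_ips:     hosts that tried >= min_users usernames, all failed, with one UA
    spray_networks:  /24 networks holding >= spray_hosts probing hosts
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "fails": 0, "uas": set()})
    for r in records:
        s = per_ip[r["ip"]]
        s["attempts"] += 1
        s["users"].add(r["user"])
        s["fails"] += 0 if r["ok"] else 1
        s["uas"].add(r["ua"])

    probing = []
    for ip, s in per_ip.items():
        if (s["attempts"] >= min_attempts and len(s["users"]) >= min_users
                and s["fails"] == s["attempts"] and len(s["uas"]) == 1):
            probing.append(ip)

    nets = defaultdict(set)
    for ip in probing:
        nets[str(ipaddress.ip_network(f"{ip}/24", strict=False))].add(ip)
    spray_networks = {net: sorted(ips) for net, ips in nets.items() if len(ips) >= spray_hosts}

    return {
        "unique_ips": len(per_ip),
        "unique_ip_spike": len(per_ip) > baseline_unique_ips,
        "probing_ips": sorted(probing),
        "spray_networks": spray_networks,
    }


if __name__ == "__main__":
    print(analyze(parse_log(build_sample_log())))
```

The per-host test (many distinct usernames, zero successes, a single user agent) separates a user mistyping a password from a script cycling a wordlist, and grouping the flagged hosts by /24 surfaces the provider-range pattern even when each individual host stays below a per-IP rate limit.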
Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations
The BRICKSTORM malware, attributed to PRC state-sponsored actors, has been used for long-term espionage against U.S. organizations, particularly in the technology, legal, SaaS, and BPO sectors. The malware, a Go-based backdoor, has been active for over a year, with an average dwell time of 393 days. It targets appliances without EDR support, such as VMware vCenter/ESXi, and uses legitimate traffic to mask its C2 communications. The attackers aim to exfiltrate emails and maintain stealth through various tactics, including removing the malware post-operation to hinder forensic investigations. The malware serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution. The attackers use a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials and clone Windows Server VMs to extract secrets. The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. The malware exfiltrates emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM. CISA, NSA, and Cyber Centre issued a joint report on BRICKSTORM, providing IOCs, detection signatures, and recommended mitigations. The report highlights BRICKSTORM's advanced functionality to conceal communications, move laterally, and tunnel into victim networks. The malware automatically reinstalls or restarts if disrupted, and PRC actors are primarily targeting government and IT sector organizations. CISA analyzed eight BRICKSTORM samples from victim organizations and urges organizations to contact CISA if they detect BRICKSTORM or related activity. 
CISA warns that Chinese hackers have been backdooring VMware vSphere servers with Brickstorm malware, using multiple layers of encryption and a self-monitoring function to maintain persistence. The attackers compromised a web server in an organization's DMZ in April 2024, moved laterally to an internal VMware vCenter server, and deployed malware. They also hacked two domain controllers and exported cryptographic keys after compromising an ADFS server, maintaining access from at least April 2024 through September 2025. The attackers captured Active Directory database information and performed system backups to steal legitimate credentials and other sensitive data. CrowdStrike linked these attacks to a Chinese hacking group it tracks as Warp Panda, which also deployed previously unknown Junction and GuestConduit malware implants in VMware ESXi environments. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday released details of a backdoor named BRICKSTORM that has been put to use by state-sponsored threat actors from the People's Republic of China (PRC) to maintain long-term persistence on compromised systems. BRICKSTORM is a sophisticated backdoor for VMware vSphere and Windows environments, enabling cyber threat actors to maintain stealthy access and providing capabilities for initiation, persistence, and secure command-and-control. Written in Golang, the custom implant gives bad actors interactive shell access on the system and allows them to browse, upload, download, create, delete, and manipulate files. The malware, mainly used in attacks targeting governments and information technology (IT) sectors, also supports multiple protocols, such as HTTPS, WebSockets, and nested Transport Layer Security (TLS), for command-and-control (C2), DNS-over-HTTPS (DoH) to conceal communications and blend in with normal traffic, and can act as a SOCKS proxy to facilitate lateral movement. 
The cybersecurity agency did not disclose how many government agencies have been impacted or what type of data was stolen. The activity represents an ongoing tactical evolution of Chinese hacking groups, which have continued to strike edge network devices to breach networks and cloud infrastructures. In a statement shared with Reuters, a spokesperson for the Chinese embassy in Washington rejected the accusations, stating the Chinese government does not "encourage, support or connive at cyber attacks." BRICKSTORM was first documented by Google Mandiant in 2024 in attacks linked to the zero-day exploitation of Ivanti Connect Secure vulnerabilities (CVE-2023-46805 and CVE-2024-21887). The use of the malware has been attributed to two clusters: UNC5221 and a new China-nexus adversary tracked by CrowdStrike as Warp Panda. Earlier this September, Mandiant and Google Threat Intelligence Group (GTIG) said they observed legal services, software-as-a-service (SaaS) providers, Business Process Outsourcers (BPOs), and technology sectors in the U.S. being targeted by UNC5221 and other closely related threat activity clusters to deliver the malware. A key feature of the malware, per CISA, is its ability to automatically reinstall or restart itself by means of a self-monitoring function that allows its continued operation in the face of any potential disruption. In one case detected in April 2024, the threat actors are said to have accessed a web server inside an organization's demilitarized zone (DMZ) using a web shell, before moving laterally to an internal VMware vCenter server and implanting BRICKSTORM. However, many details remain unknown, including the initial access vector used in the attack and when the web shell was deployed.
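The BRICKSTORM description above stresses two traits a network defender can act on: the implant hides C2 behind DNS-over-HTTPS and ordinary HTTPS, and it lives on appliances such as vCenter and ESXi that have no business talking to public DoH resolvers or beaconing at fixed intervals. The following checks are an added example, not tooling from CISA, Mandiant or CrowdStrike. They run over constructed connection records shaped like a firewall or NetFlow export; the public DoH resolver hostnames are real, while the appliance inventory, addresses and records are constructed, and the beacon thresholds are assumptions.

```python
"""Two network checks for appliance hosts that should never speak DoH or beacon.

Added example; not from CISA, Mandiant or CrowdStrike tooling. It runs over
constructed connection records shaped like a firewall or NetFlow export
(epoch time, source, destination, port, TLS SNI, optional HTTP path). The
public DoH resolver hostnames are real; the appliance inventory and all
records are constructed, and the thresholds are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Well-known public DoH endpoints (real names); extend from your own allow/deny data.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net", "one.one.one.one"}
# Constructed inventory: management appliances that lack EDR coverage.
APPLIANCES = {"10.0.1.5": "vcenter01", "10.0.1.6": "esxi01"}


def _rec(ts, src, dst, dport, sni=None, path=None):
    return {"ts": ts, "src": src, "dst": dst, "dport": dport, "sni": sni, "path": path}


SAMPLE_CONNECTIONS = [
    _rec(1000, "10.0.1.5", "8.8.8.8", 443, "dns.google", "/dns-query"),          # appliance -> DoH
    _rec(1005, "10.0.1.6", "10.0.0.53", 53),                                      # ordinary DNS
    _rec(1010, "10.0.2.20", "1.1.1.1", 443, "cloudflare-dns.com", "/dns-query"),  # workstation -> DoH
    _rec(1020, "10.0.1.5", "203.0.113.9", 443, "vendor-updates.example.test"),    # routine HTTPS
    _rec(1030, "10.0.1.5", "203.0.113.50", 443, "relay.example.test", "/dns-query"),  # DoH path, unknown host
] + [  # six connections exactly 300 s apart from vcenter01 to one host
    _rec(2000 + 300 * i, "10.0.1.5", "198.51.100.7", 443, "cdn.example.test") for i in range(6)
]


def is_doh(conn):
    """DoH is HTTPS to a known resolver or any HTTPS request for /dns-query."""
    if conn["dport"] != 443:
        return False
    sni = (conn["sni"] or "").lower()
    return sni in DOH_RESOLVERS or (conn["path"] or "").startswith("/dns-query")


def find_doh_use(connections, appliances=APPLIANCES):
    """List DoH connections; those from inventoried appliances are rated high."""
    findings = []
    for c in connections:
        if is_doh(c):
            asset = appliances.get(c["src"])
            findings.append({"src": c["src"], "asset": asset or "endpoint",
                             "severity": "high" if asset else "info",
                             "resolver": c["sni"] or c["dst"]})
    return findings


def find_periodic_beacons(connections, appliances=APPLIANCES, min_count=5, max_cv=0.1):
    """Flag appliance -> destination pairs whose inter-connection gaps are near-constant.

    cv is the coefficient of variation (stdev / mean) of the gaps; a scheduled
    check-in has a cv close to 0, human or bursty traffic does not.
    """
    times = defaultdict(list)
    for c in connections:
        if c["src"] in appliances:
            times[(c["src"], c["sni"] or c["dst"])].append(c["ts"])
    beacons = []
    for (src, dst), ts in times.items():
        if len(ts) < min_count:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else 0.0
        if cv <= max_cv:
            beacons.append({"src": src, "asset": appliances[src], "dst": dst,
                            "interval_s": round(avg), "count": len(ts), "cv": round(cv, 3)})
    return beacons


if __name__ == "__main__":
    print(find_doh_use(SAMPLE_CONNECTIONS))
    print(find_periodic_beacons(SAMPLE_CONNECTIONS))
```

The periodicity test is deliberately scoped to the appliance inventory: fixed-interval HTTPS from a workstation is usually a software updater, but from a vCenter or ESXi host that has no agent on it, a low-jitter check-in to a host outside the vendor's update domains is worth a packet capture.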
The attackers have also been found to leverage the access to obtain service account credentials and laterally move to a domain controller in the DMZ using Remote Desktop Protocol (RDP) so as to capture Active Directory information. Over the course of the intrusion, the threat actors managed to get the credentials for a managed service provider (MSP) account, which was then used to jump from the internal domain controller to the VMware vCenter server. CISA said the actors also moved laterally from the web server using Server Message Block (SMB) to two jump servers and an Active Directory Federation Services (ADFS) server, exfiltrating cryptographic keys from the latter. The access to vCenter ultimately enabled the adversary to deploy BRICKSTORM after elevating their privileges. CrowdStrike, in its analysis of Warp Panda, said it has detected multiple intrusions targeting VMware vCenter environments at U.S.-based legal, technology, and manufacturing entities this year that have led to the deployment of BRICKSTORM. The group is believed to have been active since at least 2022. Warp Panda exhibits a high level of technical sophistication, advanced operations security (OPSEC) skills, and extensive knowledge of cloud and virtual machine (VM) environments. Warp Panda demonstrates a high level of stealth and almost certainly focuses on maintaining persistent, long-term, covert access to compromised networks. Evidence shows the hacking group gained initial access to one entity in late 2023. Also deployed in the attacks alongside BRICKSTORM are two previously undocumented Golang implants, namely Junction and GuestConduit, on ESXi hosts and guest VMs, respectively. Junction acts as an HTTP server to listen for incoming requests and supports a wide range of capabilities to execute commands, proxy network traffic, and interact with guest VMs through VM sockets (VSOCK). 
GuestConduit, on the other hand, is a network traffic-tunneling implant that resides within a guest VM and establishes a VSOCK listener on port 5555. Its primary responsibility is to facilitate communication between guest VMs and hypervisors. Initial access methods involve the exploitation of internet-facing edge devices to pivot to vCenter environments, either using valid credentials or abusing vCenter vulnerabilities. Lateral movement is achieved by using SSH and the privileged vCenter management account "vpxuser." The hacking crew has also used the Secure File Transfer Protocol (SFTP) to move data between hosts. Exploited vulnerabilities include CVE-2024-21887 and CVE-2023-46805 (Ivanti Connect Secure), CVE-2024-38812, CVE-2023-34048 and CVE-2021-22005 (VMware vCenter), and CVE-2023-46747 (F5 BIG-IP). The entire modus operandi revolves around maintaining stealth by clearing logs, timestomping files, and creating rogue VMs that are shut down after use. BRICKSTORM, masquerading as benign vCenter processes, is employed to tunnel traffic through vCenter servers, ESXi hosts, and guest VMs. Similar to details shared by CISA, CrowdStrike noted that the attackers used their access to vCenter servers to clone domain controller VMs, possibly in a bid to harvest the Active Directory Domain Services database. The threat actors have also been spotted accessing the email accounts of employees who work in areas that align with Chinese government interests. Warp Panda likely used their access to one of the compromised networks to engage in rudimentary reconnaissance against an Asia Pacific government entity. They also connected to various cybersecurity blogs and a Mandarin-language GitHub repository. Another significant aspect of Warp Panda's activities is their focus on establishing persistence in cloud environments and accessing sensitive data.
Characterizing it as a "cloud-conscious adversary," CrowdStrike said the attackers exploited their access to entities' Microsoft Azure environments to access data stored in OneDrive, SharePoint, and Exchange. In at least one incident, the hackers managed to get hold of user session tokens, likely by exfiltrating user browser files, and then tunneled traffic through BRICKSTORM implants to access Microsoft 365 services via a session replay attack and download SharePoint files related to the organization's network engineering and incident response teams. The attackers have also used additional ways to set up persistence, such as registering a new multi-factor authentication (MFA) device through an Authenticator app code after initially logging into a user account. In another intrusion, the Microsoft Graph API was used to enumerate service principals, applications, users, directory roles, and emails. The adversary primarily targets entities in North America and consistently maintains persistent, covert access to compromised networks, likely to support intelligence-collection efforts aligned with PRC strategic interests. Chinese-speaking threat actors are suspected to have leveraged a compromised SonicWall VPN appliance as an initial access vector to deploy a VMware ESXi exploit that may have been developed as far back as February 2024. The exploit targeted three VMware vulnerabilities: CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226. The toolkit includes simplified Chinese strings, suggesting a Chinese-speaking developer. The exploit uses the Host-Guest File System (HGFS) for information leaking and the Virtual Machine Communication Interface (VMCI) for memory corruption. The toolkit involves multiple components, including 'exploit.exe' (MAESTRO), 'devcon.exe', and 'MyDriver.sys', which write three payloads into the VMX process's memory: Stage 1 shellcode, Stage 2 shellcode, and VSOCKpuppet.
VSOCKpuppet is a 64-bit ELF backdoor that provides persistent remote access to the ESXi host. The threat actors use 'client.exe' (GetShell Plugin) to send commands to the compromised ESXi host. The GetShell Plugin supports file transfer and command execution features. The toolkit prioritizes stealth over persistence.