WeepSteel Malware Deployed via Sitecore Zero-Day Exploit
Summary
Threat actors exploited a zero-day in Sitecore Experience Manager (XM) and Experience Platform (XP) to deliver the WeepSteel reconnaissance backdoor. The flaw, tracked as CVE-2025-53690 (CVSS 9.0, critical), is a ViewState deserialization issue that affects deployments up to version 9.0 configured with a sample ASP.NET machine key published in Sitecore deployment guides from 2017 and earlier. Because the key was public, attackers could sign malicious ViewState that the server deserialized, gaining code execution under the IIS worker account; the intrusion then progressed to internal reconnaissance, creation of local administrator accounts, and deployment of open-source tools for tunnelling, remote access and lateral movement over RDP. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch the vulnerability by September 25, 2025.

A later set of reports describes the China-linked group Ink Dragon (also tracked as Jewelbug), active since at least March 2023 against government entities and telecommunications organizations across Europe, Asia and Africa, turning misconfigured servers in European government networks into relay nodes that hide its espionage traffic. The group probes public-facing sites for configuration weaknesses in Microsoft IIS and SharePoint, relies on predictable or mismanaged ASP.NET machine keys for ViewState deserialization attacks, has weaponized the ToolShell SharePoint flaws, and drops web shells that deliver payloads such as VARGEIT and Cobalt Strike beacons. Once inside, it collects credentials, obtains a local administrator credential and moves laterally over an RDP tunnel, persists through scheduled tasks and services, dumps LSASS memory and registry hives, maps the environment and controls policy settings, and alters host firewall rules so compromised hosts can act as a ShadowPad relay network; a customized IIS module turns public-facing servers into relay points for operations elsewhere. Its toolset includes the cross-platform FINALDRAFT (aka Squidoor) backdoor, which pulls encoded command documents from the victim's mailbox and decrypts and executes them, and whose new variant adds stealth, higher exfiltration throughput and evasion techniques while blending into Microsoft cloud activity; NANOREMOTE, another backdoor, uses the Google Drive API to move files between the C2 server and the endpoint. Ink Dragon has impacted several dozen victims and has also been attributed a five-month intrusion at a Russian IT service provider. A second China-linked actor, REF3927 (aka RudePanda), has been found in some of the same European government networks, exploiting the same exposed server vulnerability.
Timeline
17.12.2025 11:30 · 2 articles
Ink Dragon Uses European Government Networks as Relay Nodes
The China-linked threat group Ink Dragon, also tracked as Jewelbug, has been targeting government entities and telecommunications organizations across Europe, Asia, and Africa since at least March 2023. The group combines solid software engineering, disciplined operational playbooks, and platform-native tools to blend into normal enterprise telemetry. It has impacted several dozen victims and uses a backdoor called FINALDRAFT (aka Squidoor) that can infect both Windows and Linux systems; it has also been attributed a five-month intrusion at a Russian IT service provider. For initial access, Ink Dragon exploits vulnerable services in internet-exposed web applications to drop web shells, which then deliver additional payloads such as VARGEIT and Cobalt Strike beacons. Another backdoor in its arsenal, NANOREMOTE, uses the Google Drive API to move files between the C2 server and the compromised endpoint. The group has relied on predictable or mismanaged ASP.NET machine key values to carry out ViewState deserialization attacks against vulnerable IIS and SharePoint servers, and has weaponized the ToolShell SharePoint flaws to drop web shells on compromised servers. From the foothold gained through the IIS machine-key attack, it obtains a local administrator credential and uses it for lateral movement over an RDP tunnel. Persistence comes from scheduled tasks and installed services; for credential access and privilege escalation it dumps LSASS process memory and extracts registry hives. It modifies host firewall rules to allow the outbound traffic needed to turn infected hosts into a ShadowPad relay network. Ink Dragon has also introduced a new FINALDRAFT variant with enhanced stealth, higher exfiltration throughput, and additional evasion techniques.

FINALDRAFT implements a modular command framework: operators push encoded command documents to the victim's mailbox, and the implant pulls, decrypts, and executes them. Evidence of a second threat actor, tracked as REF3927 (aka RudePanda), has been detected in several of the same victim environments breached by Ink Dragon.
Sources:
- Chinese Ink Dragon Group Hides in European Government Networks — www.infosecurity-magazine.com — 17.12.2025 11:30
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12
04.09.2025 11:46 · 4 articles
WeepSteel Malware Deployed via Sitecore Zero-Day Exploit
The Sitecore vulnerability, CVE-2025-53690, carries a CVSS score of 9.0 (critical), and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch it by September 25, 2025. The attack chain documented by Mandiant combines open-source and custom tools for host reconnaissance, remote access, and Active Directory enumeration. The WEEPSTEEL malware borrows some of its functionality from an open-source Python tool named ExchangeCmdPy.py, and the attackers were also observed using SharpHound and GoTokenTheft. Sitecore has confirmed that new deployments now generate keys automatically and that all affected customers have been contacted.
Sources:
- Hackers Exploit Sitecore Zero-Day for Malware Delivery — www.securityweek.com — 04.09.2025 11:46
- Hackers exploited Sitecore zero-day flaw to deploy backdoors — www.bleepingcomputer.com — 04.09.2025 21:51
- Sitecore Zero-Day Sparks New Round of ViewState Threats — www.darkreading.com — 05.09.2025 01:05
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
Information Snippets
The vulnerability, CVE-2025-53690, is a deserialization-of-untrusted-data bug affecting Sitecore Experience Manager (XM) and Experience Platform (XP) up to version 9.0 when deployed with the sample ASP.NET machine key.
First reported: 04.09.2025 11:46 · 4 sources, 4 articles
- Hackers Exploit Sitecore Zero-Day for Malware Delivery — www.securityweek.com — 04.09.2025 11:46
- Hackers exploited Sitecore zero-day flaw to deploy backdoors — www.bleepingcomputer.com — 04.09.2025 21:51
- Sitecore Zero-Day Sparks New Round of ViewState Threats — www.darkreading.com — 05.09.2025 01:05
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
The exploit used a sample machine key included in Sitecore deployment guides from 2017 and earlier.
First reported: 04.09.2025 11:46 · 4 sources, 4 articles
- Hackers Exploit Sitecore Zero-Day for Malware Delivery — www.securityweek.com — 04.09.2025 11:46
- Hackers exploited Sitecore zero-day flaw to deploy backdoors — www.bleepingcomputer.com — 04.09.2025 21:51
- Sitecore Zero-Day Sparks New Round of ViewState Threats — www.darkreading.com — 05.09.2025 01:05
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
The attack involved ViewState deserialization against internet-accessible Sitecore instances.
First reported: 04.09.2025 11:46 · 3 sources, 3 articles
- Hackers Exploit Sitecore Zero-Day for Malware Delivery — www.securityweek.com — 04.09.2025 11:46
- Hackers exploited Sitecore zero-day flaw to deploy backdoors — www.bleepingcomputer.com — 04.09.2025 21:51
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
WeepSteel malware was deployed to enable internal reconnaissance and data exfiltration.
First reported: 04.09.2025 11:46 · 3 sources, 3 articles
- Hackers Exploit Sitecore Zero-Day for Malware Delivery — www.securityweek.com — 04.09.2025 11:46
- Hackers exploited Sitecore zero-day flaw to deploy backdoors — www.bleepingcomputer.com — 04.09.2025 21:51
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
The attackers archived the root directory of the web application, performed host and network reconnaissance, and deployed open-source tools for network tunneling and remote access.
First reported: 04.09.2025 11:46 · 3 sources, 3 articles
- Hackers Exploit Sitecore Zero-Day for Malware Delivery — www.securityweek.com — 04.09.2025 11:46
- Hackers exploited Sitecore zero-day flaw to deploy backdoors — www.bleepingcomputer.com — 04.09.2025 21:51
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
The attackers created local administrator accounts and used Remote Desktop Protocol (RDP) for access.
First reported: 04.09.2025 11:46 · 3 sources, 3 articles
- Hackers Exploit Sitecore Zero-Day for Malware Delivery — www.securityweek.com — 04.09.2025 11:46
- Hackers exploited Sitecore zero-day flaw to deploy backdoors — www.bleepingcomputer.com — 04.09.2025 21:51
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
The attacks were disrupted, but the methods used highlight the risks of using default or outdated configuration settings.
First reported: 04.09.2025 11:46 · 2 sources, 2 articles
- Hackers Exploit Sitecore Zero-Day for Malware Delivery — www.securityweek.com — 04.09.2025 11:46
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
The flaw, CVE-2025-53690, is a ViewState deserialization vulnerability that arises when a deployment reuses the sample ASP.NET machine key published in Sitecore guides from 2017 and earlier.
First reported: 04.09.2025 21:51 · 3 sources, 3 articles
- Hackers exploited Sitecore zero-day flaw to deploy backdoors — www.bleepingcomputer.com — 04.09.2025 21:51
- Sitecore Zero-Day Sparks New Round of ViewState Threats — www.darkreading.com — 05.09.2025 01:05
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
The flaw is not a bug in ASP.NET itself, but a misconfiguration vulnerability created by reusing publicly documented keys that were never meant for production.
First reported: 04.09.2025 21:51 · 3 sources, 3 articles
- Hackers exploited Sitecore zero-day flaw to deploy backdoors — www.bleepingcomputer.com — 04.09.2025 21:51
- Sitecore Zero-Day Sparks New Round of ViewState Threats — www.darkreading.com — 05.09.2025 01:05
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
The attackers targeted the '/sitecore/blocked.aspx' endpoint, which exposes a ViewState field to unauthenticated requests, and achieved remote code execution as the IIS worker's NETWORK SERVICE account.
First reported: 04.09.2025 21:51 · 3 sources, 3 articles
- Hackers exploited Sitecore zero-day flaw to deploy backdoors — www.bleepingcomputer.com — 04.09.2025 21:51
- Sitecore Zero-Day Sparks New Round of ViewState Threats — www.darkreading.com — 05.09.2025 01:05
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
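As an added illustration of the trust boundary described in the snippets above (not code from Sitecore, Mandiant or the cited articles), the following reduced Python model of MAC-protected ViewState shows why a published validationKey is sufficient for the attack and why a rotated, unique key stops it. The key values, the page modifier and the "gadget" bytes are constructed placeholders; real ASP.NET uses its own serializer and a richer MAC input, but the decision the server makes is the same.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os

# Added example (not Sitecore's, Microsoft's or Mandiant's code): a reduced model of
# MAC-protected ASP.NET ViewState, to show why a published validationKey is the
# whole story in CVE-2025-53690. Real ASP.NET serializes with ObjectStateFormatter
# and folds more context into the MAC (page identity, ViewStateUserKey), but the
# trust decision is the same: if the HMAC verifies, the server deserializes the
# blob. Keys, page path and the "gadget" bytes below are constructed placeholders.

PUBLISHED_SAMPLE_KEY = b"validationKey-copied-from-a-2017-deployment-guide"  # stand-in, not the real sample key
UNIQUE_KEY = os.urandom(64)                   # what "replace with new, unique keys" yields
PAGE_MODIFIER = b"/sitecore/blocked.aspx"     # stand-in for the per-page modifier
TAG_LEN = hashlib.sha256().digest_size        # validation="HMACSHA256"


def sign_viewstate(state: bytes, validation_key: bytes, modifier: bytes = PAGE_MODIFIER) -> str:
    """Produce a __VIEWSTATE value: state || HMAC-SHA256(key, state || modifier), base64."""
    tag = hmac.new(validation_key, state + modifier, hashlib.sha256).digest()
    return base64.b64encode(state + tag).decode("ascii")


def accept_viewstate(viewstate: str, validation_key: bytes, modifier: bytes = PAGE_MODIFIER) -> bytes | None:
    """Server side: return the state bytes for deserialization only if the MAC verifies.
    In ASP.NET the bytes returned here go straight into the deserializer, which is where
    a gadget-chain payload executes; the MAC check is the only gate in front of it."""
    raw = base64.b64decode(viewstate)
    if len(raw) <= TAG_LEN:
        return None
    state, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(validation_key, state + modifier, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):    # constant-time comparison
        return None
    return state


GADGET = b"<attacker-controlled serialized object graph>"   # placeholder for a real gadget chain


def forge_with_known_key(key_from_docs: bytes) -> str:
    """Attacker: needs no access to the server, only the key value printed in the old guide."""
    return sign_viewstate(GADGET, key_from_docs)


def server_deserializes(viewstate: str, server_key: bytes, modifier: bytes = PAGE_MODIFIER) -> bool:
    return accept_viewstate(viewstate, server_key, modifier) is not None


def demo() -> dict[str, bool]:
    forged = forge_with_known_key(PUBLISHED_SAMPLE_KEY)
    tampered = base64.b64encode(b"X" + base64.b64decode(forged)[1:]).decode("ascii")
    return {
        # server still running the documented sample key: forged blob passes the MAC and is deserialized
        "sample_key_server_accepts_forgery": server_deserializes(forged, PUBLISHED_SAMPLE_KEY),
        # same blob against a server whose key was rotated to a unique value: rejected before deserialization
        "rotated_key_server_accepts_forgery": server_deserializes(forged, UNIQUE_KEY),
        # any change to the signed bytes breaks the MAC, so the key is what matters, not the payload
        "tampered_blob_accepted": server_deserializes(tampered, PUBLISHED_SAMPLE_KEY),
        # a MAC bound to one page does not carry over to another endpoint
        "other_page_accepts_forgery": server_deserializes(forged, PUBLISHED_SAMPLE_KEY, b"/other.aspx"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it directly to print the four outcomes. The point for defenders is the second line: nothing about the payload or the endpoint changes, only the key, and the forged blob is rejected before any deserialization happens. A key that is known to be public therefore has to be treated like a leaked password, with rotation rather than detection as the fix.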
The malicious payload dropped is WeepSteel, a reconnaissance backdoor that gathers system, process, disk, and network information, disguising its exfiltration as standard ViewState responses.
First reported: 04.09.2025 21:51 · 3 sources, 3 articles
- Hackers exploited Sitecore zero-day flaw to deploy backdoors — www.bleepingcomputer.com — 04.09.2025 21:51
- Sitecore Zero-Day Sparks New Round of ViewState Threats — www.darkreading.com — 05.09.2025 01:05
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
The attackers executed reconnaissance commands including whoami, hostname, tasklist, ipconfig /all, and netstat -ano.
First reported: 04.09.2025 21:51 · 3 sources, 3 articles
- Hackers exploited Sitecore zero-day flaw to deploy backdoors — www.bleepingcomputer.com — 04.09.2025 21:51
- Sitecore Zero-Day Sparks New Round of ViewState Threats — www.darkreading.com — 05.09.2025 01:05
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
The attackers deployed Earthworm (a network tunneling and reverse SOCKS proxy), Dwagent (a remote access tool), and 7-Zip (for creating archives of stolen data).
First reported: 04.09.2025 21:51 · 3 sources, 3 articles
- Hackers exploited Sitecore zero-day flaw to deploy backdoors — www.bleepingcomputer.com — 04.09.2025 21:51
- Sitecore Zero-Day Sparks New Round of ViewState Threats — www.darkreading.com — 05.09.2025 01:05
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
The attackers escalated privileges by creating local administrator accounts ('asp$' and 'sawadmin'), dumping cached credentials, and attempting token impersonation with GoTokenTheft.
First reported: 04.09.2025 21:51 · 2 sources, 2 articles
- Hackers exploited Sitecore zero-day flaw to deploy backdoors — www.bleepingcomputer.com — 04.09.2025 21:51
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
Persistence was established by disabling password expiry on these accounts, granting them RDP access, and registering Dwagent as a service running as SYSTEM.
First reported: 04.09.2025 21:51 · 2 sources, 2 articles
- Hackers exploited Sitecore zero-day flaw to deploy backdoors — www.bleepingcomputer.com — 04.09.2025 21:51
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
CVE-2025-53690 impacts Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud, up to version 9.0, when deployed using the sample ASP.NET machine key included in pre-2017 documentation.
First reported: 04.09.2025 21:51 · 3 sources, 3 articles
- Hackers exploited Sitecore zero-day flaw to deploy backdoors — www.bleepingcomputer.com — 04.09.2025 21:51
- Sitecore Zero-Day Sparks New Round of ViewState Threats — www.darkreading.com — 05.09.2025 01:05
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
XM Cloud, Content Hub, CDP, Personalize, OrderCloud, Storefront, Send, Discover, Search, and Commerce Server are not impacted by CVE-2025-53690.
First reported: 04.09.2025 21:51 · 3 sources, 3 articles
- Hackers exploited Sitecore zero-day flaw to deploy backdoors — www.bleepingcomputer.com — 04.09.2025 21:51
- Sitecore Zero-Day Sparks New Round of ViewState Threats — www.darkreading.com — 05.09.2025 01:05
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
Sitecore published a security bulletin in coordination with Mandiant's report, warning that multi-instance deployments with static machine keys are also at risk.
First reported: 04.09.2025 21:51 · 3 sources, 3 articles
- Hackers exploited Sitecore zero-day flaw to deploy backdoors — www.bleepingcomputer.com — 04.09.2025 21:51
- Sitecore Zero-Day Sparks New Round of ViewState Threats — www.darkreading.com — 05.09.2025 01:05
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
The recommended actions for potentially impacted administrators are to immediately replace all static <machineKey> values in web.config with new, unique keys, and ensure the <machineKey> element inside web.config is encrypted.
First reported: 04.09.2025 21:51 · 3 sources, 3 articles
- Hackers exploited Sitecore zero-day flaw to deploy backdoors — www.bleepingcomputer.com — 04.09.2025 21:51
- Sitecore Zero-Day Sparks New Round of ViewState Threats — www.darkreading.com — 05.09.2025 01:05
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
It is recommended to adopt regular static machine key rotation as an ongoing security measure.
First reported: 04.09.2025 21:51 · 3 sources, 3 articles
- Hackers exploited Sitecore zero-day flaw to deploy backdoors — www.bleepingcomputer.com — 04.09.2025 21:51
- Sitecore Zero-Day Sparks New Round of ViewState Threats — www.darkreading.com — 05.09.2025 01:05
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
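The three remediation snippets above (replace static <machineKey> values, encrypt the element, rotate on a schedule) and the multi-instance warning in Sitecore's bulletin translate into a repeatable check. The Python below is an added example, not Sitecore's or Mandiant's tooling: it audits web.config files offline for static clear-text keys, legacy algorithms and keys shared across sites, and generates a replacement element. The site names, config fragments and the KNOWN_BAD_KEYS entry are constructed; the actual sample key from the old guides is intentionally not reproduced, so populate that set from the vendor bulletin.

```python
from __future__ import annotations

import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Added example (not Sitecore's, Mandiant's or any vendor's tooling): an offline
# audit of IIS web.config files for the machineKey misconfiguration behind
# CVE-2025-53690, plus a generator for replacement keys. The site names, configs
# and the KNOWN_BAD_KEYS value are constructed; the published Sitecore sample key
# is deliberately not reproduced, so fill KNOWN_BAD_KEYS from the vendor bulletin.

KNOWN_BAD_KEYS = {"0123456789abcdef" * 8}   # placeholder set of known-public keys (lower-case hex)


@dataclass
class Finding:
    site: str
    severity: str   # critical / high / medium / info / ok
    message: str


def machine_key_element(web_config_xml: str) -> ET.Element | None:
    """Return <machineKey> from a web.config, or None if the app inherits the server default."""
    root = ET.fromstring(web_config_xml)
    return next(root.iter("machineKey"), None)


def audit_site(site: str, web_config_xml: str, known_bad: set[str] = KNOWN_BAD_KEYS) -> list[Finding]:
    mk = machine_key_element(web_config_xml)
    if mk is None:
        return [Finding(site, "info", "no <machineKey>: keys auto-generated per server (fine for a single "
                                      "instance; a multi-instance farm needs explicit, unique, encrypted keys)")]
    provider = mk.get("configProtectionProvider")
    if provider:
        # aspnet_regiis -pef replaces the attributes with <EncryptedData>; values are not readable offline
        return [Finding(site, "ok", f"<machineKey> is encrypted with {provider}; use aspnet_regiis -pdf to inspect")]
    findings: list[Finding] = []
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):
            continue
        if value.lower() in known_bad:
            findings.append(Finding(site, "critical", f"{attr} matches a published sample key: anyone can sign "
                                                      "ViewState for this site (CVE-2025-53690 pattern)"))
        else:
            findings.append(Finding(site, "high", f"{attr} is a static key stored in clear text; encrypt the "
                                                  "section and put the key on a rotation schedule"))
    validation = mk.get("validation", "HMACSHA256")
    if not validation.upper().startswith("HMACSHA"):
        findings.append(Finding(site, "medium", f"validation={validation}: legacy MAC algorithm, use HMACSHA256 or stronger"))
    if mk.get("decryption", "Auto").upper() in {"DES", "3DES"}:
        findings.append(Finding(site, "medium", f"decryption={mk.get('decryption')}: legacy cipher, use AES"))
    return findings or [Finding(site, "ok", "machineKey present with no static clear-text keys")]


def shared_static_keys(configs: dict[str, str]) -> dict[str, list[str]]:
    """validationKey -> sites using it. Expected inside one farm; a finding across unrelated sites."""
    users: dict[str, list[str]] = {}
    for site, xml in configs.items():
        mk = machine_key_element(xml)
        if mk is None or mk.get("configProtectionProvider"):
            continue
        key = mk.get("validationKey", "AutoGenerate")
        if not key.startswith("AutoGenerate"):
            users.setdefault(key.lower(), []).append(site)
    return {k: v for k, v in users.items() if len(v) > 1}


def new_machine_key_element() -> str:
    """Fresh keys: 64 random bytes for HMACSHA256 validation, 32 for AES-256 decryption."""
    return (f'<machineKey validationKey="{secrets.token_hex(64)}" '
            f'decryptionKey="{secrets.token_hex(32)}" '
            'validation="HMACSHA256" decryption="AES" />')


# Constructed web.config fragments for five sites (not real deployments)
SAMPLE_KEY_SITE = f"""<configuration><system.web>
  <machineKey validationKey="{'0123456789ABCDEF' * 8}" decryptionKey="{'ABCD' * 16}"
              validation="SHA1" decryption="AES" />
</system.web></configuration>"""
STATIC_KEY_SITE = """<configuration><system.web>
  <machineKey validationKey="{}" decryptionKey="{}" validation="HMACSHA256" decryption="AES" />
</system.web></configuration>""".format("a1b2c3d4" * 16, "f0e1d2c3" * 8)
ENCRYPTED_SITE = """<configuration><system.web>
  <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
    <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns="http://www.w3.org/2001/04/xmlenc#">
      <CipherData><CipherValue>AAAA</CipherValue></CipherData>
    </EncryptedData>
  </machineKey>
</system.web></configuration>"""
NO_KEY_SITE = '<configuration><system.web><compilation debug="false" /></system.web></configuration>'

CONFIGS = {"cm01": SAMPLE_KEY_SITE, "cd01": STATIC_KEY_SITE, "cd02": STATIC_KEY_SITE,
           "api01": ENCRYPTED_SITE, "site-x": NO_KEY_SITE}


def run_audit(configs: dict[str, str] = CONFIGS) -> list[Finding]:
    findings = [f for site, xml in configs.items() for f in audit_site(site, xml)]
    for key, sites in shared_static_keys(configs).items():
        findings.append(Finding(",".join(sites), "info", f"validationKey {key[:8]}... shared by {len(sites)} sites"))
    return findings


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.severity:8}] {f.site}: {f.message}")
    print(new_machine_key_element())
```

After writing the new element into web.config, encrypt the section in place with `aspnet_regiis.exe -pef "system.web/machineKey" <physical path of the site>` (and `-pdf` to decrypt it again for inspection); the audit reports an encrypted section as `ok` without reading the values. Rotating keys invalidates in-flight ViewState and forms-authentication tickets, so schedule it, and in a multi-instance farm every node must receive the same newly generated key at the same time.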
The exploitation of CVE-2025-53690 is part of a broader trend of ViewState attacks this year, including vulnerabilities in Gladinet's CentreStack, ConnectWise, and Microsoft SharePoint Server.
First reported: 05.09.2025 01:05 · 2 sources, 2 articles
- Sitecore Zero-Day Sparks New Round of ViewState Threats — www.darkreading.com — 05.09.2025 01:05
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch the Sitecore vulnerability by September 25, 2025.
First reported: 05.09.2025 19:08 · 1 source, 1 article
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
The vulnerability, CVE-2025-53690, has a CVSS score of 9.0, indicating critical severity.
First reported: 05.09.2025 19:08 · 1 source, 1 article
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
The attack chain documented by Mandiant combines open-source and custom tools for host reconnaissance, remote access, and Active Directory enumeration.
First reported: 05.09.2025 19:08 · 1 source, 1 article
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
The malware WEEPSTEEL borrows some of its functionality from an open-source Python tool named ExchangeCmdPy.py.
First reported: 05.09.2025 19:08 · 1 source, 1 article
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
The attackers have been observed using SharpHound for Active Directory reconnaissance.
First reported: 05.09.2025 19:08 · 1 source, 1 article
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
The attackers used GoTokenTheft to list the unique user tokens active on the system, list all running processes with their associated user tokens, and execute commands under other users' tokens.
First reported: 05.09.2025 19:08 · 1 source, 1 article
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
The attackers created local administrator accounts (asp$ and sawadmin) and dumped the SAM and SYSTEM registry hives in an attempt to obtain administrator credentials and enable lateral movement over RDP.
First reported: 05.09.2025 19:08 · 1 source, 1 article
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
Sitecore has confirmed that new deployments now generate keys automatically and that all affected customers have been contacted.
First reported: 05.09.2025 19:08 · 1 source, 1 article
- CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation — thehackernews.com — 05.09.2025 19:08
The China-linked threat group Ink Dragon is turning misconfigured servers in European government networks into relay nodes to hide its cyber-espionage activity.
First reported: 17.12.2025 11:30 · 2 sources, 2 articles
- Chinese Ink Dragon Group Hides in European Government Networks — www.infosecurity-magazine.com — 17.12.2025 11:30
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12
Ink Dragon probes public-facing websites for weaknesses, including configuration issues in Microsoft's IIS web server and SharePoint.
First reported: 17.12.2025 11:30 · 2 sources, 2 articles
- Chinese Ink Dragon Group Hides in European Government Networks — www.infosecurity-magazine.com — 17.12.2025 11:30
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12
Once a foothold is established, Ink Dragon moves quietly through the environment, collecting credentials and using Remote Desktop for lateral movement.
First reported: 17.12.2025 11:30 · 2 sources, 2 articles
- Chinese Ink Dragon Group Hides in European Government Networks — www.infosecurity-magazine.com — 17.12.2025 11:30
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12
Ink Dragon maps the environment in detail, controls policy settings, and deploys long-term access tools across high-value systems.
First reported: 17.12.2025 11:30 · 2 sources, 2 articles
- Chinese Ink Dragon Group Hides in European Government Networks — www.infosecurity-magazine.com — 17.12.2025 11:30
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12
Ink Dragon uses compromised organizations to support operations elsewhere, deploying a customized IIS-based module to turn public-facing servers into relay points.
First reported: 17.12.2025 11:30 · 2 sources, 2 articles
- Chinese Ink Dragon Group Hides in European Government Networks — www.infosecurity-magazine.com — 17.12.2025 11:30
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12
Ink Dragon has updated its tooling, including a new version of the FinalDraft backdoor built for long-term access and to blend into Microsoft cloud activity.
First reported: 17.12.2025 11:30 · 2 sources, 2 articles
- Chinese Ink Dragon Group Hides in European Government Networks — www.infosecurity-magazine.com — 17.12.2025 11:30
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12
A second China-linked group, RudePanda, has entered some of the same European government networks and exploited the same exposed server vulnerability.
First reported: 17.12.2025 11:30 · 2 sources, 2 articles
- Chinese Ink Dragon Group Hides in European Government Networks — www.infosecurity-magazine.com — 17.12.2025 11:30
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12
The threat actor known as Jewelbug, also tracked as Ink Dragon, has been targeting government entities and telecommunications organizations across Europe, Asia, and Africa since at least March 2023.
First reported: 17.12.2025 13:12 · 1 source, 1 article
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12
Ink Dragon uses a combination of solid software engineering, disciplined operational playbooks, and platform-native tools to blend into normal enterprise telemetry.
First reported: 17.12.2025 13:12 · 1 source, 1 article
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12
The group has impacted several dozen victims, including government entities and telecommunications organizations, across Europe, Asia, and Africa.
First reported: 17.12.2025 13:12 · 1 source, 1 article
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12
Ink Dragon has been using a backdoor called FINALDRAFT (aka Squidoor) that is capable of infecting both Windows and Linux systems.
First reported: 17.12.2025 13:12 · 1 source, 1 article
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12
The group has also been attributed a five-month-long intrusion targeting a Russian IT service provider.
First reported: 17.12.2025 13:12 · 1 source, 1 article
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12
Ink Dragon leverages vulnerable services in internet-exposed web applications to drop web shells, which are then used to deliver additional payloads like VARGEIT and Cobalt Strike beacons.
First reported: 17.12.2025 13:12 · 1 source, 1 article
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12
Another notable backdoor in the threat actor's malware arsenal is NANOREMOTE, which uses the Google Drive API for uploading and downloading files between the C2 server and the compromised endpoint.
First reported: 17.12.2025 13:12 · 1 source, 1 article
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12
Ink Dragon has relied on predictable or mismanaged ASP.NET machine key values to carry out ViewState deserialization attacks against vulnerable IIS and SharePoint servers.
First reported: 17.12.2025 13:12 · 1 source, 1 article
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12
The threat actor has been found to weaponize ToolShell SharePoint flaws to drop web shells on compromised servers.
First reported: 17.12.2025 13:12 · 1 source, 1 article
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12
Ink Dragon uses the foothold gained through the IIS machine-key ViewState attack to obtain a local administrator credential, which it then uses for lateral movement over an RDP tunnel.
First reported: 17.12.2025 13:12 · 1 source, 1 article
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12
The group creates scheduled tasks and installs services to establish persistence.
First reported: 17.12.2025 13:12 · 1 source, 1 article
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12
Ink Dragon dumps LSASS process memory and extracts registry hives to obtain credentials and escalate privileges.
First reported: 17.12.2025 13:12 · 1 source, 1 article
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12
The threat actor modifies host firewall rules to allow the outbound traffic needed to turn infected hosts into a ShadowPad relay network.
First reported: 17.12.2025 13:12 · 1 source, 1 article
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12
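Both intrusion chains on this page follow the same observable sequence: the IIS worker process spawns a shell or reconnaissance binary, then local administrator accounts are created, services or scheduled tasks are installed, host firewall rules are changed and credential material is dumped from LSASS or the registry hives (the WeepSteel snippets on whoami/tasklist, asp$/sawadmin, Dwagent and the SAM/SYSTEM hives earlier on this page, and the Ink Dragon snippets on scheduled tasks, LSASS and firewall rules just above). The Python below is an added example of detection logic for that sequence, not Mandiant's, Elastic's or any vendor's rules: it runs five process-creation rules over constructed Sysmon-style JSON events and then correlates the hits per host into a chain. The field names, host names, paths and command lines are assumptions.

```python
from __future__ import annotations

import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not Mandiant's, Elastic's or any vendor's detection content): rules
# for the post-exploitation sequence both reports describe, run over constructed
# process-creation events. The JSON field names follow a Sysmon/EDR-style schema
# and are an assumption, as are the host names, paths and commands.

IIS_WORKER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RECON = {"whoami.exe", "hostname.exe", "tasklist.exe", "ipconfig.exe", "netstat.exe", "net.exe", "net1.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _cmd(pattern: str):
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda e: rx.search(e["cmdline"]) is not None


# (rule name, severity, predicate); each rule maps to one step of the reported chains
RULES = [
    # ViewState RCE lands in the IIS worker; it spawning a shell or recon binary is the first visible step
    ("iis_worker_spawned_shell_or_recon", "high",
     lambda e: _basename(e["parent_image"]) == IIS_WORKER and _basename(e["image"]) in SHELLS | RECON),
    # local admin accounts such as asp$ / sawadmin
    ("local_admin_account_created", "high",
     _cmd(r'\bnet1?(\.exe)?"?\s+(user\s+\S+\s+\S+\s+/add|localgroup\s+administrators\s+\S+\s+/add)')),
    # Dwagent registered as a service; Ink Dragon's scheduled tasks and services
    ("service_or_task_persistence", "medium",
     _cmd(r'\b(sc(\.exe)?\s+(create|config)\b|schtasks(\.exe)?\s+/create\b)')),
    # firewall changes that let a host act as a relay node
    ("host_firewall_rule_changed", "medium",
     _cmd(r'\bnetsh(\.exe)?\s+advfirewall\s+firewall\s+(add|set|delete)\s+rule')),
    # LSASS dumps and SAM/SYSTEM/SECURITY hive extraction
    ("credential_material_dumped", "critical",
     _cmd(r'(procdump\S*\s+.*lsass|comsvcs\.dll[, ]+\S*(minidump|#24)|reg(\.exe)?\s+save\s+hklm\\(sam|system|security))')),
]


def detect(jsonl: str) -> list[dict]:
    """Evaluate every rule against every event; return one alert per (event, rule) hit."""
    alerts = []
    for line in jsonl.strip().splitlines():
        e = json.loads(line)
        for name, severity, pred in RULES:
            if pred(e):
                alerts.append({"host": e["host"], "ts": e["ts"], "rule": name,
                               "severity": severity, "cmdline": e["cmdline"]})
    return alerts


def intrusion_chains(alerts: list[dict], window: timedelta = timedelta(hours=2)) -> dict[str, list[str]]:
    """Hosts where an IIS-worker alert is followed within `window` by privilege, persistence
    or credential activity: the web-shell-to-RDP sequence both reports describe."""
    by_host: dict[str, list[dict]] = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    chains: dict[str, list[str]] = {}
    first_rule = RULES[0][0]
    for host, items in by_host.items():
        starts = [datetime.fromisoformat(a["ts"]) for a in items if a["rule"] == first_rule]
        if not starts:
            continue
        t0 = min(starts)
        follow = sorted({a["rule"] for a in items
                         if a["rule"] != first_rule and t0 <= datetime.fromisoformat(a["ts"]) <= t0 + window})
        if follow:
            chains[host] = follow
    return chains


# Constructed events: cm01 mirrors the WeepSteel chain, gw02 the Ink Dragon chain, ws07 is benign admin activity
SAMPLE_EVENTS = r'''
{"ts": "2025-09-01T10:00:00", "host": "cm01", "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"}
{"ts": "2025-09-01T10:00:05", "host": "cm01", "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c ipconfig /all"}
{"ts": "2025-09-01T10:06:00", "host": "cm01", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net user asp$ Passw0rd!1 /add"}
{"ts": "2025-09-01T10:06:10", "host": "cm01", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net localgroup administrators asp$ /add"}
{"ts": "2025-09-01T10:12:00", "host": "cm01", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\sc.exe", "cmdline": "sc create dwagent binPath= C:\\ProgramData\\dw\\dwagsvc.exe start= auto"}
{"ts": "2025-09-01T10:20:00", "host": "cm01", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\reg.exe", "cmdline": "reg save hklm\\sam C:\\Windows\\Temp\\sam.hiv"}
{"ts": "2025-09-01T11:00:00", "host": "gw02", "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c tasklist"}
{"ts": "2025-09-01T11:10:00", "host": "gw02", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\netsh.exe", "cmdline": "netsh advfirewall firewall add rule name=Updater dir=out action=allow program=C:\\ProgramData\\svc\\svc.exe"}
{"ts": "2025-09-01T11:15:00", "host": "gw02", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\schtasks.exe", "cmdline": "schtasks /create /tn Updater /tr C:\\ProgramData\\svc\\svc.exe /sc onlogon /ru SYSTEM"}
{"ts": "2025-09-01T11:30:00", "host": "gw02", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 624 C:\\Windows\\Temp\\ls.dmp full"}
{"ts": "2025-09-01T12:00:00", "host": "ws07", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"}
{"ts": "2025-09-01T12:00:30", "host": "ws07", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\ipconfig.exe", "cmdline": "ipconfig /all"}
'''

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for a in hits:
        print(f"{a['ts']} {a['host']} [{a['severity']}] {a['rule']}: {a['cmdline']}")
    print(intrusion_chains(hits))
```

The first rule is the high-value one: w3wp.exe almost never has a legitimate reason to launch cmd.exe or whoami.exe, so it fires early and with little noise. The remaining rules are individually noisy in an enterprise (administrators do create services and firewall rules); the correlation step keeps them useful by only promoting hosts where they follow an IIS-worker alert within the window.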
Ink Dragon has introduced a new variant of FINALDRAFT malware with enhanced stealth and higher exfiltration throughput, along with advanced evasion techniques.
First reported: 17.12.2025 13:12 · 1 source, 1 article
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12
FINALDRAFT implements a modular command framework in which operators push encoded command documents to the victim's mailbox, and the implant pulls, decrypts, and executes them.
First reported: 17.12.2025 13:12 · 1 source, 1 article
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12
Evidence of a second threat actor known as REF3927 (aka RudePanda) has been detected on several of the same victim environments breached by Ink Dragon.
First reported: 17.12.2025 13:12 · 1 source, 1 article
- China-Linked Ink Dragon Hacks Governments Using ShadowPad and FINALDRAFT Malware — thehackernews.com — 17.12.2025 13:12
Similar Happenings
SesameOp malware leverages OpenAI Assistants API for command-and-control
A new backdoor malware, SesameOp, uses the OpenAI Assistants API as a covert command-and-control channel. The malware was discovered during an investigation into a July 2025 cyberattack. It allowed attackers to gain persistent access to compromised environments and remotely manage backdoored devices for several months. The attackers leveraged legitimate cloud services, avoiding detection and traditional incident response measures. The malware employs a combination of symmetric and asymmetric encryption to secure communications. It uses a heavily obfuscated loader and a .NET-based backdoor deployed through .NET AppDomainManager injection into Microsoft Visual Studio utilities. The attack chain includes internal web shells and malicious processes designed for long-term espionage. The malware uses a loader component named "Netapi64.dll" and a .NET-based backdoor named "OpenAIAgent.Netapi64". The malware supports three types of values in the description field of the Assistants list retrieved from OpenAI: SLEEP, Payload, and Result. Microsoft and OpenAI collaborated to investigate the abuse of the API, leading to the disabling of the account and API key used in the attacks. The malware does not exploit a vulnerability in OpenAI's platform but misuses built-in capabilities of the Assistants API. The OpenAI Assistants API is scheduled for deprecation in August 2026 and will be replaced by a new Responses API.
Airstalk Malware Linked to Supply Chain Attack
A new malware called Airstalk has been identified in a suspected supply chain attack. The malware exploits the AirWatch API for mobile device management (MDM) to establish a covert command-and-control (C2) channel. It is distributed by a nation-state threat actor tracked as CL-STA-1009. Airstalk can capture screenshots, harvest browser data, and exfiltrate files. The malware is available in PowerShell and .NET variants, with the latter being more advanced. The attack may target the business process outsourcing (BPO) sector. Airstalk uses a multi-threaded C2 communication protocol and supports various actions, including taking screenshots, harvesting browser data, and uninstalling itself. The .NET variant targets additional browsers and includes more sophisticated features. The malware's distribution method and specific targets remain unknown, but the use of MDM-related APIs suggests a supply chain attack.
PhantomRaven npm credential harvesting campaign leverages invisible dependencies
An ongoing npm credential harvesting campaign dubbed PhantomRaven has been active since August 2025. The malware steals npm tokens, GitHub credentials, and CI/CD secrets from developers worldwide. At least 126 npm packages have been infected, resulting in over 86,000 downloads. The attack uses Remote Dynamic Dependencies (RDD) to hide malicious code in externally hosted packages, evading npm security scans. The campaign exploits AI hallucinations to create plausible-sounding package names, a technique known as slopsquatting. As of October 30, 2025, the attacker-controlled URL can serve any kind of malware, initially serving harmless code before pushing a malicious version. The malware scans the developer environment for email addresses and gathers information about the CI/CD environment. The npm ecosystem allows easy publishing and low friction for packages, with lifecycle scripts executing arbitrary code at install time. As of October 29, 2025, at least 80 of the infected packages remain active. Researchers have discovered a malicious npm package named "@acitons/artifact" that typosquats the legitimate "@actions/artifact" package to target GitHub-owned repositories. The package incorporated a post-install hook to download and run malware in versions 4.0.12 to 4.0.17, and has been downloaded 47,405 times. The malware specifically targets repositories owned by the GitHub organization, indicating a targeted attack against GitHub.
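The two mechanisms described above, Remote Dynamic Dependencies and lifecycle scripts that run at install time, are both visible in a package's manifest. The following added example (not code from the original article or from any of the researchers it cites) audits a constructed package.json for dependency specs that resolve to externally hosted code and for install-time hooks; the package name, URL and script are invented placeholders.

```python
import json
import re
from typing import Dict, List

# Constructed sample manifest (not a real package): one dependency is a
# Remote Dynamic Dependency fetched over HTTP at install time, and a
# postinstall hook runs arbitrary code on the developer's machine.
SAMPLE_PACKAGE_JSON = """
{
  "name": "example-pkg",
  "version": "1.0.0",
  "dependencies": {
    "lodash": "^4.17.21",
    "helper-utils": "http://example.invalid/pkgs/helper-utils-1.0.0.tgz"
  },
  "devDependencies": {"typescript": "^5.0.0"},
  "scripts": {"build": "tsc", "postinstall": "node ./setup.js"}
}
"""

# Dependency specs that npm resolves outside the registry (URL tarballs,
# git remotes, GitHub shorthand) instead of a semver range.
REMOTE_SPEC = re.compile(r"^(https?://|git\+|git://|github:)")
# npm hooks that execute during `npm install` without user interaction.
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall",
                   "preprepare", "prepare", "postprepare"}
DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")


def audit_manifest(manifest_text: str) -> Dict[str, List[str]]:
    """Return remote dependency specs and lifecycle hooks found in a manifest."""
    manifest = json.loads(manifest_text)
    findings: Dict[str, List[str]] = {"remote_dependencies": [], "lifecycle_scripts": []}
    for section in DEP_SECTIONS:
        for name, spec in manifest.get(section, {}).items():
            if isinstance(spec, str) and REMOTE_SPEC.match(spec):
                findings["remote_dependencies"].append(f"{section}:{name}={spec}")
    for hook, command in manifest.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings["lifecycle_scripts"].append(f"{hook}={command}")
    return findings


def is_suspicious(findings: Dict[str, List[str]]) -> bool:
    """Either finding alone warrants review before the package is installed."""
    return bool(findings["remote_dependencies"] or findings["lifecycle_scripts"])


if __name__ == "__main__":
    print(json.dumps(audit_manifest(SAMPLE_PACKAGE_JSON), indent=2))
```

A remote spec only tells you that code is fetched from outside the registry; what that URL serves can change between installs, which is why the check should gate installation rather than a one-time review.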
Memento Labs linked to Chrome zero-day exploitation in Operation ForumTroll
Operation ForumTroll, discovered in March 2025, targeted Russian organizations and individuals using a zero-day vulnerability in Google Chrome (CVE-2025-2783). The campaign, also tracked as TaxOff/Team 46 by Positive Technologies and Prosperous Werewolf by BI.ZONE, delivered malware linked to the Italian spyware vendor Memento Labs. The attacks used phishing emails with malicious links to infect victims, targeting media outlets, universities, research centers, government organizations, financial institutions, and other organizations in Russia and Belarus. The malware, identified as LeetAgent and Dante, was used to steal data and maintain persistence on compromised systems. Memento Labs, formed after InTheCyber Group acquired Hacking Team, presented its Dante spyware at a conference in 2023. The malware was used in attacks dating back to at least 2022. The attacks involved sophisticated techniques to ensure only targeted victims were compromised. The zero-day vulnerability (CVE-2025-2783) was discovered and reported to Google by researchers at Kaspersky Lab earlier in 2025. The exploit bypassed Chrome's sandbox protections by exploiting a logic vulnerability in Chrome caused by an obscure quirk in the Windows OS. The exploit used pseudo handles to disable sandbox functionality, allowing unauthorized access to privileged processes. The exploit represents a new class of vulnerabilities that could affect other applications and Windows services. The group known as Mem3nt0 mori, also referred to as ForumTroll APT, is linked to Operation ForumTroll. The attacks began in March 2025 with highly personalized phishing emails inviting victims to the Primakov Readings forum. The flaw in Chrome stemmed from a logical oversight in Windows' handling of pseudo handles, allowing attackers to execute code in Chrome's browser process. Google patched the issue in version 134.0.6998.177/.178. Firefox developers found a related issue in their browser, addressed as CVE-2025-2857. 
Kaspersky's researchers concluded that Mem3nt0 mori leveraged Dante-based components in the ForumTroll campaign, marking the first observed use of this commercial spyware in the wild. The discovery underscores ongoing risks from state-aligned and commercial surveillance vendors. Kaspersky urged security researchers to examine other software and Windows services for similar pseudo-handle vulnerabilities. In a new wave of attacks detected in October 2025, the threat actor targeted individuals in Russia, specifically scholars in political science, international relations, and global economics, working at major Russian universities and research institutions. The latest attack wave used emails claiming to be from eLibrary, a Russian scientific electronic library, with messages sent from the address 'support@e-library[.]wiki'. The domain was registered in March 2025, six months before the start of the campaign, indicating preparations for the attack had been underway for some time. The emails contained links to a malicious site to download a plagiarism report, which, when clicked, downloaded a ZIP archive named with the victim's last name, first name, and patronymic. The links were designed for one-time use, displaying a Russian language message stating 'Download failed, please try again later' if accessed more than once. The archive contained a Windows shortcut (LNK) that, when executed, ran a PowerShell script to download and launch a PowerShell-based payload from a remote server. The payload contacted a URL to fetch a final-stage DLL and persist it using COM hijacking, also downloading and displaying a decoy PDF to the victim. The final payload was a command-and-control (C2) and red teaming framework known as Tuoni, enabling remote access to the victim's Windows device. ForumTroll has been targeting organizations and individuals in Russia and Belarus since at least 2022.
GlassWorm malware targets OpenVSX, VS Code registries
The GlassWorm malware campaign has resurfaced with a third wave, adding 24 new packages to OpenVSX and Microsoft Visual Studio Marketplace. The malware uses invisible Unicode characters to hide malicious code and targets GitHub, NPM, and OpenVSX account credentials, as well as cryptocurrency wallet data. The campaign initially impacted 49 extensions, with an estimated 35,800 downloads, though this figure includes inflated numbers due to bots and visibility-boosting tactics. The Eclipse Foundation has revoked leaked tokens and introduced security measures, but the threat actors have pivoted to GitHub and now returned to OpenVSX with updated command-and-control endpoints. The malware's global reach includes systems in the United States, South America, Europe, Asia, and a government entity in the Middle East. Koi Security has accessed the attackers' server and shared victim data with law enforcement. The threat actors have posted a fresh transaction to the Solana blockchain, providing an updated C2 endpoint for downloading the next-stage payload. The attacker's server was inadvertently exposed, revealing a partial list of victims spanning the U.S., South America, Europe, and Asia, including a major government entity from the Middle East. The threat actor is assessed to be Russian-speaking and uses the open-source browser extension C2 framework named RedExt as part of their infrastructure. The third wave of GlassWorm uses Rust-based implants packaged inside the extensions and targets popular tools and developer frameworks like Flutter, Vim, YAML, Tailwind, Svelte, React Native, and Vue. Additionally, a malicious Rust package named "evm-units" was discovered, targeting Windows, macOS, and Linux systems. This package, uploaded to crates.io in mid-April 2025, attracted over 7,000 downloads and was designed to stealthily execute on developer machines by masquerading as an Ethereum Virtual Machine (EVM) unit helper tool.
The package checks for the presence of Qihoo 360 antivirus and alters its execution flow accordingly. The references to EVM and Uniswap indicate that the supply chain incident is designed to target developers in the Web3 space.