
WeepSteel Malware Deployed via Sitecore Zero-Day Exploit

5 unique sources, 8 articles

Summary


Threat actors have exploited a zero-day vulnerability in Sitecore Experience Manager (XM) and Experience Platform (XP) to deliver WeepSteel malware. The flaw, tracked as CVE-2025-53690, affects versions prior to 9.0 and was exploited using a sample machine key from outdated deployment guides. The attack involved ViewState deserialization, internal reconnaissance, and the deployment of various open-source tools for persistence and lateral movement. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch the vulnerability by September 25, 2025. The vulnerability has a CVSS score of 9.0, indicating critical severity.

The China-linked threat group Ink Dragon has been observed turning misconfigured servers in European government networks into relay nodes to hide its cyber-espionage activity. Ink Dragon probes public-facing websites for weaknesses, including configuration issues in Microsoft's IIS web server and SharePoint. Once a foothold is established, the group moves quietly through the environment, collecting credentials and using Remote Desktop for lateral movement. Ink Dragon maps the environment in detail, controls policy settings, and deploys long-term access tools across high-value systems. The group uses compromised organizations to support operations elsewhere, deploying a customized IIS-based module to turn public-facing servers into relay points. Ink Dragon has updated its tooling, including a new version of the FinalDraft backdoor built for long-term access and to blend into Microsoft cloud activity. A second China-linked group, RudePanda, has entered some of the same European government networks and exploited the same exposed server vulnerability.

A threat actor likely aligned with China, tracked as UAT-8837, has been targeting critical infrastructure sectors in North America since at least last year. UAT-8837 is primarily tasked with obtaining initial access to high-value organizations. The group deploys open-source tools to harvest sensitive information such as credentials, security configurations, and domain and Active Directory (AD) information. UAT-8837 exploits a critical zero-day vulnerability in Sitecore (CVE-2025-53690, CVSS score: 9.0) to obtain initial access. The group disables RestrictedAdmin mode for Remote Desktop Protocol (RDP); that mode normally keeps credentials and other user resources from being exposed to a compromised remote host, so disabling it lets the attackers harvest them. UAT-8837 downloads several artifacts including GoTokenTheft, EarthWorm, DWAgent, SharpHound, Impacket, GoExec, Rubeus, and Certipy to enable post-exploitation. The group exfiltrated DLL-based shared libraries related to the victim's products, raising the possibility of future trojanization and supply chain compromises.

Timeline

  1. 17.12.2025 11:30 3 articles · 1mo ago

    Ink Dragon Uses European Government Networks as Relay Nodes

    The China-linked threat group Ink Dragon, also known as Jewelbug, has been targeting government entities and telecommunications organizations across Europe, Asia, and Africa since at least March 2023. The group uses a combination of solid software engineering, disciplined operational playbooks, and platform-native tools to blend into normal enterprise telemetry. Ink Dragon has impacted several dozen victims and has been using a backdoor called FINALDRAFT (aka Squidoor) that is capable of infecting both Windows and Linux systems. The group has also been linked to a five-month-long intrusion targeting a Russian IT service provider. Ink Dragon leverages vulnerable services in internet-exposed web applications to drop web shells, which are then used to deliver additional payloads like VARGEIT and Cobalt Strike beacons. Another notable backdoor in the threat actor's malware arsenal is NANOREMOTE, which uses the Google Drive API for uploading and downloading files between the C2 server and the compromised endpoint.

    Ink Dragon has relied on predictable or mismanaged ASP.NET machine key values to carry out ViewState deserialization attacks against vulnerable IIS and SharePoint servers. The threat actor has been found to weaponize ToolShell SharePoint flaws to drop web shells on compromised servers. Ink Dragon uses the IIS machine key to obtain a local administrative credential and leverage it for lateral movement over an RDP tunnel. The group creates scheduled tasks and installs services to establish persistence. Ink Dragon dumps LSASS process memory and extracts registry hives to achieve privilege escalation. The threat actor modifies host firewall rules to allow outbound traffic and transforms the infected hosts into a ShadowPad relay network. Ink Dragon has introduced a new variant of FINALDRAFT malware with enhanced stealth and higher exfiltration throughput, along with advanced evasion techniques. FINALDRAFT implements a modular command framework in which operators push encoded command documents to the victim's mailbox, and the implant pulls, decrypts, and executes them. Evidence of a second threat actor known as REF3927 (aka RudePanda) has been detected on several of the same victim environments breached by Ink Dragon.

  2. 04.09.2025 11:46 6 articles · 4mo ago

    WeepSteel Malware Deployed via Sitecore Zero-Day Exploit

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to patch the Sitecore vulnerability by September 25, 2025. The vulnerability, CVE-2025-53690, has a CVSS score of 9.0, indicating critical severity. The attack chain documented by Mandiant involves the deployment of a combination of open-source and custom tools for reconnaissance, remote access, and Active Directory reconnaissance. The malware WEEPSTEEL borrows some of its functionality from an open-source Python tool named ExchangeCmdPy.py. The attackers have been observed using additional tools such as SharpHound and GoTokenTheft for various malicious activities. Sitecore has confirmed that new deployments now generate keys automatically and that all affected customers have been contacted.

    A threat actor likely aligned with China, tracked as UAT-8837, has been targeting critical infrastructure sectors in North America since at least last year. UAT-8837 is primarily tasked with obtaining initial access to high-value organizations. The group deploys open-source tools to harvest sensitive information such as credentials, security configurations, and domain and Active Directory (AD) information. UAT-8837 exploits a critical zero-day vulnerability in Sitecore (CVE-2025-53690, CVSS score: 9.0) to obtain initial access. The group disables RestrictedAdmin mode for Remote Desktop Protocol (RDP); that mode normally keeps credentials and other user resources from being exposed to a compromised remote host, so disabling it lets the attackers harvest them. UAT-8837 downloads several artifacts including GoTokenTheft, EarthWorm, DWAgent, SharpHound, Impacket, GoExec, Rubeus, and Certipy to enable post-exploitation. The group exfiltrated DLL-based shared libraries related to the victim's products, raising the possibility of future trojanization and supply chain compromises.

    UAT-8837 has been active since at least 2025 and is primarily focused on obtaining initial access to critical infrastructure systems in North America. UAT-8837 leverages compromised credentials or exploits server vulnerabilities to gain initial access. UAT-8837 uses Windows native commands for host and network reconnaissance and disables RDP RestrictedAdmin to facilitate credential harvesting. UAT-8837 uses a variety of open-source and living-off-the-land utilities, including GoTokenTheft, Rubeus, Certipy, SharpHound, Impacket, Invoke-WMIExec, GoExec, SharpWMI, Earthworm, and DWAgent. UAT-8837 targets credentials, AD topology and trust relationships, and security policies and configurations. UAT-8837 has exfiltrated a DLL from a product used by the victim, which could be used for future trojanization and supply-chain attacks.
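    The root cause shared by the Sitecore intrusion and Ink Dragon's IIS/SharePoint ViewState attacks is a static ASP.NET machineKey that an attacker can learn from public documentation. The web.config audit below is an added example, not code from Sitecore, Mandiant or any of the cited reports; the sample key, the published-key hash list and both sample configs are constructed placeholders.

```python
"""Audit the ASP.NET <machineKey> setting abused in CVE-2025-53690 and in
ViewState deserialization attacks: a static key copied from public docs lets
anyone who knows it sign a malicious ViewState. Added example; the sample
key, hash list and configs below are constructed placeholders."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed placeholder for keys known to appear in public deployment guides;
# a real audit would populate this from a review of vendor documentation.
KNOWN_SAMPLE_KEY = "A" * 128
PUBLISHED_KEY_HASHES = {hashlib.sha256(KNOWN_SAMPLE_KEY.encode()).hexdigest()}
HEX = set("0123456789abcdefABCDEF")


def audit_machine_key(web_config_xml: str) -> list[str]:
    """Return findings for one web.config; an empty list means nothing flagged."""
    findings = []
    root = ET.fromstring(web_config_xml)
    mk = next(root.iter("machineKey"), None)
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            value = (mk.get(attr) or "").strip()
            if not value or value.startswith("AutoGenerate"):
                continue  # runtime generates the key; nothing to copy from docs
            if hashlib.sha256(value.encode()).hexdigest() in PUBLISHED_KEY_HASHES:
                findings.append(f"{attr}: matches a publicly documented sample key")
            elif not set(value) <= HEX:
                findings.append(f"{attr}: not hexadecimal, looks like placeholder text")
            elif len(set(value.upper())) <= 4:
                findings.append(f"{attr}: low-entropy value, rotate it")
        if (mk.get("validation") or "HMACSHA256").upper() in ("MD5", "SHA1"):
            findings.append("validation: legacy algorithm, prefer HMACSHA256")
    pages = next(root.iter("pages"), None)
    if pages is not None and (pages.get("enableViewStateMac") or "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState is not signed at all")
    return findings


# Constructed sample configs: the weak pattern beside the corrected one.
VULNERABLE_CONFIG = f"""<configuration><system.web>
  <machineKey validationKey="{KNOWN_SAMPLE_KEY}" decryptionKey="{'B' * 64}"
              validation="SHA1" decryption="AES"/>
  <pages enableViewStateMac="false"/>
</system.web></configuration>"""

HARDENED_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>"""
```

    Web farms that must share a static key should still pass this check by generating a fresh random key per farm and rotating it after any suspected exposure; only documentation-sourced, placeholder or low-entropy values are flagged.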



Similar Happenings

Reprompt Attack Exploits Microsoft Copilot Session Hijacking

Researchers discovered the Reprompt attack, which allows hackers to hijack Microsoft Copilot sessions by embedding malicious prompts in URLs. This attack bypasses Copilot's protections, enabling data exfiltration without user interaction beyond an initial click. The attack leverages three techniques: Parameter-to-Prompt (P2P) injection, double-request, and chain-request methods. The attack starts with the exploitation of the 'q' parameter, which is used on AI platforms to deliver a user's query or prompt via a URL. The attack resulted in one-click compromise and persisted after the chat was closed. Microsoft addressed the issue in January 2026's Patch Tuesday update, and the attack does not affect enterprise customers using Microsoft 365 Copilot. The Reprompt attack can exfiltrate sensitive data from AI chatbots like Microsoft Copilot in a single click, maintaining control even when the Copilot chat is closed. The attack uses the 'q' URL parameter in Copilot to inject a crafted instruction directly from a URL, instructs Copilot to bypass guardrails by repeating each action twice, and triggers an ongoing chain of requests through the initial prompt for continuous data exfiltration. The attack can exfiltrate data such as user-accessed files, location, and vacation plans, turning Copilot into an invisible channel for data exfiltration without requiring any user input prompts, plugins, or connectors. The root cause of Reprompt is the AI system's inability to delineate between instructions directly entered by a user and those sent in a request. The server can request information based on earlier responses, probing for even more sensitive details, with the real instructions hidden in the server's follow-up requests.

VoidLink Malware Framework Targets Cloud and Container Environments

A new advanced Linux malware framework, codenamed VoidLink, has been discovered targeting cloud and container environments. Developed by China-affiliated threat actors, VoidLink is a highly modular and flexible framework designed for long-term, stealthy access to Linux-based systems. It includes custom loaders, implants, rootkits, and over 30 plugins, enabling operators to adapt its capabilities over time. The malware is engineered to detect major cloud environments and adapt its behavior when running within Docker containers or Kubernetes pods. It also gathers credentials associated with cloud environments and source code version control systems like Git. VoidLink's capabilities include anti-forensics, reconnaissance, credential harvesting, lateral movement, and persistence, making it a full-fledged post-exploitation framework. The framework is written primarily in the Zig programming language and includes plans to extend its detection capabilities to additional cloud environments such as Huawei, DigitalOcean, and Vultr. VoidLink's documentation suggests it is intended for commercial purposes, and its development environment includes debug symbols and other development artifacts, indicating in-progress builds. VoidLink uses a custom encrypted messaging layer called 'VoidStream' to camouflage traffic and includes 35 plugins in the default configuration. The framework employs rootkit modules to hide processes, files, network sockets, or the rootkit itself, and includes advanced anti-analysis mechanisms to detect debuggers, perform runtime code encryption, and integrity checks. VoidLink's anti-forensic modules erase logs, shell history, login records, and securely overwrite all files dropped on the host, minimizing exposure to forensic investigations.

China-Linked UAT-7290 Targets Telecoms with Linux Malware and ORB Nodes

China-nexus threat actor UAT-7290 has been targeting telecommunications providers in South Asia and Southeastern Europe since at least 2022. The group conducts extensive reconnaissance before deploying malware families like RushDrop, DriveSwitch, SilentRaid, and Bulbature. UAT-7290 also establishes Operational Relay Box (ORB) nodes, which other China-nexus actors may use, indicating a dual role in espionage and initial access provision. The group uses a mix of open-source malware, custom tooling, and 1-day vulnerabilities in edge networking products. Recent activity shows overlaps with RedLeaves, ShadowPad, and RedFoxtrot, suggesting a broader China-linked operation.

Exploitation of Network Security Flaws by APT Actors

Multiple network security products, including those from Fortinet, SonicWall, Cisco, and WatchGuard, have been targeted by threat actors exploiting critical vulnerabilities. Cisco's AsyncOS flaw (CVE-2025-20393) is being exploited by a China-nexus APT group, UAT-9686, to deliver malware such as ReverseSSH and AquaPurge. SonicWall's SMA 100 series appliances are also being targeted through a combination of vulnerabilities to achieve unauthenticated remote code execution. These attacks highlight the increasing focus on network security products as entry points for deeper network infiltration.

Active Exploitation of Unpatched Cisco AsyncOS Zero-Day in SEG and SEWM Appliances

Cisco has identified an unpatched, critical zero-day vulnerability (CVE-2025-20393) in AsyncOS, affecting Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. The flaw is actively exploited by a Chinese threat group, UAT-9686, to deploy backdoors and other malware. The attacks have been ongoing since at least late November 2025. Cisco has released security updates for the vulnerability and recommends securing and restricting access to vulnerable appliances. The vulnerability allows threat actors to execute arbitrary commands with root privileges and deploy tools like AquaShell, AquaTunnel, Chisel, and AquaPurge. CISA has added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog, requiring FCEB agencies to apply mitigations by December 24, 2025. Additionally, GreyNoise detected a coordinated campaign targeting enterprise VPN infrastructure, including Cisco SSL VPN and Palo Alto Networks GlobalProtect portals.