WeepSteel malware in Sitecore ViewState attacks
Malware Activity
Summary
The WeepSteel malware was delivered in a ViewState payload during attacks on Sitecore deployments, enabling internal reconnaissance inside compromised environments. The activity matters because the payload was part of an exploitation chain that also supported post-compromise access and follow-on collection.
Related Happenings
Plain-crypto-js remote-access Trojan delivery
Malware Activity
First: 31.03.2026 23:55
Last: 31.03.2026 23:55
Sources 1
About this happening:
The malicious **plain-crypto-js** dependency delivered a **remote-access Trojan (RAT)** that can run on **Windows, Linux, and Mac**, extending the open-source supply-chain comprom...
Latest development: 04.04.2026 23:30
Google Threat Intelligence Group linked the Axios npm compromise to UNC1069, a financially motivated North Korea-nexus threat actor, based on the use of WAVESHAPER.V2 and overlaps with infrastructure artifacts used by UNC1069 in past activity. The Axios maintainers also wiped affected systems, reset all credentials, and are implementing changes to prevent similar incidents.
Google Ads tax-search ScreenConnect malvertising campaign
Campaign
First: 24.03.2026 19:05
Last: 24.03.2026 19:05
Sources 1
About this happening:
A **malvertising campaign** active since **January 2026** is using **Google Ads** and tax-related search terms to push rogue **ConnectWise ScreenConnect** installers, creating a p...
React/Next.js applications React2Shell RCE flaw (CVE-2025-55182)
Vulnerability
First: 09.02.2026 10:37
Last: 09.02.2026 10:37
Sources 1
About this happening:
**React2Shell (CVE-2025-55182)** is being **heavily exploited** in **React Server Components (RSC)**, with Huntress observing attackers deliver **cryptocurrency miners** and new m...
Latest development: 09.03.2026 23:45
Google reports that newly disclosed third-party flaws are increasingly being exploited for initial access to cloud environments, with React2Shell (CVE-2025-55182) and CVE-2025-24893 highlighted as frequent RCE examples. The report says attackers are weaponizing new flaws within days, with cryptominers observed within 48 hours of vulnerability disclosure.
Sitecore actively exploited zero-day vulnerability (CVE-2025-53690)
Vulnerability
First: 16.01.2026 09:18
Last: 16.01.2026 09:18
Sources 1
How related:
The issue, tracked as CVE-2025-53690 (CVSS score of 9.0), is described as a deserialization of untrusted data bug affecting Sitecore Experience Manager (XM) and Experience Platform (XP) prior to version 9.0 that were deployed using the sample key exposed in the guides.
About this happening:
**CVE-2025-53690** is a **critical Sitecore vulnerability** under **active exploitation** for **initial access**. **CISA** advised **FCEB agencies** to update **Sitecore** by **Se...
BadAudio malware delivery and loader activity
Malware Activity
First: 21.11.2025 00:12
Last: 21.11.2025 00:12
Sources 1
About this happening:
The **BadAudio** malware was used in a sustained delivery-and-loader operation that enabled payload staging against **Windows** victims, including at least one observed **Cobalt S...
Timeline
- 04.09.2025 11:46 · 2 articles
Google warns of WeepSteel delivery in Sitecore ViewState attacks
Initial Disclosure: Google warned that threat actors used an exposed ASP.NET machine key in Sitecore deployments to execute ViewState deserialization attacks against internet-accessible Sitecore instances, tracked as CVE-2025-53690. The attackers delivered a ViewState payload containing WeepSteel, a .NET assembly that can harvest system, network, and user information and support internal reconnaissance, while also performing server fingerprinting, web-root archiving, account creation, and RDP-enabled follow-on activity on compromised Sitecore environments. Sitecore said updated deployments automatically generate a unique machine key and released mitigation guidance and indicators of compromise.
- Hackers Exploit Sitecore Zero-Day for Malware Delivery — www.securityweek.com — 04.09.2025 11:46
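A defensive configuration check for the precondition described in the timeline entry, added here as an example (not code from Google, Sitecore or the cited article): it parses a constructed web.config and flags a static machineKey, a weak ViewState validation algorithm, and a disabled ViewState MAC, the settings that let anyone who knows the key forge ViewState. It assumes ASP.NET 4.5+ defaults (AutoGenerate keys, HMACSHA256 validation) when an attribute is absent.

```python
"""Audit an ASP.NET web.config for settings that let an attacker who knows
the machineKey forge ViewState and reach the deserialization path.
Added example; not part of Sitecore or the original report."""
import xml.etree.ElementTree as ET

# Constructed sample configs (illustrative dummy values, not real keys).
STATIC_KEY_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
"""
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""

STRONG_MAC = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}


def audit_machine_key(config_xml: str) -> list[str]:
    """Return findings for the given web.config text; an empty list means
    no ViewState-forgery precondition was detected."""
    root = ET.fromstring(config_xml)
    findings = []
    mk = next(root.iter("machineKey"), None)
    if mk is not None:
        for attr in ("validationKey", "decryptionKey"):
            # Assumption: an absent attribute means the ASP.NET default, AutoGenerate.
            if not mk.get(attr, "AutoGenerate").startswith("AutoGenerate"):
                findings.append(f"static {attr}: a shared or published value lets ViewState be forged")
        # Assumption: an absent 'validation' means the .NET 4.5+ default, HMACSHA256.
        if mk.get("validation", "HMACSHA256").upper() not in STRONG_MAC:
            findings.append(f"weak validation algorithm {mk.get('validation')}")
    pages = next(root.iter("pages"), None)
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("enableViewStateMac=false: ViewState MAC is not checked at all")
    return findings


if __name__ == "__main__":
    for name, cfg in (("static", STATIC_KEY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_machine_key(cfg) or ["no findings"])
```

Point it at a real deployment's web.config to confirm a unique, auto-generated key is in place, which is the mitigation Sitecore described.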