Godzilla (BLUEBEAM) web shell and Cobalt Strike deployment via KnowledgeDeliver exploitation

Malware Activity
H score 39
1 unique source, 1 article

Summary

The Godzilla (BLUEBEAM) web shell is now being used after CVE-2026-5426 exploitation to run commands and stage Cobalt Strike Beacon, giving attackers a durable foothold on KnowledgeDeliver servers. The chain turns a patched LMS flaw into post-exploitation malware activity that can extend control from server access to user-system infection. The payload chain used malicious JavaScript and a fake installer to deliver the beacon. The payload was prepared for a specific targeted organization, increasing the chance of tailored follow-on abuse.

Related Happenings

Digital Knowledge KnowledgeDeliver ViewState deserialization RCE (CVE-2026-5426)

Vulnerability
First: 26.05.2026 08:19 Last: 26.05.2026 08:19 Sources 1

How related: A now-patched high-severity security flaw affecting Digital Knowledge KnowledgeDeliver, a Learning Management System (LMS) popular in Japan, was exploited as a zero-day to deliver the Godzilla web shell and ultimately facilitate the deployment of Cobalt Strike Beacon.

About this happening: A **now-patched** **CVE-2026-5426** in **Digital Knowledge KnowledgeDeliver** was exploited as a **zero-day**, exposing affected LMS deployments to **unauthenticated remote code e...

Latest development: 26.05.2026 23:07

In **late 2025**, attackers used the flaw as a **zero-day** against a **KnowledgeDeliver server** to inject a malicious script before escalating to signed **ViewState** payloads and web-shell deployment.

UNC1069 Axios npm supply-chain campaign targeting build pipelines

Campaign
First: 01.04.2026 10:44 Last: 01.04.2026 10:44 Sources 1

About this happening: The **Axios npm supply-chain compromise** has been tied to **UNC1069**, putting **npm consumers** and downstream **build pipelines** at risk from trojanized releases. Attackers se...

Latest development: 13.04.2026 20:39

OpenAI is revoking and rotating potentially exposed macOS code-signing certificates after a GitHub Actions workflow executed a compromised Axios package version 1.14.1 during a March 31, 2026 supply-chain attack. The workflow had access to certificates used to sign ChatGPT Desktop, Codex, Codex CLI, and Atlas, and OpenAI says it found no evidence that user data, systems, intellectual property, or the signing certificate were compromised.

GlassWorm supply-chain malware wave across GitHub, npm, and VSCode/OpenVSX

Malware Activity
First: 17.03.2026 23:42 Last: 17.03.2026 23:42 Sources 1

About this happening: **GlassWorm** returned in a **new coordinated supply-chain attack** that compromised **433 components** across **GitHub, npm, and VSCode/OpenVSX**, creating a broad software-distr...

Latest development: 28.04.2026 00:41

GlassWorm returned in an OpenVSX supply-chain wave with 73 cloned sleeper extensions that were benign at upload and later turned malicious after an update, with six already activated to deliver malware. The extensions act as thin loaders that fetch payloads through GitHub-hosted secondary VSIX packages, platform-specific .node modules, or heavily obfuscated JavaScript, shifting the campaign toward submitting innocuous extensions first and introducing the malicious payload later.

Havoc Demon payload deployment and persistence operation

Malware Activity
First: 03.03.2026 19:15 Last: 03.03.2026 19:15 Sources 1

About this happening: A **fake IT support** operation is deploying **Havoc Demon** payloads to preserve access across compromised endpoints and support likely **data exfiltration** or **ransomware** fo...

DCRat delivered through PowerShell and MSBuild in PHALT#BLYX

Malware Activity
First: 06.01.2026 14:13 Last: 06.01.2026 14:13 Sources 1

About this happening: **SHADOW#REACTOR** is a **multi-stage Windows malware campaign** that uses **obfuscated VBS**, **PowerShell**, **wscript.exe**, **MSBuild.exe**, and in-memory loaders to stealthil...

Timeline

  1. 26.05.2026 08:19 2 articles · 1d ago

    Godzilla web shell and Cobalt Strike Beacon deployed on KnowledgeDeliver servers

    Exploitation Observed

    Google Mandiant and GTIG reported that an unknown threat actor exploited CVE-2026-5426 in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026, used the access to inject malicious code into the LMS platform, deployed the Godzilla (aka BLUEBEAM) web shell, tampered with an application JavaScript file, and ultimately delivered Cobalt Strike Beacon to infected user machines.