- Cisco Talos discovered malicious activities conducted by an unknown attacker since as early as January 2025, predominantly targeting organizations in Japan.
- The attacker has exploited the vulnerability CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines.
- The attacker utilizes plugins of the publicly available Cobalt Strike kit “TaoWu” for post-exploitation activities.
- Talos found a pre-configured installer script on the command and control (C2) server that deploys a full suite of adversarial tools and frameworks hosted on an Alibaba Cloud container registry, highlighting the potential misuse of such tools for malicious purposes by the attacker.
- Talos noticed the attacker’s attempt at stealing the victim’s machine credentials. However, we assess with moderate confidence that the attacker’s motive extends beyond just credential harvesting, based on our observation of other post-exploitation activities, such as establishing persistence, elevating to SYSTEM level privilege, and potential access to adversarial frameworks, indicating the likelihood of future attacks.
- We reported an increasing trend of threat actors exploiting vulnerable public-facing applications for initial access in our quarterly Talos Incident Response (Talos IR) report for Q4 2024, and the discovery of this intrusion highlights this ongoing activity.