PHP-CGI RCE Flaw Exploited in Attacks on Japan’s Tech, Telecom, and E-Commerce Sectors

Mar 07, 2025Ravie LakshmananThreat Intelligence /Vulnerability

Threat actors of unknown provenance have been attributed to a malicious campaign predominantly targeting organizations in Japan since January 2025.

“The attacker has exploited the vulnerability CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines,” Cisco Talos researcher Chetan Raghuprasad said in a technical report published Thursday.

“The attacker utilizes plugins of the publicly available Cobalt Strike kit ‘TaoWu’ for-post exploitation activities.”

Targets of the malicious activity encompass companies across technology, telecommunications, entertainment, education, and e-commerce sectors in Japan.

It all starts with the threat actors exploiting the CVE-2024-4577 vulnerability to gain initial access and run PowerShell scripts to execute the Cobalt Strike reverse HTTP shellcode payload to grant themselves persistent remote access to the compromised endpoint.

The next step entails carrying out reconnaissance, privilege escalation, and lateral movement using tools like JuicyPotato, RottenPotato, SweetPotato, Fscan, and Seatbelt. Additional persistence is established via Windows Registry modifications, scheduled tasks, and bespoke services using the plugins of the Cobalt Strike kit called TaoWu.

“To maintain stealth, they erase event logs using wevtutil commands, removing traces of their actions from the Windows security, system, and application logs,” Raghuprasad noted. “Eventually, they execute Mimikatz commands to dump and exfiltrate passwords and NTLM hashes from memory on the victim’s machine.”

The attacks culminate with the hacking crew stealing passwords and NTLM hashes from the infected hosts. Further analysis of the command-and-control (C2) servers associated with the Cobalt Strike tool has revealed that the threat actor left the directory listings accessible over the internet, thereby exposing the full suite of adversarial tools and frameworks hosted on the Alibaba cloud servers.

Notable among the tools are listed below –

• Browser Exploitation Framework (BeEF), a publicly available pentesting software for executing commands within the browser context
• Viper C2, a modular C2 framework that facilitates remote command execution and generation of Meterpreter reverse shell payloads
• Blue-Lotus, a JavaScript webshell cross-site scripting (XSS) attack framework that enables the creation of JavaScript web shell payloads to conduct XSS attacks, capture screenshots, obtain reverse shell, steal browser cookies, and create new accounts in the Content Management System (CMS)

“We assess with moderate confidence that the attacker’s motive extends beyond just credential harvesting, based on our observation of other post-exploitation activities, such as establishing persistence, elevating to SYSTEM level privilege, and potential access to adversarial frameworks, indicating the likelihood of future attacks,” Raghuprasad said.

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!