# Exploitation of CVE-2024-4577 in Targeted Attacks Against Japan

## Summary

Cisco Talos has uncovered an ongoing cyberattack campaign targeting organizations in Japan since January 2025. The attacker is exploiting CVE-2024-4577, a remote code execution vulnerability in the PHP-CGI implementation on Windows, to gain initial access. Post-exploitation activities involve the use of "TaoWu," a publicly available Cobalt Strike plugin, alongside a preconfigured installer script found on the command and control (C2) server. This script deploys multiple adversarial tools hosted on an Alibaba Cloud container registry, underscoring the risk of such resources being misused for malicious purposes. Further investigation revealed attempts to steal credentials, but evidence suggests broader objectives, including persistence, SYSTEM-level privilege escalation, and access to additional adversarial frameworks.

Cisco Talos' analysis of command and control (C2) server artifacts indicates that the attacker primarily targets organizations in Japan across various industries, including technology, telecommunications, entertainment, education, and e-commerce.

## Technical Details

The attacker exploits CVE-2024-4577, a remote code execution flaw in PHP-CGI on Windows, to gain initial access. Upon successful exploitation, they execute a PowerShell script to deploy a Cobalt Strike reverse HTTP shell, ensuring remote control over the compromised system. They conduct reconnaissance by gathering system details and user privileges before escalating access using exploits like JuicyPotato, RottenPotato, and SweetPotato to obtain SYSTEM-level privileges. Persistence is established through registry modifications, scheduled tasks, and malicious services, leveraging Cobalt Strike’s “TaoWu” plugins. To evade detection, the attacker clears event logs using wevtutil commands and conducts network reconnaissance with tools like “fscan.exe” and “Seatbelt.exe” to identify lateral movement opportunities. Additionally, they attempt to exploit Group Policy Objects with “SharpGPOAbuse.exe” for executing malicious PowerShell scripts across the network. Finally, credentials are stolen using Mimikatz to extract passwords and NTLM hashes from memory.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1742881177504/9bf9ff1a-9aa4-43bf-a8ab-9a43f45d0b87.png align="center")

### Initial access

Cisco Talos identified that the attacker gains initial access by exploiting CVE-2024-4577, a critical RCE vulnerability in PHP-CGI on Windows. This flaw stems from how Windows code pages handle character replacements, allowing attackers to execute arbitrary PHP code on vulnerable servers. The attacker uses a publicly available exploit script, PHP-CGI\_CVE-2024-4577\_RCE.py, to check for vulnerabilities and execute PHP commands remotely.
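As an added example (not code from the Talos report), the following Python script scans web-server access logs for the request shape behind CVE-2024-4577: on affected Windows code pages the Best-Fit mapping turns the soft hyphen (0xAD, sent URL-encoded as `%AD`) into a hyphen, so a query string can be read by php-cgi as a command-line option. The log lines are constructed samples, and the function and rule names are the author's own.

```python
import re
from urllib.parse import unquote

# Constructed "combined" format access-log lines (sample input, not from the report).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2025:10:01:02 +0900] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jan/2025:10:02:15 +0900] "POST /php-cgi/php-cgi.exe?%ADd+allow_url_include%3D1 HTTP/1.1" 200 88 "-" "python-requests/2.31"
203.0.113.7 - - [12/Jan/2025:10:04:01 +0900] "GET /page.php?id=1%2Dd HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# U+00AD: Best-Fit maps it to '-' (0x2D), turning a query argument into a php-cgi option.
SOFT_HYPHEN = "\xad"


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_cve_2024_4577_attempt(target):
    """True if the request target carries a soft hyphen followed by an option letter."""
    _path, _, query = target.partition("?")
    if not query:
        return False
    # Decode as latin-1 so %AD becomes U+00AD instead of a UTF-8 replacement character.
    decoded = unquote(query, encoding="latin-1")
    # A plain encoded hyphen (%2D) is NOT the bug: only the soft hyphen is Best-Fit mapped.
    return re.search(SOFT_HYPHEN + r"[A-Za-z]", decoded) is not None


def scan_log(text):
    """Return (client ip, request target) for every line that looks like an exploitation attempt."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_cve_2024_4577_attempt(rec["target"]):
            hits.append((rec["ip"], rec["target"]))
    return hits


if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"possible CVE-2024-4577 attempt from {ip}: {target}")
```

The decoded-character check also catches mixed-case encodings such as `%ad` that a literal string match on `%AD` would miss.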

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1742881198653/fd2e9bec-60f8-4792-aa87-832a7cb2248e.png align="center")

In this intrusion, the attacker embedded a PowerShell command within PHP code to trigger infection, leading to the download and execution of a PowerShell injector script in memory. This script contains a base64-encoded or hexadecimal Cobalt Strike reverse HTTP shellcode, which is injected into memory and connects to the C2 server 38\[.\]14\[.\]255\[.\]23 over HTTP port 8077. The connection uses specific URL paths ("/6Qeq" or "/jANd") and predefined user-agent strings to evade detection.

Once the shellcode establishes remote access, the attacker executes commands from the Cobalt Strike server using plugins from the TaoWu Cobalt Strike kit, facilitating post-exploitation activities such as privilege escalation, persistence, and credential theft.

### Reconnaissance

The attacker conducts reconnaissance by collecting system and user details from the victim's machine. They remotely execute commands such as whoami /all to retrieve user privileges, dir to list directory contents, and net time to check the system’s time settings and verify time synchronization.

### Privilege escalation

The attacker attempts privilege escalation using JuicyPotato, RottenPotato, and SweetPotato exploits, which abuse Windows authentication and impersonation token handling to gain SYSTEM privileges. While Microsoft has patched these vulnerabilities in newer Windows versions, processes with the SeImpersonatePrivilege permission remain at risk. Additionally, the attacker leverages Ladon.exe, a plugin from the TaoWu Cobalt Strike kit, to bypass User Account Control (UAC) and execute malicious payloads on the victim machine.

### Persistence

The attacker establishes persistence by modifying registry keys, creating scheduled tasks, and configuring system services using commands and .NET plugins from the TaoWu Cobalt Strike kit. They use the reg add command to add the beacon executable path to the Run registry key, ensuring execution at startup. Additionally, they execute sharpTask.exe to schedule tasks, SharpHide.exe to create hidden registry keys, and SharpStay.exe to set up malicious services, allowing continued access to the compromised system.

### Detection evasion

The attacker attempts to cover their tracks by clearing Windows event logs using wevtutil.exe, a living-off-the-land binary (LoLBin). They execute commands to erase logs from security, system, application, and PowerShell event logs, removing forensic evidence of their activities on the compromised machine.
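The persistence and log-clearing commands described in the two sections above all leave process-creation telemetry (Sysmon Event ID 1 or Security Event ID 4688). As an added example that is not part of the report, the Python below triages constructed process-creation events for the Run-key, scheduled-task, service and wevtutil patterns named on this page; the event records, rule names and file paths are the author's own assumptions.

```python
import re

# Constructed process-creation events (Sysmon EID 1 / Security 4688 style); sample input, not from the report.
EVENTS = [
    {"Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security",
     "ParentImage": r"C:\Windows\Temp\beacon.exe"},
    {"Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": 'wevtutil cl "Microsoft-Windows-PowerShell/Operational"',
     "ParentImage": r"C:\Windows\Temp\beacon.exe"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d "C:\Windows\Temp\beacon.exe"',
     "ParentImage": r"C:\Windows\Temp\beacon.exe"},
    {"Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe qe Security /c:5",   # a query, not a clear: must not fire
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": r'sc create updsvc binPath= "C:\Windows\Temp\beacon.exe" start= auto',
     "ParentImage": r"C:\Windows\Temp\beacon.exe"},
]

# Each rule is (finding name, regex over the command line). Log clearing also produces
# Security EID 1102 / System EID 104, which are an independent second signal.
RULES = [
    ("event_log_cleared", r"wevtutil(\.exe)?\s+(cl|clear-log)\b"),
    ("run_key_persistence", r"reg(\.exe)?\s+add\s+.*\\CurrentVersion\\(Run|RunOnce)\b"),
    ("scheduled_task_created", r"schtasks(\.exe)?\s+/create\b"),
    ("service_created", r"sc(\.exe)?\s+(create|config)\b.*binPath="),
]


def classify(event):
    """Return the names of every rule the event's command line matches."""
    cmd = event.get("CommandLine", "")
    return [name for name, pat in RULES if re.search(pat, cmd, re.IGNORECASE)]


def triage(events):
    """Flatten matches into findings that keep the parent process for pivoting."""
    findings = []
    for ev in events:
        for tag in classify(ev):
            findings.append({"tag": tag, "parent": ev.get("ParentImage", ""), "cmd": ev["CommandLine"]})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"[{f['tag']}] parent={f['parent']} cmd={f['cmd']}")
```

Grouping findings by parent image, as the output does, surfaces the pattern seen here: one unsigned binary spawning both the persistence commands and the log clearing.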

### Lateral movement

The attacker conducts network reconnaissance and lateral movement using fscan.exe and Seatbelt.exe to gather system details, identify accessible machines, and locate remote access configurations. They upload fscan.exe to the victim machine to scan the network for live hosts, open ports, and services. Using SharpGPOAbuse.exe, they manipulate Group Policy Objects (GPOs) to schedule a malicious PowerShell task across the network. The attacker also attempts unauthorized SSH access by brute-forcing credentials and injecting public keys. Additionally, they leverage fscan.exe to open a reverse shell, gaining remote control over compromised machines while executing commands stealthily.

### Credential access and exfiltration

The attacker uses Mimikatz to dump credentials from the victim machine’s memory, specifically targeting plaintext passwords and NTLM hashes stored in the LSASS process. By executing the sekurlsa::logonpasswords command, they extract login credentials, which can be used for privilege escalation and lateral movement. The stolen credentials are then exfiltrated over the attacker's command and control (C2) channel, enabling further access to the victim's network.

### Possible Attribution and Similar Attacks

The attacker exploited vulnerabilities in targeted systems to gain initial access and deployed Cobalt Strike reverse HTTP beacons for persistent remote access. They leveraged the TaoWu Cobalt Strike kit, utilizing tools such as sharpTask.exe, SharpHide.exe, SharpStay.exe, Ladon.exe, fscan.exe, and Mimikatz for post-exploitation activities. Similar tactics were previously linked to the hacker group “Dark Cloud Shield” (aka You Dun) in 2024, as reported by the DFIR Report. However, no direct attribution to You Dun has been made in this case, as the attack activity ceased after harvesting credentials from the victim’s machine, with no further malicious operations observed.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1742881257061/e9158a8c-943d-465a-818e-8e690be49e93.png align="center")

## Exploitation of Offensive Security Tools for Malicious Activities

The attacker used two C2 servers, 38\[.\]14\[.\]255\[.\]23 and 118\[.\]31\[.\]18\[.\]77, hosted on Alibaba Cloud and running Cobalt Strike team servers. One of the servers (38\[.\]14\[.\]255\[.\]23) had an exposed root directory, revealing PowerShell scripts, Cobalt Strike beacon executables, exploits, and command execution logs.

Analysis showed the attacker downloaded and executed LinuxEnvConfig.sh from the yijingsec repository on Gitee, linked to Yijing Network Security Academy. The script configures environments for Ubuntu, Debian, and Kali Linux, deploying security tools such as Vulfocus, ARL, Viper C2, Starkiller, BeEF, and Blue-Lotus via Alibaba Cloud’s container registry.

It also modifies the system's DNS settings to 114\[.\]114\[.\]114\[.\]114, a Chinese 114DNS service. While attackers commonly abuse tools like Cobalt Strike, Metasploit, and PowerShell Empire, we rarely see them using Blue-Lotus, BeEF, and Viper C2.

### Blue-Lotus

Blue-Lotus is a Docker-based JavaScript webshell and XSS attack framework developed by Firesun\[.\]me and the Blue Lotus team from Tsinghua University. Its administrative panel, primarily in Chinese, features an XSS dashboard that logs victim details such as IP addresses and browsers. The framework allows attackers to generate JavaScript webshell payloads for malicious activities, including executing XSS attacks, capturing screen data, obtaining reverse shell access, stealing browser cookies, and creating unauthorized CMS user accounts.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1742881295490/0f3c8065-c3f3-487e-a4c1-e00f79c23e36.png align="center")

### BeEF

BeEF is a publicly available browser exploitation framework that enables attackers to hook into victim web browsers and execute commands within the browser context. It contains command modules with JavaScript code that allow attackers to identify XSS vulnerabilities in web pages, submit arbitrary requests on behalf of the hooked browser, interact with local network hosts, and send commands to victim systems using WebRTC communication.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1742881316086/054f1d70-e630-406d-8709-e6b6b620d28c.png align="center")

### Viper C2

Viper C2 is a modular command-and-control (C2) framework with multiple plugins and scripts, offering extensive post-exploitation capabilities. It integrates with Metasploit’s Meterpreter console and scripts, allowing attackers to bypass antivirus software, create intranet tunnels, manage files on remote machines, execute remote commands, generate Meterpreter reverse shell payloads for Windows, Linux, and macOS, and visualize the network topology of a compromised environment.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1742881335194/ac6f10df-1e9b-413f-923b-bbab3905ba7f.png align="center")

## Conclusion

The ongoing cyberattack campaign targeting organizations in Japan highlights the persistent and evolving nature of adversary tactics. By exploiting CVE-2024-4577, attackers gain initial access to vulnerable systems, leveraging publicly available exploit scripts and open-source adversarial frameworks such as Cobalt Strike, Blue-Lotus, BeEF, and Viper C2. Their use of pre-configured installer scripts and containerized malware deployment via Alibaba Cloud further demonstrates the increasing sophistication of cyber threats.

The attack lifecycle involves reconnaissance, privilege escalation, persistence, detection evasion, lateral movement, and credential theft—tactics that align with previously observed cyber campaigns. Although no direct attribution has been established, the methodologies bear similarities to those used by groups such as "Dark Cloud Shield" (You Dun), emphasizing the need for ongoing vigilance and threat intelligence monitoring.
