Cisco Talos has recently brought to light a series of intricate cyberattacks that have been exploiting a critical vulnerability in PHP to infiltrate Windows systems. These attacks, which have been ongoing since January 2025, have primarily targeted organizations across various sectors in Japan, including technology, telecommunications, entertainment, education, and e-commerce.
The attackers are leveraging CVE-2024-4577, a remote code execution vulnerability found in the PHP-CGI implementation on Windows systems. This significant flaw arises from the “Best-Fit” behavior in Windows code pages, where specific characters in command-line inputs are misinterpreted. Consequently, the PHP-CGI module mistakenly interprets these characters as PHP options, allowing attackers to execute arbitrary PHP code on vulnerable servers running Apache with an affected PHP-CGI setup.
To exploit this vulnerability, the attackers employ a publicly available Python script named “PHP-CGICVE-2024-4577RCE.py.” This script sends meticulously crafted POST requests to targeted URLs, checking for a specific MD5 hash—“e10adc3949ba59abbe56e057f20f883e”—in the response, which confirms successful exploitation.
Once the vulnerability is confirmed, the attackers proceed to execute PowerShell commands through PHP code, enabling them to download and run a PowerShell injector script from their command and control (C2) server. Cisco Talos analysts have traced the attack chain, which begins with this initial exploitation and progresses through privilege escalation, persistence establishment, evasion of detection, lateral movement, and ultimately, credential theft.
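One way to hunt for the exploitation stage described above in web-server telemetry, written here as an added example rather than code from Talos or the article: Apache hands a query string that contains no literal "=" to the CGI binary as command-line arguments, so a request to a php-cgi-handled path whose first argument starts with "-" (a PHP option) or with a non-ASCII byte (a candidate for the Windows Best-Fit mapping the article describes) is worth flagging. The log lines, hosts and query strings are constructed for the example; which specific bytes Best-Fit maps depends on the server's code page, so the rule flags any leading high byte rather than a particular one.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed Apache combined-format access-log lines for demonstration;
# the hosts, paths and query strings are invented, not from the article.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2025:10:01:02 +0900] "POST /php-cgi/php-cgi.exe?%9Dd+example_directive%3D1 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.11 - - [12/Mar/2025:10:01:05 +0900] "GET /index.php?page=home HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Mar/2025:10:02:17 +0900] "POST /test.php?-d+example_directive%3D0 HTTP/1.1" 200 77 "-" "curl/8.4"
203.0.113.13 - - [12/Mar/2025:10:03:40 +0900] "GET /search.php?q=%E6%97%A5%E6%9C%AC HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Request line of the combined log format: client, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Paths that an Apache + PHP-CGI deployment hands to php-cgi.exe (assumption).
PHP_PATH_RE = re.compile(r'(php-cgi|\.php)(/|$)', re.IGNORECASE)


def is_suspicious_request(target: str) -> bool:
    """Flag a request target whose query string looks like a php-cgi option list.

    Apache passes a query string containing no literal '=' to the CGI binary
    as command-line arguments.  A first argument starting with '-' is a PHP
    option; one starting with a non-ASCII byte may be mapped to '-' by the
    Windows Best-Fit conversion.  Which bytes map depends on the server's
    code page, so any leading high byte is flagged (assumption: legitimate
    clients do not send '='-free, non-ASCII queries to php-cgi paths).
    """
    path, sep, query = target.partition('?')
    if not sep or not query or not PHP_PATH_RE.search(path):
        return False
    if '=' in query:          # ordinary key=value query, not passed as argv
        return False
    first_arg = unquote_to_bytes(query.split('+', 1)[0])
    if not first_arg:
        return False
    return first_arg[0] == ord('-') or first_arg[0] >= 0x80


def find_suspicious(log_text: str):
    """Return (client_ip, method, target) for each flagged request line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious_request(m.group('target')):
            hits.append((m.group('ip'), m.group('method'), m.group('target')))
    return hits


if __name__ == '__main__':
    for ip, method, target in find_suspicious(SAMPLE_LOG):
        print(f'suspicious php-cgi request from {ip}: {method} {target}')
```

On the constructed sample the first and third lines are flagged; the ordinary key=value queries, including the UTF-8 encoded Japanese search term, are not. A successful exploit returns the response the attacker's script checks for, so pairing these hits with 200 responses from php-cgi paths narrows the triage set further.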
Post-Exploitation Activities
Following initial access, the attackers deploy a PowerShell injector script that contains either base64-encoded or hexadecimal data blobs of Cobalt Strike reverse HTTP shellcode. Upon execution, this script injects the shellcode into the victim machine’s memory, establishing a connection to the C2 server over HTTP.
A glimpse of the obfuscated PowerShell code reveals the complexity of their methods:
Set-StrictMode -Version 2
function funcgetproc_address {
    Param ($varmodule, $varprocedure)
    # Locate System.dll in the GAC and fetch its internal UnsafeNativeMethods type,
    # which the stager then uses to resolve Win32 API addresses via reflection
    $varunsafenative_methods = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object {
        $_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')
    }).GetType('Microsoft.Win32.UnsafeNativeMethods')
    # (remainder of the function is not shown in the published excerpt)
}
For their post-exploitation activities, the attackers utilize plugins from the “TaoWu” Cobalt Strike kit. They establish persistence by modifying registry keys and creating scheduled tasks with commands such as:
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Svchost /t REG
sharpTask.exe --AddTask Computer|local|hostname|ip 24h:time|12:30 some Servi
In their efforts to evade detection and erase traces of their activities, the attackers clear Windows event logs using commands like:
wevtutil cl security
wevtutil cl system
wevtutil cl application
wevtutil cl "windows powershell"
For lateral movement within the network, the attackers conduct reconnaissance using tools such as “fscan.exe” and “Seatbelt.exe” to identify potential targets:
fscan.exe -h 192[.]168[.]1[.]1/24
Seatbelt.exe -group=Remote -full
Additionally, they exploit Group Policy Objects with “SharpGPOAbuse.exe” to execute malicious PowerShell scripts across the network, ultimately executing Mimikatz commands to extract passwords and NTLM hashes from the memory of compromised machines.
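The persistence, log-clearing, reconnaissance and lateral-movement commands quoted above map cleanly onto process-creation telemetry. The following is an added example (not Talos's code) of a small rule set run over constructed Sysmon-style process records; the stage labels, the sample records and the placeholder arguments are assumptions for the demonstration, while the command patterns come from the article's own indicators plus the Cobalt Strike stager's reflective type lookup shown earlier.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style: image plus
# command line), invented for this example; none come from the article's telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Svchost /t REG_SZ /d "<payload path>"'},
    {"image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil cl security"},
    {"image": r"C:\Windows\System32\wevtutil.exe", "cmdline": "wevtutil qe security /c:5"},  # benign query
    {"image": r"C:\Users\Public\fscan.exe", "cmdline": "fscan.exe -h 192.168.1.1/24"},
    {"image": r"C:\Users\Public\Seatbelt.exe", "cmdline": "Seatbelt.exe -group=Remote -full"},
    {"image": r"C:\Windows\System32\reg.exe", "cmdline": r"reg query HKLM\Software\Microsoft"},  # benign
    {"image": r"C:\Users\Public\SharpGPOAbuse.exe", "cmdline": "SharpGPOAbuse.exe <arguments omitted>"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -nop -w hidden -c "Set-StrictMode -Version 2; ... Microsoft.Win32.UnsafeNativeMethods ..."'},
    {"image": r"C:\Users\Public\sharpTask.exe", "cmdline": "sharpTask.exe --AddTask <arguments omitted>"},
]

# Each rule is (stage, pattern).  Stage names are this example's own labels.
RULES = [
    ("persistence", re.compile(
        r'\breg(\.exe)?\s+add\s+"?HK(LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run', re.I)),
    ("persistence", re.compile(r'\bsharptask(\.exe)?\s+--addtask\b', re.I)),
    ("defense_evasion", re.compile(r'\bwevtutil(\.exe)?\s+(cl|clear-log)\b', re.I)),
    ("discovery", re.compile(r'\b(fscan|seatbelt)(\.exe)?\b', re.I)),
    ("lateral_movement", re.compile(r'\bsharpgpoabuse(\.exe)?\b', re.I)),
    ("credential_access", re.compile(r'\bmimikatz\b|sekurlsa::', re.I)),
    ("injection", re.compile(r'Microsoft\.Win32\.UnsafeNativeMethods', re.I)),
]


def classify(cmdline: str):
    """Return the distinct stages whose patterns match one command line."""
    stages = []
    for stage, pattern in RULES:
        if pattern.search(cmdline) and stage not in stages:
            stages.append(stage)
    return stages


def scan(events):
    """Return (event_index, stage, cmdline) for every matching record."""
    findings = []
    for i, ev in enumerate(events):
        for stage in classify(ev["cmdline"]):
            findings.append((i, stage, ev["cmdline"]))
    return findings


if __name__ == "__main__":
    for idx, stage, cmd in scan(SAMPLE_EVENTS):
        print(f"[{stage}] event {idx}: {cmd}")
```

The `wevtutil` rule keys on the `cl` / `clear-log` verb rather than the binary name, so routine log queries do not fire; a cleared Security log also produces Event ID 1102, which is the usual corroborating signal when the process record itself has been lost.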
While the attackers’ techniques bear resemblance to those employed by a hacker group known as “Dark Cloud Shield” or “You Dun” during their 2024 campaigns, Cisco Talos refrains from attributing the current operations to this group based on the evidence available at this time.
Moreover, researchers have uncovered that the attackers possess access to a pre-configured installer script on their C2 server, capable of deploying a comprehensive suite of adversarial tools and frameworks hosted on an Alibaba cloud container registry. This discovery hints at potential future attack capabilities that extend beyond mere credential harvesting.