Aggregator

A vulnerability was found in FoundDream miniclawd up to 2d65665046e2222eeea76cafc8570ed546a8c125. It has been classified as critical. This affects the function which of the file /src/application/skills-loader.ts of the component SkillsLoader. Performing a manipulation of the argument requires.bins results in command injection. This vulnerability was named CVE-2026-9453. The attack may be initiated remotely. In addition, an exploit is available. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.

A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. It has been declared as critical. This vulnerability affects the function setOpenVpnCertGenerationCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. Executing a manipulation of the argument servername can lead to os command injection. The identification of this vulnerability is CVE-2026-9454. The attack may be launched remotely. Furthermore, there is an exploit available.

A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. It has been rated as critical. This issue affects the function UploadOpenVpnCert of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument FileName leads to os command injection. This vulnerability is referenced as CVE-2026-9455. Remote exploitation of the attack is possible. Furthermore, an exploit is available.

A vulnerability was found in Apache Airflow FAB provider up to 3.6.3. It has been declared as critical. This issue affects some unknown processing. The manipulation results in ldap injection. This vulnerability is known as CVE-2026-46745. It is possible to launch the attack remotely. No exploit is available. It is recommended to upgrade the affected component.

A vulnerability categorized as critical has been discovered in Kenik KG-5230TAS-IL-3, KG-5230TAS-IL-G3, KG-5230DAS-IL-G3, KG-5260TZAS-IL-3, KG-5260DZAS-IL-3, KG-5260TZAS-IL-G3, KG-5260DZAS-IL-G3 and KG-5260xxxx-IL- 2. The affected element is an unknown function. Such manipulation leads to path traversal. This vulnerability is uniquely identified as CVE-2026-7766. The attack can only be initiated within the local network. No exploit exists. It is advisable to upgrade the affected component.

A vulnerability categorized as critical has been discovered in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function setOpenVpnCfg of the file /cgi-bin/cstecgi.cgi of the component Web Management Interface. The manipulation of the argument enabled results in os command injection. This vulnerability is identified as CVE-2026-9456. The attack can be executed remotely. Additionally, an exploit exists.

Cloud Atlas строит запасные каналы доступа, которые переживают любую «чистку».

Submit #806507 / VDB-360890

Monday recap. Same mess, new week. A sketchy dev tool got people pwned, old bugs came back from the dead, and security products somehow needed protecting from themselves. A bunch of companies spent the week checking old boxes and forgotten servers they should've patched years ago. Good times. Phishing crews are getting smarter too - less obvious scam junk, more targeted stuff that actually

A vulnerability identified as critical has been detected in Krajowa Izba Rozliczeniowa Szafir SDK up to 462. The impacted element is an unknown function of the component Certificate Chain Handler. Performing a manipulation results in unnecessary complexity in protection mechanism. This vulnerability was named CVE-2026-9058. The attack may be initiated remotely. There is no available exploit. You should upgrade the affected component.

A vulnerability was found in Xreader. It has been declared as critical. This impacts the function ev_spawn of the file ev-application.c. The manipulation results in command injection. This vulnerability is cataloged as CVE-2026-46529. The attack may be launched remotely. There is no exploit available. A patch should be applied to remediate this issue.

While Russian-speaking threat actors have historically dominated the phishing-as-a-service (PhaaS) landscape, a rival ecosystem is rapidly growing within the Chinese-language underground. Google Threat Intelligence Group (GTIG) analyzed a dozen current PhaaS offerings in the Chinese underground, all of them mature services and many likely tied intricately to the broader criminal ecosystem in that region. These services not only lower the barrier to entry for Chinese cyber criminals, but reveal broader patterns on the evolution of social engineering and credential theft. Late last year, Google took legal action against one PhaaS provider and has worked since then to endorse legislation and enact technical safeguards against these types of scams.

Within this ecosystem, GTIG has observed a fundamental move away from static password harvesting towards real-time interception and tokenization. By utilizing live administration panels, attackers can interact with victims in real-time to capture one-time passcodes (OTPs), allowing them to bypass multifactor authentication (MFA) instantly.

Instead of simply gaining account access, these operations focus on exploiting digital wallet provisioning to transform stolen payment data into tokenized assets within ecosystems. This shift—combined with the use of encrypted delivery channels like RCS and iMessage to bypass traditional carrier security filters on SMS messages—represents an emerging development where the goal is no longer just a login, but securing direct, unauthorized control over a victim's financial accounts.

Figure 1: Example phishing site chain

The Chinese-Language PhaaS Ecosystem 

The Chinese-language PhaaS ecosystem is not merely a regional mirror of Russian operations – it is a distinct market shaped by a unique professional culture. Nearly all the legitimate organizations mimicked by these phishing services are non-Chinese entities, suggesting they rarely target China.

• Public impact: Unlike the major Russia-based PhaaS offerings that are typically used to target customers of large organizations, phishing services advertised in Chinese-language communities are often designed to target the general public more opportunistically.

• Open Operations: In contrast to their Russian-speaking counterparts, providers of Chinese-language phishing services often operate openly with less regard for operational security. For instance, the threat actors running these services regularly post photos of their luxury lifestyles on Telegram.

• Focus on Telegram: Advertisements for the phishing services are regularly posted to Telegram rather than channels such as WeChat (Weixin) or Tencent QQ, which are regionally more popular. This approach is consistent with the broader Chinese-language cyber crime ecosystem.

• Extensive offering: While PhaaS is at the core of these operations, these developers also typically offer numerous ancillary services, forming a complete, mature, and extensive offering. These include the sale of personally identifiable information (PII), domain name registration and virtual private server (VPS) hosting services, server rentals, money laundering services, eavesdropping devices (International Mobile Subscriber Identity [IMSI] catchers), and message sending services (spamming assistance). Some platform vendors are also involved in trading stolen payment card information. 

Notable Chinese-Language PhaaS TTPs

1. Delivery via RCS and iMessage: These attacks begin by exploiting trust in modern communication. Rather than traditional SMS, these Chinese-language PhaaS operators heavily leverage Rich Communication Services (RCS) and Apple’s iMessage. Protocols that use end-to-end encryption make it difficult for server-side delivery infrastructure to inspect or filter malicious links, which makes on-device protections critical. Messages also contain more extensive engagement features (including read receipts, typing indicators, group chat functionalities, as well as the ability to send high-resolution images, videos, and larger files). This makes them ideal for social engineering operations, as lures appear remarkably legitimate to the average user. 
2. Real-time Interception: When a victim clicks a malicious link and enters their credentials, the data is displayed instantly on an administrative panel. This allows an adversary to interact with the victim in real-time. As the victim is prompted for an OTP, an attacker simultaneously triggers that same OTP request on their own device. The victim enters the code into the phishing page, and the attacker captures it seconds before it expires.
3. Leveraging Digital Wallets for Monetization: A defining characteristic of these operations is their exploitation of digital wallet provisioning to monetize stolen payment details. Attackers use captured credentials and OTPs to provision the victim’s card into a digital wallet on an attacker-controlled device. Once tokenized, the card can be used for high-value transactions, contactless payments, and ATM withdrawals. While payment card data theft is the focus, this ecosystem also develops brokerage-focused templates, which can be used to facilitate traditional account takeovers (ATO) for wire fraud and stock manipulation.
4. AI-Based Automation: Multiple Chinese-language PhaaS operators have adopted AI for their operations to enable scale and stealth. As one example, the Darcula PhaaS platform, which we link to UNC5814, has moved away from static templates, instead utilizing AI-powered page generators and browser automation tools like Puppeteer. This enables users to clone legitimate websites by replicating their HTML, CSS, JavaScript, and visual elements through providing the target website's URL. As each phishing page is unique as opposed to relying on static templates, signature-based detection methods are rendered increasingly ineffective. 

Localization-as-a-Service

The Chinese-speaking PhaaS ecosystem has shifted towards a highly automated model capable of generating localized content for diverse international markets. Unlike traditional phishing kits that have historically relied on static and poorly translated templates, these operators provide the infrastructure for cultural fluency at scale. By offering everything from AI-powered page generators to region-specific delivery assistance, they enable low-skilled affiliates to launch high-fidelity campaigns. 

YY Lai Yu (YY来鱼): A Case Study in Localization

YY Lai Yu (YY来鱼), first advertised in August 2024, is one example of a PhaaS offering that provides a local digital ecosystem. While the platform supports phishing across 119 countries, its largest focus has been on Japan. Managed by a core team including "YY Lai Yu," "Jeffrey Carrie," and "Very casual," the service provides Chinese-speaking threat actors with the localized infrastructure necessary to effectively target the Japanese consumer ecosystem.

Figure 2: A graph of countries targeted by YY Lai Yu (YY来鱼) phishing

Figure 3: A YY Lai Yu (YY来鱼) phishing page targeting a Japanese user’s Apple account

Figure 4: A YY Lai Yu (YY来鱼) phishing page targeting a Japanese user’s PayPay account, the largest Japanese mobile payment app

Since November 2025, YY Lai Yu has offered more than 400 phishing templates to its customers, moving beyond generic banking lures to also target the digital lifestyle of Japanese residents. These templates included various Japanese language and Japanese brands, including for Amazon, Apple, DMM, Epos Card, JA Bank, JCB Card, JR (Rail), Matsui Securities, Mercari, Monex, Nintendo, Nomura Securities, Orico Card, PayPay, Rakuten Securities, and Sagawa Express. However, instead of merely providing fake account pages, the threat actors tapped heavily into local consumer habits by developing "points" (积分) and rewards redemption lures, pressuring victims to redeem supposedly expiring loyalty points for cash or goods. Demonstrating a deep awareness of the local economic climate, the operators also exploited cost-of-living concerns by crafting lures around the Japan Winter Electricity Subsidy. 

By deploying distinct domains that impersonate everything from local transit and payment apps to major e-commerce and gaming platforms, YY Lai Yu provides an example of how comprehensive these PhaaS offerings have become. To protect this highly localized infrastructure, the phishing sites featured a unique human verification anti-bot screen that appeared prior to the actual phishing page. By requiring a manual click to proceed, this mechanism successfully hindered automated analysis by security vendors, adding a layer of stealth to the localized campaign.

Like most other services, YY Lai Yu leverages RCS and iMessage to send encrypted messages in bulk and supports synchronized interactions with victims to harvest payment card and OTP data. The administration panel allows users to query their phished data and blocklist or highlight certain types of cards according to their BIN number, blocklist individual countries or territories, and register and manage new domains for their phishing pages using Alibaba's domain registration service. Additionally, panel administrators can create new operator users and assign them permissions. The service also offers domains that can be purchased within the administration panel. 

While YY Lai Yu showcases a focus on countries like Japan, the broader Chinese PhaaS ecosystem casts a wide global net. GTIG has observed other prominent services routinely deploying automated infrastructure to compromise users across the Americas, Europe, Australia, and the Middle East. 

Outlook 

The continued popularity of these services demonstrates a sustained interest in payment card fraud from China-based threat actors. The multitude of sophisticated PhaaS platforms available for purchase and the threat actors' focus on the exploitation of digital wallet tokenization and MFA bypass demonstrates that the China-based criminal ecosystem continues to evolve, enabling threat actors with limited technical skills to conduct phishing operations. 

Standard phishing security measures (such as user awareness training) remain an important first line of defense. However, the proliferation of the Chinese-language PhaaS ecosystem underscores a need for technical security controls that go beyond user education. For example, transitioning to FIDO2/WebAuthn infrastructure represents an effective countermeasure against the real-time interception of account authentication OTPs. While security keys cannot prevent a user from entering payment details into a novel phishing site directly, increasing the difficulty of leveraging stolen credentials still radically shrinks an adversary's opportunities. These enterprise authentication upgrades should be paired with risk-based verification and device fingerprinting by issuing banks during the digital wallet provisioning process.

As these operators continue to refine their tooling, the goal for defenders must shift from simply "detecting" a phish to making the victim's credentials technically impossible to weaponize. Ongoing and frequent updates to these platforms indicate that Chinese-speaking PhaaS operators are continuing to refine their tooling to maximize global impact.

Written by: Takahiro Sugiyama, Peter Revelant, Mathew Potaczek

Introduction

In late 2025, Mandiant responded to a security incident involving a compromised web server running KnowledgeDeliver. KnowledgeDeliver is a Learning Management System (LMS) developed by Digital Knowledge commonly used in Japan. Mandiant identified a critical vulnerability that allowed unauthenticated Remote Code Execution (RCE). An unknown threat actor leveraged this access to inject malicious code into the LMS platform, with the goal of infecting users visiting the site.

This vulnerability stems from the use of identical pre-shared ASP.NET machine keys across multiple customer deployments. The vulnerability was initially exploited as a zero-day, now tracked as CVE-2026-5426.

The Vulnerability

KnowledgeDeliver installations deployed before Feb. 24, 2026 relied on a standardized web.config file provided by the vendor. This configuration file contained hardcoded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads.

Because these keys were identical across independent customer environments, a threat actor who obtained the keys from one deployment could compromise any other internet-facing KnowledgeDeliver instance.

The following is an example of the relevant configuration line found in the web.config file:

<machineKey decryptionKey="<REDACTED>" validationKey="<REDACTED>" />

The ASP.NET ViewState persists page state across postbacks. When the machineKey is known, a threat actor can craft a malicious ViewState payload. By sending this payload in an HTTP request (via the __VIEWSTATE parameter), the threat actor can make the server deserialize it.

This technique follows the pattern of the ViewState Deserialization Zero-Day Vulnerability affecting Sitecore (previously reported by Mandiant), and Code injection attacks using publicly disclosed ASP.NET machine keys reported by Microsoft. This highlights how it is critical to keep the machine key unique and secure.

Post-Exploitation Activity

Once access was established, the threat actors focused on maintaining their presence and expanding the impact of the compromise.

BLUEBEAM Web Shell Deployment

The threat actor deployed a .NET-based in-memory web shell called BLUEBEAM (also known as Godzilla). The use of BLUEBEAM is consistent with the Microsoft reporting. This malware operates entirely in memory within the IIS worker process (w3wp.exe), making it difficult to detect through traditional file-based scanning. It allows threat actors to execute further commands and payloads by sending encrypted data via HTTP POST request bodies.

File Tampering

The threat actor was observed executing commands to escalate their control over the web server's file system:

1. Permission Modification: The threat actor used icacls to grant "Everyone" full access to the web application directory.

2. JavaScript Tampering: The threat actor modified an application JavaScript file, adding code to perform the following:

• Display a fake security alert, prompting users to install a "security authentication plugin".

• Silently load a remote malicious script hosted on a threat actor-controlled domain.

Cobalt Strike Infection

The remote script convinced users to download a fake installer, which led to workstations being infected with a Cobalt Strike BEACON backdoor. The payload was encrypted using a key that used the name of the compromised organization, which indicated that the threat actor prepared this payload specifically for the targeted organization.

How to Hunt for This Activity

Organizations should monitor for the following indicators to identify potential ViewState exploitation and post-exploitation activity.

1. Application Event Logs (Event ID 1316)

Monitor the Windows Application log for Event ID 1316 from the source ASP.NET 4.0.30319.0 (or similar).

• Failed Attempt (Integrity Failure): Event code: 4009-++-Viewstate verification failed. Reason: The viewstate supplied failed integrity check. May indicate an attack attempt with an incorrect key.

• Successful Execution (Invalid ViewState): Event code: 4009-++-Viewstate verification failed. Reason: Viewstate was invalid. Confirms integrity checks were passed. Deserialization of the payload was attempted and may have succeeded. The payload may or may not have been executed. 

Mandiant decrypted payload strings recorded in the event log messages with the server’s machine keys and recovered a payload related to a BLUEBEAM web shell.

2. Suspicious Process Activity

Monitor for unusual child processes spawned by w3wp.exe. Commands observed include:

• cmd.exe /c ...

• whoami

• powershell.exe

3. File Integrity Monitoring

Monitor for unauthorized changes to .js, .aspx, or .config files within the web root. Specifically, look for the addition of remote script loaders or unusual logic in commonly used libraries.

4. Anomalous User-Agent Strings

Mandiant identified User-Agent strings consisting of two distinct identifiers concatenated together, which were consistent with ones reported in ViewState Deserialization Zero-Day vulnerability. Monitor for web request logs for such anomalous User-Agent strings. The following are examples of identified User-Agent strings:

• Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.2 (KHTML, like Gecko) Chrome/22.0.1216.0 Safari/537.2 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36

• Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101213 Opera/9.80 (Windows NT 6.1; U; zh-tw) Presto/2.7.62 Version/11.01 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36

• Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) chromeframe/10.0.648.205 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36

Remediation and Mitigation

• Rotate Machine Keys: Immediately generate a unique, cryptographically strong machine key for each KnowledgeDeliver instance. This is the only way to invalidate the shared secret.

• Restrict Access: If possible, limit access to the LMS to known organizational IP address ranges.

• Investigation: Hunt for this activity, and conduct a thorough investigation if any signs of exploitation are identified.

Outlook and Implications

The exploitation of KnowledgeDeliver highlights the severe risks of using shared secrets in deployment templates. A single leaked key can compromise an entire ecosystem of installations. By implementing unique secrets and robust endpoint monitoring, organizations can defend against these deserialization attacks.

Indicators of Compromise (IOCs)

To assist the wider community in hunting and identifying activity outlined in this blog post, we have included indicators of compromise (IOCs) in a free GTI Collection for registered users.

File Name

Type

SHA-256

LoadLibrary.dll

BLUEBEAM

7c1f99dca8e5a7897892f9d224a6495023a2cfd2671697d229d355978c415ed2

Google Security Operations (SecOps) 

The following SecOps searches can be used to hunt for this activity.

(metadata.log_type = "WINEVTLOG" or metadata.log_type = "WINEVTLOG_XML") metadata.product_event_type = "1316" additional.fields["Message"] = /Event code: 4009\b/ nocase (metadata.event_type = "PROCESS_LAUNCH" or metadata.event_type = "PROCESS_OPEN") AND principal.process.command_line = /w3wp.exe/ nocase AND target.process.command_line = /cmd.+ \/c |whoami|powershell/ nocase

SecOps customers have access to the following rules and more under the Mandiant Hunting Rules, Mandiant Frontline Threats, Mandiant Intel Emerging Threats rule packs:

• ASP.NET ViewState Deserialization Attempt

• W3wp Launching Cmd With Recon Commands

• W3wp Launching Encoded Powershell

• W3wp Launching Icacls

• Web Server Process Launching Whoami

• IIS ViewState Exploitation Success

• IIS ViewState Exploitation Followed by Web Root File Tampering

• Possible Windows Exchange Server Spawning Shell

Acknowledgements

Mandiant would like to extend our thanks to the Digital Knowledge team for their collaboration regarding this disclosure.

Пакистанские СМИ заявили о победах J-10CE над Eurofighter Typhoon.

Authorities in the Netherlands have arrested the co-owners of two related Internet hosting companies for operating IT infrastructure used by Russia to carry out cyberattacks, influence operations and disinformation campaigns inside the European Union. The two men were the focus of a 2025 KrebsOnSecurity story about how their hosting companies had assumed control over the technical infrastructure of Stark Industries Solutions, an Internet service provider sanctioned last year by the EU as a frequent staging ground for cyber mischief from Russia's intelligence agencies.