CyberSecurityBoard
Sponsor Register Login

Threat Actors Exploiting Windows & Linux Servers Vulnerability to Deploy Web Shell

A sophisticated cyber attack campaign targeting South Korean web servers has emerged, with threat actors deploying MeshAgent and SuperShell malware to compromise both Windows and Linux infrastructure. Evidence suggests the threat actors maintain operations across both Windows IIS servers and Linux systems, indicating a well-resourced operation with cross-platform capabilities that spans multiple operating system architectures. The discovered malware repository contains WogRAT, a backdoor that shares infrastructure with previous attack campaigns, suggesting operational continuity by the same threat group across multiple attack vectors. The campaign represents a significant evolution in web server exploitation tactics, where attackers initially gain access through vulnerable file upload mechanisms before deploying an arsenal of reconnaissance and persistence tools. The researchers noted that these tools, combined with Chinese-language reconnaissance utilities like Fscan and Ladon, strongly indicate Chinese-speaking threat actors orchestrating the campaign through coordinated infrastructure management. The multi-platform assault demonstrates an escalation in attack complexity, as adversaries leverage file upload vulnerabilities to establish persistent footholds across diverse server environments. This methodical approach demonstrates advanced persistent threat characteristics, with the ultimate objective remaining undetermined but potentially involving sensitive data exfiltration or ransomware deployment across organizational infrastructure. Following initial reconnaissance, the threat actors deploy SuperShell, a Go-language reverse shell supporting Windows, Linux, and Android platforms. The malware establishes persistence through MeshAgent, which provides comprehensive remote management functions including file transfer, command execution, and web-based remote desktop access. The attack methodology follows a systematic approach beginning with web shell deployment through file upload vulnerabilities in web server configurations.

This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 27 Jun 2025 15:15:12 +0000


Cyber News related to Threat Actors Exploiting Windows & Linux Servers Vulnerability to Deploy Web Shell

Staying ahead of threat actors in the age of AI - At the same time, it is also important for us to understand how AI can be potentially misused in the hands of threat actors. In collaboration with OpenAI, today we are publishing research on emerging threats in the age of AI, focusing on identified ...
1 year ago Microsoft.com Kimsuky
Operation Morpheus took down 593 Cobalt Strike servers used by threat actors - Threat actors actively exploit D-Link DIR-859 router flaw CVE-2024-0769. Experts released PoC exploit code for a critical bug in Progress Telerik Report Servers. Threat actors may have exploited a zero-day in older iPhones, Apple warns. Nation-state ...
11 months ago Securityaffairs.com CVE-2024-0769 CVE-2022-38028 CVE-2023-49103 CVE-2023-46747 CVE-2023-46748 CVE-2023-4966 APT28
CVE-2021-36845 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities in YITH Maintenance Mode (WordPress plugin) versions < 1.3.8, there are 46 vulnerable parameters that were missed by the vendor while patching the 1.3.7 version to 1.3.8. ...
3 years ago
CVE-2024-36886 - In the Linux kernel, the following vulnerability has been resolved: ...
1 year ago
TeamCity Intrusion Saga: APT29 Suspected Among the Attackers Exploiting CVE-2023-42793 - As part of this analysis, we look at threat actor TTPs employed throughout the intrusion and how they were identified and pieced together by the FortiGuard IR team. The following section of this report focuses on the activities of one of these threat ...
1 year ago Feeds.fortinet.com CVE-2023-42793 APT29
CERT-UA warns of malware campaign conducted by threat actor UAC-0006 - Threat actors may have exploited a zero-day in older iPhones, Apple warns. Microsoft fixed two zero-day bugs exploited in malware attacks. Threat actors actively exploit JetBrains TeamCity flaws to deliver malware. Recent DarkGate campaign exploited ...
1 year ago Securityaffairs.com CVE-2023-49103 CVE-2023-46747 CVE-2023-46748 CVE-2023-4966 CVE-2023-3519
Vulnerability Summary for the Week of March 4, 2024 - Published 2024-03-06 CVSS Score not yet calculated Source & Patch Info CVE-2023-52584416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - ...
1 year ago Cisa.gov
Vulnerability Summary for the Week of March 11, 2024 - Published 2024-03-15 CVSS Score not yet calculated Source & Patch Info CVE-2021-47111416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - Product linux - linux Description In the ...
1 year ago Cisa.gov
New ATM Malware family emerged in the threat landscape - Threat actors may have exploited a zero-day in older iPhones, Apple warns. Microsoft fixed two zero-day bugs exploited in malware attacks. Threat actors actively exploit JetBrains TeamCity flaws to deliver malware. Raspberry Robin spotted using two ...
1 year ago Securityaffairs.com CVE-2023-49103 CVE-2023-46747 CVE-2023-46748 CVE-2023-4966
Threat actors actively exploit D-Link DIR-859 router flaw - MUST READ. Threat actors actively exploit D-Link DIR-859 router flaw CVE-2024-0769. Expert released PoC exploit code for Veeam Backup Enterprise Manager flaw CVE-2024-29849. CISA adds D-Link DIR router flaws to its Known Exploited Vulnerabilities ...
11 months ago Securityaffairs.com CVE-2024-0769 CVE-2024-29849 CVE-2022-38028 CVE-2024-0204 CVE-2023-49103 CVE-2023-46747 CVE-2023-46748 CVE-2023-20198 CVE-2023-4966 CVE-2023-40044 CVE-2023-38035 APT28
Threat actors actively exploit D-Link DIR-859 router flaw - MUST READ. Threat actors actively exploit D-Link DIR-859 router flaw CVE-2024-0769. Expert released PoC exploit code for Veeam Backup Enterprise Manager flaw CVE-2024-29849. CISA adds D-Link DIR router flaws to its Known Exploited Vulnerabilities ...
11 months ago Securityaffairs.com CVE-2024-0769 CVE-2024-29849 CVE-2022-38028 CVE-2024-0204 CVE-2023-49103 CVE-2023-46747 CVE-2023-46748 CVE-2023-20198 CVE-2023-4966 CVE-2023-40044 CVE-2023-38035 APT28
Threat Actors Exploiting Windows & Linux Servers Vulnerability to Deploy Web Shell - A sophisticated cyber attack campaign targeting South Korean web servers has emerged, with threat actors deploying MeshAgent and SuperShell malware to compromise both Windows and Linux infrastructure. Evidence suggests the threat actors maintain ...
3 hours ago Cybersecuritynews.com
Threat actors misuse OAuth applications to automate financially driven attacks - Threat actors are misusing OAuth applications as an automation tool in financially motivated attacks. Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious ...
1 year ago Microsoft.com
Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours - In late December 2022, we observed threat actors exploiting a publicly exposed Remote Desktop Protocol host, leading to data exfiltration and the deployment of Trigona ransomware. On Christmas Eve, within just three hours of gaining initial access, ...
1 year ago Thedfirreport.com Trigona
20 Best Endpoint Management Tools - 2025 - What is Good?What Could Be Better?Comprehensive endpoint security against many threats.The user interface may overwhelm some users.Machine learning for real-time threat detection.Integration with existing systems may be complex.A central management ...
2 months ago Cybersecuritynews.com
Web Shells Gain Sophistication for Stealth, Persistence - Web shells, a common type of post-exploitation tool that provides easy-to-use interface through which to issue commands to a compromised server, have become increasingly popular as attackers become more cloud-aware, experts say. A Web shell known as ...
1 year ago Darkreading.com
Godzilla Web Shell Attacks Stomp on Critical Apache ActiveMQ Flaw - Threat actors have unleashed a fresh wave of cyberattacks targeting a critical remote code-execution vulnerability in Apache ActiveMQ, for which the Apache Software Foundation issued a patch back in October. In many of the attacks, the adversary has ...
1 year ago Darkreading.com CVE-2023-46604
TellYouThePass ransomware joins Apache ActiveMQ RCE attacks - Internet-exposed Apache ActiveMQ servers are also targeted in TellYouThePass ransomware attacks targeting a critical remote code execution vulnerability previously exploited as a zero-day. The flaw, tracked as CVE-2023-46604, is a maximum severity ...
1 year ago Bleepingcomputer.com CVE-2023-46604
Automating Threat Intelligence Enrichment In Your SIEM With MISP - In conclusion, automating threat intelligence enrichment between MISP and your SIEM using Python is a transformative step for any security operations center. This article explores how to architect, implement, and operationalize automated threat ...
2 months ago Cybersecuritynews.com
How to Overcome the Most Common Challenges with Threat Intelligence - Today's typical approach to threat intelligence isn't putting organizations in a place to do that. Instead, many threat intelligence tools are delivering too much uncurated and irrelevant information that arrives too late to act upon. Organizations ...
1 year ago Cyberdefensemagazine.com Hunters
How To Implementing MITRE ATT&CK In SOC Workflows - A Step-by-Step Guide - By understanding the framework, mapping your current capabilities, developing targeted detection and response strategies, and integrating ATT&CK into your tools and processes, you can build a proactive, threat-informed defense that evolves ...
2 months ago Cybersecuritynews.com
Turkish Cyber Threat Targets MSSQL Servers With Mimic Ransomware - A sophisticated attack campaign codenamed RE#TURGENCE by researchers has been discovered infiltrating Microsoft SQL database servers across the United States, European Union, and Latin America, with the primary aim of deploying Mimic ransomware ...
1 year ago Darkreading.com
New Tool Set Found Used Against Organizations in the Middle East, Africa and the US - Unit 42 researchers observed a series of apparently related attacks against organizations in the Middle East, Africa and the U.S. We will discuss a set of tools used in the course of the attacks that reveal clues about the threat actors' activity. We ...
1 year ago Unit42.paloaltonetworks.com
LockBit attacks continue via ConnectWise ScreenConnect flaws - Exploitation of two critical ConnectWise vulnerabilities continues to mount, with many attacks attributed to ransomware gangs such as LockBit. Last month, ConnectWise disclosed an authentication bypass vulnerability, tracked as CVE-2024-1708, that ...
1 year ago Techtarget.com CVE-2024-1708 CVE-2024-1709 LockBit
What Is Threat Modeling? - Threat modeling emerges as a pivotal process in this landscape, offering a structured approach to identify, assess, and address potential security threats. Threat Modeling Adoption and Implementation The successful adoption of threat modeling within ...
1 year ago Feeds.dzone.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)