Distribution of EtherRAT Malware Exploiting React2Shell Vulnerability (CVE-2025-55182)
AhnLab SEcurity intelligence Center (ASEC) recently discovered an advanced malware distribution campaign using Node.js while tracking the recently disclosed React2Shell vulnerability. This attack installs EtherRAT through multiple stages, with the ultimate goal of gaining a foothold, stealing information, and stealing cryptocurrency. After the threat actor accessed the IP address
Bypassing Mark of the Web (MoTW) via Windows Shortcuts (LNK): LNK Stomping Technique
Overview While Windows shortcut (LNK) files are designed for user convenience, they have long been exploited as initial access vectors by threat actors. Since Microsoft strengthened its macro-blocking policies in 2022, attackers have increasingly turned to alternative formats such as ISO, RAR, and LNK files in their attacks. LNK files
Zip Slip, Path Traversal Vulnerability during File Decompression
Overview Path traversal or directory traversal vulnerabilities are security vulnerabilities that occur mainly due to improper validation of user inputs. Attackers can read, modify, or even create new files that are originally inaccessible or located in unintended paths using relative or absolute paths. Although these vulnerabilities have been known for
Ransom & Dark Web Issues Week 2, March 2025
ASEC Blog publishes Ransom & Dark Web Issues Week 2, March 2025. New ransomware group SecP0 demands ransom for corporate vulnerabilities. Pro-Palestinian hacktivist group RipperSec claims DDoS attacks on South Korean telecom companies, public institutions, and education-related websites. Pro-Palestinian hacktivist group Dark Storm Team claims
Mauri Ransomware Threat Actors Exploiting Apache ActiveMQ Vulnerability (CVE-2023-46604)
AhnLab SEcurity intelligence Response Center (ASEC) has covered attack cases targeting the CVE-2023-46604 vulnerability in past blog posts. Systems without the vulnerability patch are still being targeted, and cases show that the attackers' intention is mainly to install CoinMiners. Recently, threat actors using Mauri ransomware have been found exploiting the Apache ActiveMQ vulnerability
Ransom & Dark Web Issues Week 1, October 2024
ASEC Blog publishes Ransom & Dark Web Issues Week 1, October 2024. Personal information of 100,000 Japanese doctors leaked on BreachForums. API vulnerability of a major Saudi bank being traded on BreachForums. UK National Crime Agency announces investigation update on LockBit.
Jenkins Servers in Korea With Exposed Vulnerabilities (CVE-2024-23897, CVE-2024-43044)
Multiple vulnerabilities were announced for Jenkins, a widely used development tool, and some of them are being exploited in actual attacks. It was also found that most Jenkins servers in Korea were exposed to these vulnerabilities. The CVE-2024-23897 vulnerability disclosed earlier this year allows unauthenticated users to read arbitrary files
Android Malware & Security Issue 3rd Week of August, 2024
ASEC Blog publishes “Android Malware & Security Issue 3rd Week of August, 2024”
Ransom & Dark Web Issues Week 2, Jun 2024
ASEC Notes publishes Ransom & Dark Web Issues Week 2, Jun 2024
Warning Against Cisco IOS XE Software Web UI Vulnerabilities (CVE-2023-20198, CVE-2023-20273)
Overview This month, Cisco released a security advisory regarding two vulnerabilities currently being actively exploited in actual attacks: CVE-2023-20198 and CVE-2023-20273. These vulnerabilities are present in the web UI feature of Cisco IOS XE Software. The CVE-2023-20198 vulnerability allows an unauthorized threat actor to create an arbitrary account with level