Attackers with ties to China pursue long-term access rather than smash-and-grab. They scan for old but still exposed flaws (Log4Shell, Apache Struts RCE, Confluence OGNL, and GoAhead) until one host gives way. Then they live off the land: they schedule tasks, launch msbuild.exe to run hidden payloads, inject into csc.exe, and beacon with low-noise tradecraft. Because they favor persistence over spectacle, they quietly map domain controllers and stage credential theft while teams chase unrelated alerts.
Target and infiltration flow
Operators scanned a public-facing server in early April and probed multiple legacy vectors: CVE-2021-44228 (Log4j), CVE-2022-26134 (Confluence), CVE-2017-9805 (Struts), and CVE-2017-17562 (GoAhead). After days of quiet, they returned, tested outbound reach with curl, and shifted to discovery with netstat. Next, they planted a scheduled task that launched msbuild.exe on a timer. Because msbuild is trusted, EDR often ranks it low-risk unless analysts follow the process tree.
Lineage: msbuild → inject into csc.exe → memory-resident payload
The task chain executed msbuild.exe to run an opaque project. That project injected code into csc.exe, which then opened command-and-control over a single IP. The loader unpacked a memory-resident payload, likely a RAT, leaving a minimal footprint on disk. Because the path uses signed binaries and short bursts of activity, basic signature-based detections rarely fire. Therefore, defenders should track process ancestry and child-process behavior, not just filenames.
Sideloading moves
On selected hosts, the crew executed vetysafe.exe (a legitimate VIPRE component) to sideload a malicious sbamres.dll. Similar DLL names surfaced in operations attributed to Salt Typhoon / Earth Estries, Earth Longzhi (an APT41 sub-cluster), and Space Pirates. The overlap signals shared tooling rather than a single actor. Even so, the tradecraft stays consistent: exploit an older edge, translate that foothold into scheduled execution, and then persist with signed-binary abuse.
Window to AD: credential theft and DCSync
During the dwell period, the operators probed paths toward domain controllers. Their tooling set included DCSync-style replication abuse and an Imjpuexc utility seen in prior campaigns. As a result, once they hold the right group privileges, they can replicate secrets and expand laterally without dropping noisy password-dump tools. Because DCSync traffic looks legitimate, you must alert when non-DC endpoints request replication data.
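The alert described here (and in the FAQ answer on confirming DCSync misuse), as an added example that is not the page's own code: it assumes Security event 4662 auditing is on and that 4624 logons arrive in the same feed; the three replication-right GUIDs are the standard AD values, while the DC addresses, account names and event records are constructed.

```python
"""Added detection example (not the page's own code): flag DCSync-style replication
requests by joining Windows Security event 4662 (a replication control-access right
was exercised on the domain object) to the 4624 logon that carries the source address,
then excluding known domain controllers and directory-sync accounts."""

# Control-access-right GUIDs a DCSync needs; these are the standard AD schema values.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # 4662 AccessMask bit for extended/control-access rights
# Constructed allow-lists; in production build them from AD rather than by hand.
DC_ADDRESSES = {"10.0.0.5", "10.0.0.6"}
ALLOWED_ACCOUNTS = {"DC01$", "DC02$", "MSOL_sync"}


def find_dcsync(events):
    """Return (account, source_ip, rights) for replication requests not from a DC."""
    logons = {e["logon_id"]: e["ip"] for e in events if e["id"] == 4624}
    hits = []
    for e in events:
        if e["id"] != 4662 or not e["access_mask"] & CONTROL_ACCESS:
            continue
        rights = tuple(sorted(REPL_RIGHTS[g] for g in e["properties"] if g in REPL_RIGHTS))
        if not rights:
            continue  # some other extended right, not replication
        src = logons.get(e["logon_id"], "unknown")
        if e["account"] in ALLOWED_ACCOUNTS and src in DC_ADDRESSES:
            continue  # routine DC-to-DC replication
        hits.append((e["account"], src, rights))
    return hits


# Constructed sample: one legitimate DC replication, one DCSync from a workstation,
# and an unrelated 4662 (a property read) that must not fire.
GET_CHANGES = ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]
SAMPLE = [
    {"id": 4624, "logon_id": "0x3e7a1", "account": "DC02$", "ip": "10.0.0.6"},
    {"id": 4662, "logon_id": "0x3e7a1", "account": "DC02$", "access_mask": 0x100, "properties": GET_CHANGES},
    {"id": 4624, "logon_id": "0x8c210", "account": "svc_backup", "ip": "10.0.5.77"},
    {"id": 4662, "logon_id": "0x8c210", "account": "svc_backup", "access_mask": 0x100, "properties": GET_CHANGES},
    {"id": 4662, "logon_id": "0x8c210", "account": "svc_backup", "access_mask": 0x10,
     "properties": ["bf967aba-0de6-11d0-a285-00aa003049e2"]},  # read of a user object
]
```

A DC computer account that replicates from a non-DC address still fires, which is the case the allow-list must not hide.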
Legacy bugs, new channels: from Log4j to misconfigured IIS
Beyond classic CVEs, a Chinese-speaking cluster, REF3927, now harvests publicly exposed ASP.NET machine keys to compromise misconfigured IIS servers. The crew deploys an SEO-cloaking backdoor, "TOLLBOOTH", with web shell features. They can hide content from crawlers, run commands, and drop Godzilla shells or GotoHTTP remote access. Because this route requires no new 0-days, just leaked machine keys and poor hygiene, the campaign scales fast across hosting providers.
Why this works against enterprises
Legacy CVEs linger on perimeter systems. Admins leave msbuild.exe and other LOLBAS unrestricted. Certificate trust and scheduled tasks look harmless in isolation. Meanwhile, SEO cloaking on IIS muddies external signals and buys time. Consequently, the attackers chain quiet steps into durable access while teams rotate through patch cycles that never reach the oldest boxes.
Detection and hunting (prove, no bulky lists)
Track msbuild.exe launched by Task Scheduler and watch for csc.exe as a surprise child with network handles. Hunt for scheduled tasks that run hourly under SYSTEM. Correlate process lineage from network-facing services to the build chain. On the domain side, alert when non-DC hosts request replication privileges or call Directory Replication Service APIs. On the web tier, test IIS for reused machine keys and look for SEO-cloaking modules that alter content for crawlers. To validate an incident, replay the timeline from exploit → task creation → build invocation → code injection → beacon.
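The first hunt above (Task Scheduler → msbuild.exe → csc.exe with a network handle), as an added example that is not the page's own code: it assumes Sysmon-style process-create and network-connect records with the field names shown, and every path, PID, user and address in the sample is constructed.

```python
"""Added hunting example (not the page's own code): flag csc.exe processes whose
lineage is Task Scheduler -> MSBuild.exe -> csc.exe and that open a network
connection, over constructed Sysmon-style events (EID 1 create, EID 3 connect)."""
import ntpath

def basename(path):
    return ntpath.basename(path).lower()

def is_task_scheduler(proc):
    """Task Scheduler host: taskeng/taskhostw, or svchost running the Schedule service."""
    name = basename(proc["image"])
    return name in {"taskeng.exe", "taskhostw.exe"} or (
        name == "svchost.exe" and "-s schedule" in proc["cmd"].lower())

def find_build_chain_beacons(events):
    """Return (csc_pid, user, destination) for each scheduled msbuild->csc chain that beacons."""
    procs = {e["pid"]: e for e in events if e["eid"] == 1}
    net = {}  # pid -> first outbound destination seen
    for e in events:
        if e["eid"] == 3:
            net.setdefault(e["pid"], f'{e["dst"]}:{e["dport"]}')
    hits = []
    for pid, p in procs.items():
        if basename(p["image"]) != "csc.exe" or pid not in net:
            continue  # csc.exe without a network handle is an ordinary compile
        parent = procs.get(p["ppid"])
        if parent is None or basename(parent["image"]) != "msbuild.exe":
            continue
        grand = procs.get(parent["ppid"])
        if grand is not None and is_task_scheduler(grand):
            hits.append((pid, p["user"], net[pid]))
    return hits

# Constructed sample telemetry: a scheduled msbuild chain whose csc.exe beacons,
# plus a developer build (parent devenv.exe) whose csc.exe never touches the network.
FW = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
SAMPLE = [
    {"eid": 1, "pid": 4012, "ppid": 700, "image": r"C:\Windows\System32\svchost.exe",
     "cmd": "svchost.exe -k netsvcs -p -s Schedule", "user": "NT AUTHORITY\\SYSTEM"},
    {"eid": 1, "pid": 5120, "ppid": 4012, "image": FW + r"\MSBuild.exe",
     "cmd": "MSBuild.exe C:\\ProgramData\\upd.proj", "user": "NT AUTHORITY\\SYSTEM"},
    {"eid": 1, "pid": 5188, "ppid": 5120, "image": FW + r"\csc.exe",
     "cmd": "csc.exe /noconfig @tmp.cmdline", "user": "NT AUTHORITY\\SYSTEM"},
    {"eid": 3, "pid": 5188, "dst": "203.0.113.10", "dport": 443},
    {"eid": 1, "pid": 6900, "ppid": 600, "image": r"C:\VS\devenv.exe", "cmd": "devenv.exe", "user": "CORP\\dev1"},
    {"eid": 1, "pid": 7000, "ppid": 6900, "image": FW + r"\MSBuild.exe", "cmd": "MSBuild.exe app.csproj", "user": "CORP\\dev1"},
    {"eid": 1, "pid": 7010, "ppid": 7000, "image": FW + r"\csc.exe", "cmd": "csc.exe app.cs", "user": "CORP\\dev1"},
]
```

The developer build is left in the sample on purpose: MSBuild spawning csc.exe is normal, so the scheduler ancestor and the network handle together are what make the chain worth an alert.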
Mitigation and hardening
Patch the edge first: Log4j, Struts, Confluence, and GoAhead instances exposed to the internet. Rotate any ASP.NET machine keys that may have leaked; regenerate and store them securely. Enforce application control so msbuild.exe cannot run arbitrary projects on servers. Lock down scheduled task creation to admins with logging and approval. On AD, restrict replication rights; alert on DCSync events from non-DCs. Finally, hunt for VIPRE sideloading artifacts and Godzilla/GotoHTTP traces on any IIS host that shows content cloaking.
Operational impact and next steps
Inventory any server that recently exposed the listed CVEs. Review build tools on servers; msbuild.exe rarely belongs on front-end web nodes. Pull a 60-day task history and diff new or modified jobs. Rebind machine keys where IIS hosts share them across tenants. After eviction, run a credential hygiene sprint to rotate high-value secrets and close the post-exploitation path back to DCs.
This campaign reuses old doors and hides in normal tools. Because the flow looks routine (scheduled tasks, msbuild, compiler processes), teams miss the pivot. Close the legacy CVEs, restrict build tools on servers, watch for DCSync from non-DCs, and test IIS for machine-key misuse. If you reduce trust in "it's signed, it's safe," you cut this operation's oxygen.
FAQs
Q: Why do attackers still win with Log4j and Struts today?
A: Many internet-facing systems never received complete fixes. Attackers combine wide scanning with selective follow-up, then trade noise for stealth once inside.
Q: How does IIS machine-key abuse lead to backdoors?
A: If an attacker learns or guesses an app's machineKey, they can authenticate as the server and load modules like TOLLBOOTH without tripping standard checks.
Q: What's the fastest control to block this chain?
A: Remove msbuild.exe from servers and deny its execution via application control. In parallel, rotate machine keys and enforce strict task-creation policies.
Q: How do we confirm DCSync misuse?
A: Alert when non-DC hosts initiate replication. Then review logs for DRS API calls tied to accounts with replication privileges and correlate with task or service creation.
Q: What should we monitor on IIS after cleanup?
A: Watch for SEO-cloaking behavior, unexpected module loads, Godzilla shell traces, and outbound connections from w3wp.exe to unfamiliar hosts.