CyberSum logo
Back

Sophisticated Post-Exploitation Campaign Uncovered by TAMUS

Cyber Security News by CyberSum.net
3 sources
In September 2025, TAMUS Cybersecurity and Elastic Security Labs discovered a global campaign by a threat actor using a malicious IIS module named TOLLBOOTH. The attackers exploited misconfigured IIS web servers, leveraging publicly published ASP.NET machine keys. The campaign, designated REF3927, impacted hundreds of servers across multiple industries. The initial compromise involved deserialization attacks against the ASP.NET ViewState mechanism. Post-compromise activities included the deployment of a Godzilla-forked webshell framework, GotoHTTP RMM tool, and a kernel-mode rootkit. Remediation requires restoring affected servers and generating new, secure ASP.NET machine keys.

Also Read

BRONZE BUTLER Exploits Zero-Day in LANSCOPE Endpoint Manager

In mid-2025, Secureworks CTU researchers uncovered a sophisticated cyber campaign by the BRONZE BUTLER group, exploiting a zero-day vulnerability in Motex LANSCOPE Endpoint Manager. This campaign, which has been ongoing for over a decade, targets specific organizations and government entities. The vulnerability, CVE-2025-61932, allows remote attackers to execute arbitrary commands with SYSTEM privileges. The group used advanced malware like Gokcpdoor and Havoc, alongside legitimate tools for reconnaissance and data exfiltration. International cybersecurity authorities quickly responded, highlighting the severity of the threat.

By Cyber Security News by CyberSum.net