A cyberattack campaign is actively targeting Japan’s technology, telecommunications, entertainment, education, and e-commerce industries. The attackers are exploiting CVE-2024-4577, a critical remote code execution (RCE) vulnerability in PHP-CGI on Windows, to gain initial access to victim systems.
CVE-2024-4577 Exploited for Initial Access
According to a report by Cisco Talos, the malicious activity began in January 2025. Threat actors are leveraging this flaw to infiltrate systems and execute PowerShell scripts that deploy Cobalt Strike reverse HTTP shellcode, ensuring persistent remote access to compromised endpoints.
Once inside, attackers carry out reconnaissance, escalate privileges, and move laterally across networks. Tools such as JuicyPotato, RottenPotato, SweetPotato, Fscan, and Seatbelt aid in these actions. To maintain persistence, they modify Windows Registry settings, create scheduled tasks, and deploy custom services using Cobalt Strike plugins, specifically the “TaoWu” toolset.
Stealth Tactics and Credential Theft
To evade detection, attackers delete event logs using wevtutil commands, erasing traces of their activity from Windows security, system, and application logs. They then execute Mimikatz commands to extract passwords and NTLM hashes from memory, enabling further exploitation of affected systems.
Analysis of the attackers’ command-and-control (C2) servers uncovered that the directory listings were left open, exposing the full range of tools and malicious frameworks hosted on Alibaba Cloud. Among these tools, cybersecurity researchers identified:
Browser Exploitation Framework (BeEF): A publicly available penetration testing tool that enables attackers to execute commands within the browser.
Viper C2: A modular command-and-control framework designed for remote command execution and the deployment of Meterpreter reverse shell payloads.
Blue-Lotus: A JavaScript-based web shell and cross-site scripting (XSS) attack framework. This tool facilitates XSS attacks, screenshot capture, browser cookie theft, reverse shell execution, and unauthorized account creation in content management systems (CMS).
Potential Future Threats
Cisco Talos researchers believe the attackers’ intent extends beyond credential theft. Their ability to establish long-term persistence, gain SYSTEM-level privileges, and utilize advanced adversarial frameworks suggests the likelihood of future, more sophisticated attacks.
Furthermore, given the high-value targets involved, the attack campaign could have broader implications, including espionage, data theft, and financial fraud. The use of publicly available penetration testing tools indicates that threat actors may be leveraging a combination of open-source and proprietary malware to maximize their impact.
The fact that the attackers exposed their directory listings also suggests potential operational security (OpSec) lapses, which could help cybersecurity researchers track and dismantle the infrastructure supporting these attacks. However, despite this error, the effectiveness of the tactics employed indicates a highly skilled and resourceful adversary.
Protecting Against CVE-2024-4577
Given the severity of this vulnerability, organizations—especially in Japan’s tech, telecom, and e-commerce sectors—should take immediate action to secure their networks. Recommended steps include:
Patch and Update Systems: Apply the latest security updates for PHP-CGI on Windows to mitigate the RCE vulnerability.
Monitor Network Activity: Use endpoint detection and response (EDR) solutions to detect anomalous behavior.
Enhance Access Controls: Implement multi-factor authentication (MFA) and least-privilege access policies to limit potential damage from compromised accounts.
Log and Audit Security Events: Regularly review event logs for unusual deletions or unauthorized changes.
Conduct Security Awareness Training: Educate employees about phishing, social engineering, and other initial attack vectors.
Deploy Application Whitelisting: Restrict the execution of unknown scripts and binaries to prevent unauthorized access.
Implement Network Segmentation: Divide networks into isolated segments to limit an attacker’s ability to move laterally.
Use Threat Intelligence Feeds: Stay updated with the latest cybersecurity reports to identify indicators of compromise (IOCs) related to this campaign.
Conclusion
The exploitation of CVE-2024-4577 highlights the increasing sophistication of cyber threats targeting critical industries. With attackers continuously refining their tactics, organizations must remain vigilant, implement robust cybersecurity measures, and proactively hunt for potential threats within their networks.
Given the use of Cobalt Strike and other well-known adversarial tools, security teams should conduct thorough threat-hunting exercises to detect signs of compromise. Additionally, collaborating with industry peers and government cybersecurity agencies can help mitigate the broader risks posed by such sophisticated attack campaigns.
As investigations continue, businesses should remain proactive in applying cybersecurity best practices to mitigate the impact of such advanced threats. The fact that threat actors left traces of their infrastructure exposed online provides a rare opportunity for defenders to analyze and disrupt their operations. However, organizations cannot rely on adversaries’ mistakes alone—proactive defense is essential in this evolving cyber landscape.
By addressing vulnerabilities, strengthening monitoring capabilities, and fostering a security-conscious culture, organizations can better defend against evolving threats and minimize the risks associated with such cyberattacks.
Follow us on 
(Twitter) for real time updates and exclusive content.
Interesting Article : Kibana Security Flaw (CVE-2025-25012), Elastic Issues Critical Fix