Defence Impairment Olympics

· Published 30/06/2026 04:01

Essential information

Published
30/06/2026 04:01
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
coldfusion exploitation, credential dumping, cve-2023-26360, cve-2023-29298, cve-2023-29300, defence evasion, defence impairment, iis server, mimikatz, steganography, timestomping, wdigest, webshell
Related entities
3 vulnerabilities (cve), 6 indicators, 1 malware

Description

A sophisticated attack sequence was detected beginning June 7 involving a steganographically hidden on a vulnerable Adobe ColdFusion server. The threat actor executed extensive enumeration commands before deploying approximately a dozen defence impairment techniques. These included disabling IIS logging, tampering with Microsoft Defender, file metadata, killing the Sysmon and Filebeat processes, uninstalling the ModSecurity WAF, downgrading WDigest credential protection, and using a WMI event consumer to clear Windows Event Logs. A batch script named i.bat revealed the complete attack chain, culminating in . The attack persisted through multiple remediation attempts because the vulnerable server was reconnected before patching was complete, allowing the threat actor to maintain access and continue operations over several days.

External references