Full Report
Written by: Takahiro Sugiyama, Peter Revelant, Mathew Potaczek Introduction In late 2025, Mandiant responded to a security incident involving a compromised web server running KnowledgeDeliver. KnowledgeDeliver is a Learning Management System (LMS) developed by Digital Knowledge commonly used in Japan. Mandiant identified a critical vulnerability that allowed unauthenticated Remote Code Execution (RCE). An unknown threat actor leveraged this access to inject malicious code into the LMS platform, with the goal of infecting users visiting the site. This vulnerability stems from the use of identical pre-shared ASP.NET machine keys across multiple customer deployments. The vulnerability was initially exploited as a zero-day, now tracked as CVE-2026-5426. The Vulnerability KnowledgeDeliver installations deployed before Feb. 24, 2026 relied on a standardized web.config file provided by the vendor. This configuration file contained hardcoded machineKey values used by the ASP.NET framework to encrypt and sign data, including ViewState payloads. Because these keys were identical across independent customer environments, a threat actor who obtained the keys from one deployment could compromise any other internet-facing KnowledgeDeliver instance. The following is an example of the relevant configuration line found in the web.config file: " validationKey="" /> The ASP.NET ViewState persists page state across postbacks. When the machineKey is known, a threat actor can craft a malicious ViewState payload. By sending this payload in an HTTP request (via the __VIEWSTATE parameter), the threat actor can make the server deserialize it. This technique follows the pattern of the ViewState Deserialization Zero-Day Vulnerability affecting Sitecore (previously reported by Mandiant), and Code injection attacks using publicly disclosed ASP.NET machine keys reported by Microsoft. This highlights how it is critical to keep the machine key unique and secure. Post-Exploitation Activity Once access was established, the threat actors focused on maintaining their presence and expanding the impact of the compromise. BLUEBEAM Web Shell Deployment The threat actor deployed a .NET-based in-memory web shell called BLUEBEAM (also known as Godzilla). The use of BLUEBEAM is consistent with the Microsoft reporting. This malware operates entirely in memory within the IIS worker process (w3wp.exe), making it difficult to detect through traditional file-based scanning. It allows threat actors to execute further commands and payloads by sending encrypted data via HTTP POST request bodies. File Tampering The threat actor was observed executing commands to escalate their control over the web server's file system: Permission Modification: The threat actor used icacls to grant "Everyone" full access to the web application directory. JavaScript Tampering: The threat actor modified an application JavaScript file, adding code to perform the following: Display a fake security alert, prompting users to install a "security authentication plugin". Silently load a remote malicious script hosted on a threat actor-controlled domain. Cobalt Strike Infection The remote script convinced users to download a fake installer, which led to workstations being infected with a Cobalt Strike BEACON backdoor. The payload was encrypted using a key that used the name of the compromised organization, which indicated that the threat actor prepared this payload specifically for the targeted organization. How to Hunt for This Activity Organizations should monitor for the following indicators to identify potential ViewState exploitation and post-exploitation activity. 1. Application Event Logs (Event ID 1316) Monitor the Windows Application log for Event ID 1316 from the source ASP.NET 4.0.30319.0 (or similar). Failed Attempt (Integrity Failure): Event code: 4009-++-Viewstate verification failed. Reason: The viewstate supplied failed integrity check. May indicate an attack attempt with an incorrect key. Successful Execution (Invalid ViewState): Event code: 4009-++-Viewstate verification failed. Reason: Viewstate was invalid. Confirms integrity checks were passed. Deserialization of the payload was attempted and may have succeeded. The payload may or may not have been executed. Mandiant decrypted payload strings recorded in the event log messages with the server’s machine keys and recovered a payload related to a BLUEBEAM web shell. 2. Suspicious Process Activity Monitor for unusual child processes spawned by w3wp.exe. Commands observed include: cmd.exe /c ... whoami powershell.exe 3. File Integrity Monitoring Monitor for unauthorized changes to .js, .aspx, or .config files within the web root. Specifically, look for the addition of remote script loaders or unusual logic in commonly used libraries. 4. Anomalous User-Agent Strings Mandiant identified User-Agent strings consisting of two distinct identifiers concatenated together, which were consistent with ones reported in ViewState Deserialization Zero-Day vulnerability. Monitor for web request logs for such anomalous User-Agent strings. The following are examples of identified User-Agent strings: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.2 (KHTML, like Gecko) Chrome/22.0.1216.0 Safari/537.2 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101213 Opera/9.80 (Windows NT 6.1; U; zh-tw) Presto/2.7.62 Version/11.01 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) chromeframe/10.0.648.205 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Remediation and Mitigation Rotate Machine Keys: Immediately generate a unique, cryptographically strong machine key for each KnowledgeDeliver instance. This is the only way to invalidate the shared secret. Restrict Access: If possible, limit access to the LMS to known organizational IP address ranges. Investigation: Hunt for this activity, and conduct a thorough investigation if any signs of exploitation are identified. Outlook and Implications The exploitation of KnowledgeDeliver highlights the severe risks of using shared secrets in deployment templates. A single leaked key can compromise an entire ecosystem of installations. By implementing unique secrets and robust endpoint monitoring, organizations can defend against these deserialization attacks. Indicators of Compromise (IOCs) File Name Type SHA-256 LoadLibrary.dll BLUEBEAM 7c1f99dca8e5a7897892f9d224a6495023a2cfd2671697d229d355978c415ed2 Google Security Operations (SecOps) The following SecOps searches can be used to hunt for this activity. (metadata.log_type = "WINEVTLOG" or metadata.log_type = "WINEVTLOG_XML") metadata.product_event_type = "1316" additional.fields["Message"] = /Event code: 4009\b/ nocase (metadata.event_type = "PROCESS_LAUNCH" or metadata.event_type = "PROCESS_OPEN") AND principal.process.command_line = /w3wp.exe/ nocase AND target.process.command_line = /cmd.+ \/c |whoami|powershell/ nocase SecOps customers have access to the following rules and more under the Mandiant Hunting Rules, Mandiant Frontline Threats, Mandiant Intel Emerging Threats rule packs: ASP.NET ViewState Deserialization Attempt W3wp Launching Cmd With Recon Commands W3wp Launching Encoded Powershell W3wp Launching Icalcls Web Server Process Launching Whoami IIS ViewState Exploitation Success IIS ViewState Exploitation Followed by Web Root File Tampering Possible Windows Exchange Server Spawning Shell Acknowledgements Mandiant would like to extend our thanks to the Digital Knowledge team for their collaboration regarding this disclosure.
Analysis Summary
# Incident Report: Exploitation of KnowledgeDeliver via ViewState Deserialization
## Executive Summary
In late 2025, a critical zero-day vulnerability (CVE-2026-5426) in the KnowledgeDeliver LMS was exploited by an unknown threat actor using hardcoded ASP.NET machine keys. The attacker gained unauthenticated Remote Code Execution (RCE), deployed the BLUEBEAM in-memory web shell, and conducted a watering hole attack to infect end-users with Cobalt Strike BEACON. The incident highlights the systemic risk of shared cryptographic secrets in software deployment templates.
## Incident Details
- **Discovery Date:** Late 2025
- **Incident Date:** Ongoing through February 2026 (Patch released Feb 24, 2026)
- **Affected Organization:** Multiple (Specific entity in the report used as a targeted example)
- **Sector:** Education / Learning Management
- **Geography:** Japan (Primary user base of KnowledgeDeliver)
## Timeline of Events
### Initial Access
- **Date/Time:** Late 2025
- **Vector:** Exploitation of CVE-2026-5426
- **Details:** Attackers exploited a ViewState Deserialization vulnerability. Because the vendor provided a standardized `web.config` with identical `machineKey` values across all installations, the attacker could craft and send malicious `__VIEWSTATE` parameters to achieve RCE.
### Lateral Movement
- **Details:** While internal network movement is not detailed, the attacker moved "laterally" from the server's application layer to the underlying OS and then targeted the client-side user base (Workstation infection).
### Data Exfiltration/Impact
- **Details:** The primary impact was the compromise of the integrity of the LMS. Attackers tampered with JavaScript files to serve a fake "security authentication plugin," leading to the delivery of Cobalt Strike BEACON to users' workstations.
### Detection & Response
- **Discovery:** Identified by Mandiant during incident response services.
- **Response Actions:** Collaboration with vendor (Digital Knowledge) for disclosure; development of hunting queries for Windows Event Logs and process monitoring.
## Attack Methodology
- **Initial Access:** ViewState Deserialization (unauthenticated RCE).
- **Persistence:** Deployment of BLUEBEAM (Godzilla) in-memory web shell within the `w3wp.exe` process.
- **Privilege Escalation:** Modified file system permissions using `icacls` to grant "Everyone" full access to the web directory.
- **Defense Evasion:** Use of in-memory-only malware to bypass file-based scanning; encryption of Cobalt Strike payloads using organization-specific keys.
- **Discovery:** Execution of `whoami` and reconnaissance via `cmd.exe` spawned from the IIS worker process.
- **Impact:** Watering hole attack via modified JavaScript to infect site visitors.
## Impact Assessment
- **Financial:** Not disclosed; costs include incident response and remediation.
- **Data Breach:** Potential theft of user data via LMS access; focus was on workstation infection.
- **Operational:** Disruption of learning services; required rotation of cryptographic keys across all customer environments.
- **Reputational:** High impact for the vendor due to the use of hardcoded, shared secrets.
## Indicators of Compromise
- **Network:**
- Anomalous User-Agents (e.g., concatenated strings like `Mozilla/5.0... Safari/537.36 Mozilla/5.0...`).
- Requests to threat-actor-controlled domains for malicious scripts (URLs defanged in original report).
- **File:**
- `LoadLibrary.dll` (BLUEBEAM) - SHA-256: `7c1f99dca8e5a7897892f9d224a6495023a2cfd2671697d229d355978c415ed2`
- Modified `.js` files in the web root containing remote script loaders.
- **Behavioral:**
- `w3wp.exe` spawning `cmd.exe`, `powershell.exe`, `whoami`, or `icacls`.
- Windows Application Log Event ID 1316 (Event code 4009) indicating ViewState failures or invalid states.
## Response Actions
- **Containment:** Advised organizations to restrict LMS access to known organizational IP ranges.
- **Eradication:** Rotation of the ASP.NET `machineKey` in the `web.config` file to invalidate the attacker's ability to craft payloads.
- **Recovery:** Restoration of original JavaScript files and removal of the BLUEBEAM web shell from memory (IIS reset).
## Lessons Learned
- **Cryptographic Hygiene:** Hardcoding "pre-shared" secrets in vendor-provided configuration templates creates a single point of failure for an entire customer base.
- **Monitoring Gaps:** In-memory web shells (BLUEBEAM) effectively evade traditional antivirus; EDR/Process monitoring is essential for detecting child processes of web servers.
## Recommendations
- **Rotate Secrets:** Immediately generate unique, cryptographically strong machine keys for every individual instance of KnowledgeDeliver.
- **File Integrity Monitoring (FIM):** Implement FIM on web root directories to detect unauthorized changes to static assets like JavaScript files.
- **Logging:** Ensure Windows Event Logging is configured to capture ASP.NET lifecycle events to identify deserialization attempts.