Full Report
Attackers aren’t waiting for patches anymore — they are breaking in before defenses are ready. Trusted security tools are being hijacked to deliver malware. Even after a breach is detected and patched, some attackers stay hidden. This week’s events show a hard truth: it’s not enough to react after an attack. You have to assume that any system you trust today could fail tomorrow. In a world
Analysis Summary
# Incident Report: Exploitation of Windows 0-Day and Security Tool Vulnerabilities
## Executive Summary
This week's security landscape featured multiple critical exploits, including the active exploitation of a Windows Common Log File System (CLFS) 0-day (CVE-2025-29824) used to deploy ransomware payloads via the PipeMagic trojan. Concurrently, threat actors utilized a vulnerability in ESET software for malware delivery, and hackers maintained persistent access to patched FortiGate VPNs using symlinks. A key lesson is the failure of relying solely on deployed security tools and patches, necessitating proactive threat hunting for stealth persistence mechanisms like reactivated Guest accounts.
## Incident Details
- Discovery Date: Ongoing/Reported throughout the week (Specific discovery dates vary per incident)
- Incident Date: Ongoing/Recent activity
- Affected Organization: Small number of targets (Windows 0-day); Unknown organizational scope (ESET, Fortinet)
- Sector: Unspecified (Ransomware targets); Likely any sector utilizing the affected vendors' products
- Geography: Unspecified
## Timeline of Events
### Initial Access
- Date/Time: Ongoing (Pre-patch time frame for 0-day)
- Vector: Windows CLFS 0-day (CVE-2025-29824); ESET DLL Search Order Hijacking (CVE-2024-11859); Exploited FortiGate VPNs (prior to patching, followed by symlink maintenance).
- Details:
* **Windows 0-Day:** Delivered via the PipeMagic trojan to achieve initial compromise leading to privilege escalation.
* **ESET Flaw:** China-aligned APT ToddyCat exploited the DLL search order vulnerability to silently execute the TCESB payload.
### Lateral Movement & Post-Compromise
- **Windows 0-Day:** After gaining SYSTEM privileges, actors conducted credential harvesting and dropped a ransomware payload (linked to RansomEXX).
- **ESET TCESB:** Upon execution, the malware read the running kernel version, disabled notification routines, installed a vulnerable driver for evasion, and launched an unspecified secondary payload.
- **FortiGate Persistence:** Attackers maintained read-only access by creating a symbolic link connecting the user file system and the root file system in an SSL-VPN language file folder, bypassing patch mitigation for the initial vector.
### Data Exfiltration/Impact
- **Windows 0-Day:** Ransomware encryption occurred, with the ransom note pointing to a TOR domain associated with RansomEXX. Specific data exfiltration details were not provided, but credential harvesting preceded payload drop.
- **Gamaredon (Related Activity):** Utilized removable drives to deliver GammaSteel, an information stealer configured to exfiltrate files from Desktop and Documents folders based on an allowlist by extension.
### Detection & Response
- **Windows 0-Day:** Detected and reported by Microsoft, who subsequently addressed the vulnerability (CVE-2025-29824) in April 2025 Patch Tuesday.
- **ESET Flaw:** Addressed in January following responsible disclosure (CVE-2024-11859).
- **FortiGate:** Fortinet revealed the symlink persistence method and released patches to eliminate this specific behavior.
- **Guest Account Persistence:** Security teams are advised to monitor Event ID 4722 (disabled account reactivation) and native tool usage ($\text{net.exe}$, $\text{wmic}$, PowerShell) to detect hidden persistence mechanisms.
## Attack Methodology
| Category | Method(s) Used |
| :--- | :--- |
| **Initial Access** | Windows CLFS 0-day (PipeMagic trojan), ESET DLL Search Order Hijacking (CVE-2024-11859) |
| **Persistence** | Reactivating disabled Windows Guest accounts; Creating symlinks post-patch on FortiGate devices. |
| **Privilege Escalation**| CVE-2025-29824 exploitation to achieve SYSTEM privileges. |
| **Defense Evasion** | TCESB malware installs a vulnerable driver; Reactivating the Guest account to blend in. |
| **Credential Access** | Credential harvesting observed post-exploitation in the ransomware campaign. |
| **Discovery** | Unknown, but GammaSteel includes reconnaissance capabilities after infection via removable media. |
| **Lateral Movement** | Implied by credential harvesting and SYSTEM access; Specific path of movement not detailed. |
| **Collection** | GammaSteel exfiltrates files from Desktop/Documents based on an extension allowlist. |
| **Exfiltration** | TOR domain noted in RansomEXX ransom infrastructure. |
| **Impact** | Ransomware deployment (encryption); Information theft (GammaSteel). |
## Impact Assessment
- **Financial:** Unknown, but associated with ransomware activities.
- **Data Breach:** Credential data harvested; Files exfiltrated by GammaSteel.
- **Operational:** Potential for widespread disruption due to ransomware deployment.
- **Reputational:** Impacts trust in security vendors (ESET, Fortinet) when vulnerabilities are targeted post-disclosure or persistence is maintained post-patch.
## Indicators of Compromise
- **Network indicators:** TOR domains associated with the identified RansomEXX family infrastructure (Defanged: $\text{TOR.DOMAIN.EXAMPLE}$).
- **File indicators:** PipeMagic trojan files, TCESB malware, GammaSteel malware components.
- **Behavioral indicators:** Event ID 4722 (Disabled account successfully reactivated); Use of native tools ($\text{net.exe}, \text{wmic}, \text{PowerShell}$) to modify accounts; Unauthorized remote access via reactivated Guest account on RDP.
## Response Actions
- **Containment:** Immediately address patch deployment for CVE-2025-29824 and ensure ESET recommendations are implemented. For FortiGate, remove any unauthorized symlinks created in language file directories.
- **Eradication:** If the Guest account is activated, assume breach, investigate for hidden tools, and verify all privileged group memberships are accurate. For confirmed malware infections, full system remediation is required.
- **Recovery:** Restore encrypted systems (if applicable); Reset all harvested credentials; Conduct comprehensive audits post-patch deployment.
## Lessons Learned
- **Patch Timeliness is Insufficient:** Attackers are successfully exploiting vulnerabilities before widespread patching occurs (e.g., Windows 0-day exploitation).
- **Security Tool Trust is Relative:** Security software (ESET) itself can become an attack vector via configuration flaws (DLL hijacking).
- **Hidden Persistence:** Attackers employ stealthy methods post-patching (e.g., using symlinks on FortiGate or reactivating default accounts like Guest) to maintain long-term access.
## Recommendations
- Implement a robust vulnerability management process that prioritizes 0-day and actively exploited vulnerabilities for immediate remediation, independent of vendor patch cycles.
- Conduct regular threat hunting specifically targeting the use of native Windows binaries ($\text{net.exe}$, $\text{wmic}$) for configuration changes, and proactively monitor Event ID 4722 to detect unauthorized account activation (especially the Guest account).
- Re-verify configurations on perimeter devices (like VPN gateways) after applying patches to look for secondary persistence mechanisms established before the patch, such as file system manipulation (symlinks).