Metasploit
Metasploit is an open-source exploitation and penetration-testing framework created by HD Moore in 2003 and widely used by both defenders and attackers. The provided content consistently describes it as a dual-use offensive framework rather than a single bespoke malware family, but it is repeatedly observed in real intrusions as an exploitation, payload delivery, command-and-control, persistence, and post-exploitation platform. Associated payloads and components mentioned in the content include Meterpreter, reverse HTTP/reverse HTTPS shells, msfvenom-generated payloads, Windows stagers, and Metasploit modules for public-facing application exploitation.
Across the cited reporting, Metasploit was used or observed in multiple intrusion contexts. In one set of Asia-focused government intrusions involving DLL sideloading, shellcode consistent with a Metasploit or Cobalt Strike reverse HTTP shell connected to 91.245.253[.]52:6060/rKVI. Splunk documented Metasploit exploitation of Atlassian Confluence on Windows via malicious Java plugin execution that typically leads to Meterpreter download and full control of the Confluence server. A DFIR case involving Apache ActiveMQ CVE-2023-46604 described a Metasploit stager downloaded via CertUtil, C2 to 166.62.100[.]52, subsequent LSASS dumping, and later remote service creation to run Metasploit payloads across domain controllers and servers before LockBit deployment. A joint CISA/FBI/CNMF advisory on an aeronautical-sector compromise reported a Metasploit Meterpreter variant named bitmap.exe communicating with 179.60.147[.]4, and also noted Metasploit installed as a Windows service on a domain controller. Breakglass Intelligence reported a Metasploit payload ab.exe (MD5 cafc9d45da602fdf794421fc90375024) communicating with 45.76.180[.]12, with the same server assessed to host a concealed Meterpreter reverse_https listener on port 443 behind Apache.
The content also ties Metasploit to exploitation of known vulnerabilities through public modules, including BlueKeep (CVE-2019-0708), where a public Metasploit exploit raised concern because the flaw was wormable across older Windows systems, and newer modules for vulnerabilities such as Ollama CVE-2024-37032, BeyondTrust CVE-2026-1731, Grandstream GXP1600 CVE-2026-2329, and several CVEs discussed in EPSS/KEV analysis, including Citrix NetScaler and Atlassian Confluence issues. Infection vectors and delivery mechanisms mentioned in the content include exploitation of public-facing applications, phishing documents with macros, malicious Java plugin execution, SSH tunneling to run Metasploit, and staged payload download via LOLBINs such as CertUtil.
Threat actors and malware operations associated with Metasploit in the content include Flax Typhoon, which uses Metasploit alongside China Chopper, Juicy Potato, Mimikatz, and SoftEther VPN in espionage operations against Taiwanese government, education, critical manufacturing, and IT organizations; LockBit 3.0 affiliates, which use Metasploit for reconnaissance, remote access, credential dumping, privilege escalation, and exfiltration; and Sandworm-related victim environments where preexisting Metasploit and other RAT/C2 activity was observed before Sandworm activity. The content also notes broader criminal and intrusion-set use, including macro-laden phishing campaigns, ransomware preparation, and use in simulated attacks.
Capabilities directly supported by the content include exploit delivery, reverse shell and Meterpreter session establishment, command-and-control over HTTP/HTTPS, post-exploitation on Windows, persistence via newly added modules such as Windows Registry Active Setup and WSL startup-folder persistence, evasion via Linux RC4 Packer for ARM64, and credential theft or follow-on tooling integration. The content further notes that Metasploit’s Windows stagers use PEB walking with ROR13 hashing for API resolution.
High-confidence indicators explicitly mentioned in the content include 91.245.253[.]52:6060/rKVI, 166.62.100[.]52, 179.60.147[.]4, 45.76.180[.]12, cdn.kkxx888666[.]com, payload names ab.exe and bitmap.exe, and MD5 cafc9d45da602fdf794421fc90375024 for ab.exe.
Vulnerabilities exploited
23 CVEs Mallory has correlated with this family across public research and vendor advisories.
Check Point researchers said the tool is being discussed on underground forums, where hackers are exchanging instructions on how to deploy it against three Citrix NetScaler flaws disclosed last week: CVE-2025-7775, CVE-2025-7776 and CVE-2025-8424. The most critical of these, CVE-2025-7775, allows unauthenticated remote code execution.
Rapid7 Labs discovered a new authentication bypass vulnerability affecting Cisco Catalyst SD-WAN Controller (formerly known as vSmart), CVE-2026-20182. This new authentication bypass vulnerability affects the “vdaemon” service over DTLS (UDP port 12346)... a remote unauthenticated attacker can leverage CVE-2026-20182 to become an authenticated peer of the target appliance, and perform privileged operations, such as injecting an attacker controlled public key into the vmanage-admin user account’s authorized SSH keys file.
On Friday, that dreaded day arrived when the Metasploit framework—an open source tool used by white hat and black hat hackers alike—released just such an exploit into the wild.
At the time of publication, CVE-2026-31431 is not registered in NVD... Copy Fail - local privilege escalation... A Metasploit module was published on the day of disclosure... A PoC for Kubernetes with escape to the node level was published on GitHub... CISA adds it to KEV.
This activity can be associated with a malicious plugin installed by Metasploit for remote code execution... References ... CVE-2024-27198/modules/exploits/multi/http/jetbrains_teamcity_rce_cve_2024_27198.rb ... critical JetBrains TeamCity on-premises ... CVE-2024-27198 and CVE-2024-27199 JetBrains TeamCity multiple authentication bypass vulnerabilities fixed.
The campaign rotated C2 servers across three attack chains to deliver a Metasploit loader, Cobalt Strike Beacon, and a custom backdoor called Chrysalis.
Additional ClamAV signatures include "PUA.Unix.File.Metasploit" entries related to ongoing exploitation campaigns.
Analysts confirmed that nation-state advanced persistent threat (APT) actors exploited CVE-2022-47966 to gain unauthorized access to a public-facing application (Zoho ManageEngine ServiceDesk Plus), establish persistence, and move laterally through the network. This vulnerability allows for remote code execution on the ManageEngine application.
The content repeatedly references public exploit availability and notes that “A Metasploit module was made available…” for multiple CVEs; it also states EPSS uses “MetaSploit” as a data source and that removal/republishing of a Metasploit module materially changed EPSS scores.
"The latest Metasploit update, released on February 27, 2026, brings significant firepower... The release introduces seven new modules..."
A threat actor exploited CVE-2023-46604 on an internet-facing Apache ActiveMQ server... The threat actor was able to perform remote code execution (RCE) by using a Java Spring class and a custom Java Spring bean configuration XML file.
Groups observed using it
18 distinct threat actors attributed by public researchers.
Tools: SpicyOmelette, Cobalt Strike, Meterpreter, Mimikatz, CobtInt, ATMSpitter, Carbanak, Buhtrap, Cyst, Metasploit.
Four more victims had ongoing command and control activity using commercial frameworks such as Cobalt Strike, Metasploit and other Remote Access Trojans (RATs).
The phishing emails contained a link to the domain docs.google.com.spreadsheets.d.1ip6eeakdebmwteh36vana4hu-glaeksstsht-boujdk.zhblz[.]com where John Hammond’s reCAPTCHA Phish POC was used to deliver Metasploit payloads with the C2 IP address 203.161.50[.]145
"...we found a running Metasploit with cdn.kkxx888666[.]com as its C&C server."
The group uses macro-laden phishing documents, publicly available tools such as Metasploit and LaZagne and custom tools including PowerStats and Forelord.
TransferLoader malware, which later launches the Morpheus and Metasploit ransomware strains.
...provided a PowerShell command to create an SSH tunnel and run Metasploit.
"Another two applications were built from JavaPayload for Metasploit that will load extra code from the remote server configured in the sample."
FIN6 has used Metasploit’s PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.
"...using various tools, such as Metasploit, Cobalt Strike, Carbanak malware..."
...testing customized versions of multiple open-source frameworks, including Metasploit, Cobalt Strike, PowerSploit...
The group uses the China Chopper web shell, Metasploit, Juicy Potato privilege escalation tool, Mimikatz, and SoftEther VPN client.
ShadowSyndicate continues to be associated with toolkits including Cobalt Strike, Metasploit, Havoc, Mythic, Sliver, AsyncRAT, MeshAgent, and Brute Ratel.
"Observed payloads have included BEACON, METASPLOIT stager, or BUGHATCH."
...the following tools could be used by an actor to obtain the same information: ... Metasploit
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
The content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.
Initial Access
2 techniques
A remote unauthenticated attacker can bypass authentication by connecting to the vSmart DTLS port with any self-signed client certificate and claiming to be a vHub (type 2) in the CHALLENGE_ACK message. No valid credentials, no CA-signed certificate, and no knowledge of the SD-WAN deployment are required.
Execution
8 techniques
Windows operating systems provide a utility (schtasks.exe) which enables system administrators to execute a program or a script at a specific given date and time. This kind of behavior has been heavily abused by threat actors and red teams as a persistence mechanism.
References https://attack.mitre.org/techniques/T1053/ ... The persistence technique of scheduled tasks can be implemented both manually and automatically.
For instance, a Metasploit module can force the device to run remote scripts.
From the command prompt the “schtasks” executable can be used to create a scheduled task that will download and execute a PowerShell-based payload at every Windows logon as SYSTEM.
As we can see above, the attacker achieves unauthenticated RCE with root privileges on the device. This is demonstrated by the attacker executing a reverse shell payload and running several arbitrary OS shell commands.
According to the report, “This helper function ParseICECandidate contains a stack based buffer overflow.” ... an unauthenticated attacker can trigger a classic stack crash by sending an overly long request.
Persistence
6 techniques
We identified a particularly impactful post-authentication primitive: persistent SSH key injection via MSG_VMANAGE_TO_PEER (Message type 14).
Privilege Escalation
7 techniques
Add Windows Defender BlueHammer LPE exploit (CVE-2026-33825)
Pulls out systemd from the init persistence module and adds new persistence mixin.
In Windows environments when an application or a service is starting it looks for a number of DLLs in order to function properly... then it is possible to escalate privileges by forcing the application to load and execute a malicious DLL file.
Stealth
4 techniques
Once you have the base address of kernel32.dll, you walk its export table and find WinExec using a ROR13 hash comparison.
The challenge on Windows is that you can’t call WinExec directly in position-independent shellcode. You don't know where kernel32.dll is loaded at runtime (ASLR). Instead, you find it dynamically by walking the Process Environment Block.
The Windows synthesiser uses a technique called PEB walking with ROR13 hashing, the same approach used by Metasploit’s Windows stagers.
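A stager built this way carries no API names, only 32-bit hash constants, so an analyst who can recompute those constants can label which exports a captured stager resolves. The following Python is an added example, not code from the page or from Metasploit: it re-implements the block_api ROR13 scheme under the assumptions stated in its docstring (uppercase UTF-16LE module name with its terminator, ASCII export name with its terminator, the two sums added mod 2^32), builds a small assumed lookup table, and scans a constructed sample blob for matching constants; the scheme can be checked against the well-known value 0x876F8B31 for kernel32.dll!WinExec.

```python
"""Label block_api-style ROR13 hashes found in a captured stager blob.

Hypothetical analysis helper (not from the page, not Metasploit code).
Assumed scheme, matching the well-known constant 0x876F8B31 for
kernel32.dll!WinExec: module name uppercased, UTF-16LE, NUL-terminated;
export name ASCII, NUL-terminated; each folded by h = ror13(h) + byte;
the two 32-bit sums are added mod 2^32.
"""
import struct

MASK = 0xFFFFFFFF


def ror13(value: int) -> int:
    """Rotate a 32-bit value right by 13 bits."""
    return ((value >> 13) | (value << 19)) & MASK


def ror13_hash(data: bytes) -> int:
    """Fold bytes with ROR13: h = ror13(h) + byte, mod 2^32, starting at 0."""
    h = 0
    for b in data:
        h = (ror13(h) + b) & MASK
    return h


def block_api_hash(module: str, function: str) -> int:
    """Combined module+export hash, as the stager's API resolver compares it."""
    mod = ror13_hash((module.upper() + "\x00").encode("utf-16le"))
    fn = ror13_hash(function.encode("ascii") + b"\x00")
    return (mod + fn) & MASK


# Assumed reference table: exports commonly resolved by stagers; extend freely.
API_TABLE = [
    ("kernel32.dll", "LoadLibraryA"),
    ("kernel32.dll", "WinExec"),
    ("kernel32.dll", "ExitProcess"),
    ("kernel32.dll", "VirtualAlloc"),
    ("ws2_32.dll", "WSAStartup"),
    ("ws2_32.dll", "connect"),
    ("wininet.dll", "InternetOpenA"),
]
HASH_TO_NAME = {block_api_hash(m, f): f"{m}!{f}" for m, f in API_TABLE}


def find_api_hashes(blob: bytes) -> list:
    """Scan every 32-bit little-endian value in blob; return (offset, api) hits."""
    hits = []
    for off in range(len(blob) - 3):
        (val,) = struct.unpack_from("<I", blob, off)
        if val in HASH_TO_NAME:
            hits.append((off, HASH_TO_NAME[val]))
    return hits


# Constructed sample: four NOPs, then a 'push imm32' carrying the WinExec hash.
SAMPLE = (b"\x90" * 4 + b"\x68"
          + struct.pack("<I", block_api_hash("kernel32.dll", "WinExec"))
          + b"\x90\x90")

if __name__ == "__main__":
    for off, name in find_api_hashes(SAMPLE):
        print(f"offset {off}: {name}")
```

Pointing `find_api_hashes` at a real stager dump lists the resolved exports in order of appearance, which is usually enough to tell a reverse_tcp stager from an HTTP/S one without running it.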
Credential Access
5 techniques
ssh_login: Convert to run_scanner ... ssh_login: Use SSH mixin ... ssh_login: Add store_ssh_key_loot() ... ssh_login: Support BLANK_PASSWORDS, USER_AS_PASS & ANONYMOUS_LOGIN
ssh_login: Support BLANK_PASSWORDS, USER_AS_PASS & ANONYMOUS_LOGIN
ssh_creds: Add PARSE_KNOWN_HOSTS - report_host() ... ssh_creds: Add CRACK_KNOWN_HOSTS - report_host ... ssh_creds: Add report_note(ssh.privatekey)
The majority of the applications used Transport Layer Security (TLS). However, none of the apps verified the certificate used by the server, which meant that Man-in-the-Middle attacks were still possible using an intercepting proxy tool.
ssh_creds: Add ATT&CK ref
Lateral Movement
2 techniques
GOLD KINGSWOOD is a cybercriminal group that uses tactics more commonly associated with government-sponsored threat actors to infiltrate the internal networks of financial institutions around the globe.
For instance, a Metasploit module can force the device to run remote scripts. The attacker crafts a special SIP INVITE message stuffed with padding characters.
Collection
2 techniques
At this point the attacker can begin to execute arbitrary NETCONF commands, for example the following “get-config” command can be run by the attacker in the NETCONF session.
Command and Control
2 techniques
Add support for HTTP/S PHP and TLV config ... Fix custom_headers emission, add C2 UUID for placement ... Wire MC2 into PHP payloads ... Wire MC2 into mettle
This script then executes within the context of the Android application and can potentially instruct the device to download a malicious payload from the attacker’s server, providing access to the user’s phone with the privileges of the application.
IOCs tracked for this family
10 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
93 sources tracked across advisories, community write-ups, and news.
Exploitation and post-exploitation framework observed in command-and-control activity within environments later leveraged by Sandworm.
Referenced as using Windows stagers that resolve APIs dynamically via PEB walking and ROR13 hashing in position-independent shellcode.
Metasploit is described as being used to exploit Atlassian Confluence via a malicious Java plugin execution chain, leading to follow-on payload delivery.
The content describes a Metasploit-generated payload, likely produced with msfvenom, used to deploy a reverse_https session that calls back to attacker-controlled infrastructure.