WeepSteel

WeepSteel is a reconnaissance-focused backdoor/spying tool observed in active exploitation of Sitecore ASP.NET ViewState deserialization vulnerability CVE-2025-53690. In reported intrusions, attackers exploited internet-facing Sitecore instances that used default, sample, or otherwise exposed ASP.NET machineKey values to forge malicious ViewState payloads, achieve remote code execution, and deploy WeepSteel. The malware has been associated with a dropped .NET assembly named Information.dll and is described as collecting host, disk, network adapter, and process information, returning results disguised as a benign __VIEWSTATE value. Supporting reporting describes it as enabling persistence, collecting sensitive system and network data, and staging additional tools for remote access and lateral movement. Campaigns deploying WeepSteel also used tools including DWAgent for persistent remote administration, Earthworm for tunneling/firewall bypass, SharpHound for Active Directory mapping, and 7-Zip for data staging and exfiltration; attackers also created unauthorized administrative accounts such as asp$ and sawadmin and exported registry hives including HKLM\SAM and HKLM\SYSTEM. Multiple sources associate WeepSteel deployment with long-term espionage and data exfiltration objectives. The activity has been linked in reporting to the China-linked threat actor UAT-8837, while other references describe the operators more generally as state-sponsored actors. Targeting described in the content includes public-facing Sitecore servers and, more broadly, critical infrastructure and enterprise environments in North America. Indicators specifically mentioned for WeepSteel-related activity include Information.dll in Sitecore web directories, suspicious ViewState payloads targeting endpoints such as /sitecore/blocked.aspx, and concurrent presence of dwagent.exe, ew.exe, and unexpected 7z.exe activity.