Last updated: July 5, 2026 at 9:01 AM UTC
Tag: godzilla (2 articles)

KnowledgeDeliver LMS zero-day CVE-2026-5426 deploys Godzilla web shell via ViewState deserialization - shared hardcoded ASP.NET machine keys across customers

Mandiant has disclosed that attackers exploited a zero-day in the KnowledgeDeliver learning management system (CVE-2026-5426) to deploy the Godzilla in-memory web shell and a Cobalt Strike beacon wrapped in custom encryption. The flaw is a ViewState deserialization issue rooted in key management rather than a parsing bug: the vendor's default web.config shipped one pre-shared ASP.NET machineKey (validationKey and decryptionKey) to every customer deployment installed before February 24, 2026. ASP.NET uses those keys to MAC and encrypt ViewState, so anyone holding them can sign an arbitrary serialized payload that the server accepts as genuine and deserializes; one unauthenticated request to a ViewState-bearing page then yields remote code execution at the OS level, in the context of the IIS application pool identity. The threat actor escalated control to modify the platform's JavaScript files, prompting users to install a fake 'security authentication plugin' that delivered the Cobalt Strike payload.

Check
Inventory KnowledgeDeliver LMS installations and record each one's deployment date. Check web.config for a hardcoded machineKey (literal validationKey/decryptionKey hex rather than AutoGenerate) and compare the values across installs: the same key pair on separate deployments is the condition that makes the attack work. IIS W3C logs do not record POST bodies, so the forged __VIEWSTATE parameter itself will not appear in them; instead look for unusually large POST requests to .aspx pages from unfamiliar source addresses since late 2025, and for "Viewstate verification failed" events in the Windows Application event log, which ASP.NET writes when someone probes with a key that does not match.
Affected
All KnowledgeDeliver LMS installations deployed before February 24, 2026. The hardcoded ASP.NET machineKey is shared across all customers, enabling forged ViewState attacks for unauthenticated RCE.
Fix
Rotate the machineKey to unique, randomly generated per-deployment values immediately (nodes in one web farm legitimately share a pair; separate installs must not), then recycle the application pools. Rotation invalidates existing ViewState and forms-authentication tickets protected by the old keys, and a recycle evicts an in-memory shell from the worker process but removes nothing the actor persisted on disk, such as the modified JavaScript files. Patch to the latest KnowledgeDeliver release. Hunt for Godzilla/BlueBeam in-memory web shells and Cobalt Strike beacons across IIS application pools, and diff the platform's JavaScript files against a known-good copy.
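The Check and Fix steps above come down to two operations: find installs whose web.config carries a static machineKey that other installs also carry, and replace it with a pair that only that deployment knows. The following script does both over a set of web.config documents. It is an added example, not code from the vendor, from Mandiant or from this page; the four sample configs are constructed placeholders (the "vendor default" hex values are made up), and the rule that a key pair seen on more than one independent install is a finding is an assumption you should relax for nodes of the same web farm.

```python
"""Audit ASP.NET web.config machineKey values across a fleet of deployments.

Added example, not code from the vendor, from Mandiant, or from the page above.
Assumptions: each deployment's web.config is available as text (the sample
configs below are constructed placeholders, not real KnowledgeDeliver files),
and a key pair that appears on more than one independent install is a finding.
"""
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict
from hashlib import sha256

# Constructed placeholder for a "vendor default" key pair copied into every
# install. Lengths match what ASP.NET expects: 64 bytes for HMACSHA256
# validation, 32 bytes for AES-256 decryption.
DEFAULT_VALIDATION_KEY = "A1" * 64
DEFAULT_DECRYPTION_KEY = "B2" * 32


def _web_config(validation_key, decryption_key):
    """Build a minimal web.config with a static <machineKey> (constructed sample)."""
    return (
        "<configuration><system.web>"
        f'<machineKey validationKey="{validation_key}" decryptionKey="{decryption_key}" '
        'validation="HMACSHA256" decryption="AES" />'
        "</system.web></configuration>"
    )


# Four constructed deployments: A and B still carry the shared default pair,
# C was rotated to its own random keys, D relies on AutoGenerate.
SAMPLE_CONFIGS = {
    "lms-customer-a": _web_config(DEFAULT_VALIDATION_KEY, DEFAULT_DECRYPTION_KEY),
    "lms-customer-b": _web_config(DEFAULT_VALIDATION_KEY, DEFAULT_DECRYPTION_KEY),
    "lms-customer-c": _web_config(secrets.token_hex(64).upper(), secrets.token_hex(32).upper()),
    "lms-customer-d": (
        "<configuration><system.web>"
        '<machineKey validationKey="AutoGenerate,IsolateApps" '
        'decryptionKey="AutoGenerate,IsolateApps" />'
        "</system.web></configuration>"
    ),
}


def parse_machine_key(config_xml):
    """Return the attributes of the first <machineKey> element, or None if the
    config has none (ASP.NET then inherits machine-level or autogenerated keys)."""
    elem = ET.fromstring(config_xml).find(".//machineKey")
    return None if elem is None else dict(elem.attrib)


def is_static(machine_key):
    """True when both keys are literal hex, i.e. neither uses AutoGenerate."""
    if machine_key is None:
        return False
    return not any(
        "AutoGenerate" in machine_key.get(attr, "AutoGenerate")
        for attr in ("validationKey", "decryptionKey")
    )


def fingerprint(machine_key):
    """Short hash of the key pair so reports can compare installs without
    writing key material into a ticket or log."""
    material = machine_key.get("validationKey", "") + "|" + machine_key.get("decryptionKey", "")
    return sha256(material.encode()).hexdigest()[:16]


def find_shared_keys(configs):
    """Map fingerprint -> names of deployments sharing that static key pair.
    Only groups with more than one member are returned; those are the installs
    where one leaked or default key signs valid ViewState for all of them."""
    groups = defaultdict(list)
    for name, xml in configs.items():
        mk = parse_machine_key(xml)
        if is_static(mk):
            groups[fingerprint(mk)].append(name)
    return {fp: sorted(names) for fp, names in groups.items() if len(names) > 1}


def generate_machine_key():
    """Fresh per-deployment keys from the OS CSPRNG, sized for HMACSHA256 and AES-256."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def machine_key_element(machine_key):
    """Render a key dict as the <machineKey> element to paste into web.config."""
    attrs = " ".join(f'{k}="{v}"' for k, v in machine_key.items())
    return f"<machineKey {attrs} />"


if __name__ == "__main__":
    for fp, names in find_shared_keys(SAMPLE_CONFIGS).items():
        print(f"shared static machineKey {fp}: {', '.join(names)}")
    print("replacement:", machine_key_element(generate_machine_key()))
```

Fingerprints rather than raw keys go into the report so that the audit itself does not spread the secret further. Because the script runs in the management environment rather than on the IIS host, the rendered element still has to be deployed and the application pool recycled before the old keys stop being honoured.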

China-linked spy group has been quietly breaking into government Exchange servers across Asia and one NATO country since 2024

Trend Micro disclosed a China-aligned espionage cluster called SHADOW-EARTH-053 that has been targeting government and defense organizations across South, East, and Southeast Asia plus one NATO member state in Europe since at least December 2024. The group breaks in by exploiting unpatched Microsoft Exchange and IIS servers (using known flaws such as ProxyLogon), drops a Godzilla web shell for persistent access, then uses DLL sideloading (a legitimate executable loading a malicious DLL placed beside it) to load ShadowPad, a modular backdoor that China-aligned operators have used for years. The targeting overlaps with Earth Alux and REF7707, suggesting either a shared operator or shared infrastructure across China-aligned groups. Targets include journalists and activists alongside government agencies.

Check
If you run Microsoft Exchange or IIS, confirm every server is patched against ProxyLogon and recent Exchange CVEs, and verify it with a scan rather than a patch-management report. The entry point is years-old, already-patched flaws (ProxyLogon dates from 2021), not zero-days.
Affected
Government and defense organizations in South, East, and Southeast Asia and one NATO member state in Europe are the named targets. Any organization running internet-facing Microsoft Exchange or IIS that has fallen behind on patching is at risk. Diaspora communities and journalists working on China-related stories are at acute risk: the campaign extends transnational repression alongside conventional espionage.
Fix
Patch Microsoft Exchange and IIS to current versions and confirm with active scanning; patching closes the entry point but does not remove a web shell that is already on disk. Hunt for Godzilla web shell artifacts: .aspx files in Exchange's web directories that a clean install does not contain, successful POSTs to those files carrying opaque encrypted bodies, and outbound HTTPS to unfamiliar domains from the IIS worker process (w3wp.exe) or its children. For the ShadowPad stage, look for a legitimate signed executable loading an unsigned DLL from an unexpected directory. For journalists and activists working on China topics, follow Citizen Lab guidance: hardware MFA, encrypted communications, skepticism of unsolicited story tips.
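Of the artifacts listed above, the "suspicious POSTs" are the one a defender can check from logs already on hand. The script below parses IIS W3C logs and groups successful POSTs to .aspx files under directories where Exchange has no reason to accept them, keeping groups that repeat or carry large request bodies. It is an added example, not Trend Micro's tooling or code from this page; the log lines are constructed, and the watched path prefixes and thresholds are assumptions to tune against a baseline from your own servers. Because IIS does not log POST bodies, the hunt keys on method, path, status, size and repetition rather than on the encrypted payload itself.

```python
"""Hunt IIS W3C logs for web-shell-style POST traffic to Exchange front-end paths.

Added example, not Trend Micro's tooling or code from the page above. The log
lines are constructed; the watched path prefixes and thresholds are assumptions
to tune against a baseline of your own servers. IIS does not log POST bodies, so
the hunt keys on method, path, status, request size and repetition, not on the
encrypted payload itself.
"""
from collections import defaultdict

# Assumption: directories where a POST to a .aspx file has no legitimate Exchange
# purpose and where dropped shells have commonly been found. Extend locally.
WATCHED_PREFIXES = ("/aspnet_client/", "/owa/auth/", "/ecp/auth/")

# Constructed sample log. The first three rows are ordinary OWA/ECP traffic; the
# last three show one external IP repeatedly POSTing to an .aspx file that does
# not belong under /aspnet_client/, with sizeable request bodies and one large reply.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status cs-bytes sc-bytes time-taken
2026-06-30 08:12:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 10.0.1.20 Mozilla/5.0 200 512 10230 45
2026-06-30 08:12:05 10.0.0.5 POST /owa/auth.owa - 443 10.0.1.20 Mozilla/5.0 302 1340 420 60
2026-06-30 08:13:10 10.0.0.5 GET /ecp/default.aspx - 443 10.0.1.21 Mozilla/5.0 200 480 9800 40
2026-06-30 09:01:33 10.0.0.5 POST /aspnet_client/system_web/error.aspx - 443 203.0.113.7 Mozilla/5.0 200 3180 2410 120
2026-06-30 09:01:35 10.0.0.5 POST /aspnet_client/system_web/error.aspx - 443 203.0.113.7 Mozilla/5.0 200 4270 6120 130
2026-06-30 09:01:40 10.0.0.5 POST /aspnet_client/system_web/error.aspx - 443 203.0.113.7 Mozilla/5.0 200 2560 98740 210
"""


def parse_iis_log(text):
    """Yield one dict per request, mapping field names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # a log can carry several #Fields headers
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue                       # malformed row: skip rather than misalign columns
        yield dict(zip(fields, values))


def is_suspect_post(rec):
    """A successful POST to an .aspx file under a watched directory."""
    stem = rec["cs-uri-stem"].lower()
    return (
        rec["cs-method"] == "POST"
        and stem.endswith(".aspx")
        and stem.startswith(WATCHED_PREFIXES)
        and rec["sc-status"] == "200"
    )


def hunt(text, min_hits=2, min_request_bytes=2000):
    """Group suspect POSTs by (client IP, path); keep groups that repeat or carry
    large bodies, the shape of an operator driving a shell through one page."""
    groups = defaultdict(lambda: {"hits": 0, "bytes_in": 0, "bytes_out": 0,
                                  "first": None, "last": None})
    for rec in parse_iis_log(text):
        if not is_suspect_post(rec):
            continue
        g = groups[(rec["c-ip"], rec["cs-uri-stem"])]
        g["hits"] += 1
        g["bytes_in"] += int(rec["cs-bytes"])
        g["bytes_out"] += int(rec["sc-bytes"])
        stamp = f"{rec['date']} {rec['time']}"
        g["first"] = g["first"] or stamp
        g["last"] = stamp
    return {key: g for key, g in groups.items()
            if g["hits"] >= min_hits or g["bytes_in"] >= min_request_bytes}


if __name__ == "__main__":
    for (ip, path), g in hunt(SAMPLE_LOG).items():
        print(f"{ip} -> {path}: {g['hits']} POSTs, {g['bytes_in']} B in, "
              f"{g['bytes_out']} B out, {g['first']} .. {g['last']}")
```

The cs-bytes and sc-bytes columns are optional in IIS logging and must be enabled for the size thresholds to work; without them the repetition check alone still applies. Treat every path the hunt reports as a file to pull and compare against a clean Exchange install, since a shell renamed to look like a stock page is exactly what this traffic pattern is meant to surface.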