Attackers Exploit WDigest Vulnerability to Harvest Plaintext Credentials


First seen 2 Jul 2026, 18:59 UTC. Source: Gbhackers

Article Content


A multi-stage attack on IIS servers began with host and domain enumeration commands and escalated to credential theft with Mimikatz. The attackers uploaded a webshell concealed inside an image file (steganography) and then ran a defence-impairment batch script (i.bat) that disabled logging and security services. Initial forensics pointed to exploitation of Adobe ColdFusion vulnerabilities (CVE-2023-26360, CVE-2023-29298 and CVE-2023-29300) for initial access.

To make the credential harvesting work, the attackers downgraded Windows credential protection by re-enabling WDigest credential caching: setting the UseLogonCredential value under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to 1 makes LSASS keep plaintext passwords in memory for subsequent logons, where Mimikatz can read them. This is a configuration downgrade rather than a software flaw (the value is 0 by default since Windows 8.1 / Server 2012 R2 and on older systems patched with KB2871997), and it only affects logons that happen after the change, which is one reason the adversary kept coming back. They also altered Microsoft Defender settings to turn off monitoring, which eased data exfiltration. Targets included Western and European environments, and the adversary returned to the compromised server after initial remediation efforts. The incident highlights the risk of unpatched internet-facing software and of logging gaps that let this kind of tampering go unnoticed.

Key Points:
• Attackers exploited multiple vulnerabilities in Adobe ColdFusion to gain access.
• Steganographic techniques were used to hide a webshell within an image file.
• Windows credential protections were downgraded (WDigest plaintext caching re-enabled), allowing plaintext credential harvesting.

ThreatCluster AI
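The summary above describes three host-level actions that are each loud in endpoint telemetry: a shell spawned by the IIS worker process, the WDigest UseLogonCredential registry write, and the logging and Defender tampering done by i.bat. The following is an added detection example, not code from the article or from the incident. It runs a few rules over Sysmon-style events (ID 1 ProcessCreate, ID 13 RegistryEvent Value Set) represented as Python dicts. The sample events are constructed for the example, the i.bat command lines are assumptions about how such tampering is usually done (the article does not list the script's contents), and the rule names and severities are the example's own.

```python
import re
from collections import defaultdict

# Registry value the attackers set to 1 so LSASS keeps plaintext logon passwords.
WDIGEST_VALUE = r"\SecurityProviders\WDigest\UseLogonCredential"
# Defender policy key and the values that switch protection off when set to 1.
DEFENDER_POLICY_KEY = r"\Policies\Microsoft\Windows Defender"
DEFENDER_KILL_VALUES = {"DisableAntiSpyware", "DisableRealtimeMonitoring"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Command-line shapes of the logging / security-service tampering the article
# attributes to i.bat. Its exact contents are not in the source, so these
# patterns are assumptions about the usual ways of doing it.
IMPAIR_CMD_PATTERNS = [
    ("defender_disabled_via_cmdline",
     re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$?true", re.I)),
    ("eventlog_cleared", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("audit_policy_cleared", re.compile(r"\bauditpol(\.exe)?\s+/clear\b", re.I)),
    ("security_service_stopped",
     re.compile(r"\b(sc(\.exe)?\s+(stop|config)|net(\.exe)?\s+stop)\s+\"?"
                r"(WinDefend|Sense|EventLog|MsMpEng)\b", re.I)),
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _dword_is_one(details):
    # Sysmon renders DWORD data as e.g. "DWORD (0x00000001)".
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    return m is not None and int(m.group(1), 16) == 1


def classify(event):
    """Return [(rule_name, severity), ...] for one Sysmon-style event dict."""
    tags = []
    if event["event_id"] == 13:  # RegistryEvent (Value Set)
        target = event.get("target_object", "")
        details = event.get("details", "")
        key, _, value = target.rpartition("\\")
        if target.lower().endswith(WDIGEST_VALUE.lower()) and _dword_is_one(details):
            tags.append(("wdigest_plaintext_enabled", "high"))
        if (DEFENDER_POLICY_KEY.lower() in key.lower()
                and value in DEFENDER_KILL_VALUES and _dword_is_one(details)):
            tags.append(("defender_disabled_via_registry", "high"))
    elif event["event_id"] == 1:  # ProcessCreate
        cmd = event.get("command_line", "")
        for name, pattern in IMPAIR_CMD_PATTERNS:
            if pattern.search(cmd):
                tags.append((name, "high"))
        # A shell whose parent is the IIS worker process is the classic webshell tell.
        if (_basename(event.get("parent_image", "")) == "w3wp.exe"
                and _basename(event.get("image", "")) in SHELLS):
            tags.append(("iis_worker_spawned_shell", "medium"))
    return tags


def triage(events):
    """Group hits per host and rank hosts by how many distinct rules fired.
    A host tripping the webshell, WDigest and Defender rules together is a far
    stronger signal than any single hit; hosts with no hits are omitted."""
    per_host = defaultdict(set)
    for event in events:
        for name, _severity in classify(event):
            per_host[event["host"]].add(name)
    return sorted(per_host.items(), key=lambda item: -len(item[1]))


# Constructed sample telemetry for the example (not from the incident).
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
WDIGEST_KEY = r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest"
SAMPLE_EVENTS = [
    {"host": "iis01", "event_id": 1, "parent_image": W3WP, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c C:\inetpub\wwwroot\i.bat"},
    {"host": "iis01", "event_id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target_object": WDIGEST_KEY + r"\UseLogonCredential", "details": "DWORD (0x00000001)"},
    {"host": "iis01", "event_id": 1, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "iis01", "event_id": 1, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\wevtutil.exe", "command_line": "wevtutil cl Security"},
    {"host": "iis01", "event_id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target_object": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "details": "DWORD (0x00000001)"},
    # Benign: an admin on another host re-hardens WDigest (value 0); must not alert.
    {"host": "web02", "event_id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target_object": WDIGEST_KEY + r"\UseLogonCredential", "details": "DWORD (0x00000000)"},
    {"host": "web02", "event_id": 1, "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "command_line": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS):
        print(f"{host}: {len(rules)} rules -> {sorted(rules)}")
```

The WDigest rule keys on the value data, not just the write, so a remediation that sets UseLogonCredential back to 0 does not page anyone; in production the same logic applies to Windows Security event 4657 if registry auditing is enabled. Note that a script like i.bat can clear the Security log after the fact, which is why the rules here read Sysmon telemetry that should already have been forwarded off the host.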

Timeline

2023-03-23
CVE-2023-26360 published
Adobe disclosed an improper access control flaw in ColdFusion 2018 and 2021 that allows arbitrary code execution; it was already being exploited in the wild at the time.
Gbhackers
2023-07-12
CVE-2023-29298 published
A second ColdFusion vulnerability, an improper access control flaw that lets an attacker reach protected administrator endpoints, was disclosed.
Gbhackers
2023-07-12
CVE-2023-29300 published
A third ColdFusion vulnerability, a deserialization of untrusted data flaw leading to remote code execution, was published the same day.
Gbhackers
2024-01-08
CVE-2023-29298 added to CISA KEV
CISA identified active exploitation of this vulnerability in the wild.
Gbhackers
2024-01-08
CVE-2023-29300 added to CISA KEV
CISA confirmed active exploitation of this vulnerability, prompting alerts.
Gbhackers
2026-06-10
Attackers returned to server
After initial remediation, attackers re-uploaded the webshell and escalated their tactics.
Gbhackers
2026-07-02
Incident reported
The ongoing attack and its methods were detailed in a cybersecurity article.
Gbhackers
