Wednesday, April 30, 2025
HomeCVE/vulnerabilityCactus Ransomware Exploiting Qlik Sense code execution Vulnerability

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

Published on

SIEM as a Service

Follow Us on Google News

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense for initial access.

Qlik Sense is a data discovery and analytics platform that allows you to visualize and analyze data from various sources. It has a modern interface, a relational analytics engine, and advanced artificial intelligence.

Cactus Ransomware

Cactus is ransomware that encrypts data, provides a ransom note (” cAcTuS.readme.txt “), and appends the. “CTS1 ” extension to filenames.

- Advertisement - Google News
Document
Protect Your Storage With SafeGuard

Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.

They exploit via the combination or direct abuse of (CVE-2023-41266, CVE-2023-41265). Reported by Articwolf.

CVE-2023-41266 Path traversal in Qlik Sense Enterprise for Windows. The severity range is high(8.2). An unauthenticated, remote attacker generates an anonymous session, which allows them to perform HTTP requests to unauthorized endpoints. 

CVE-2023-41265 HTTP Tunneling vulnerability in Qlik Sense Enterprise for Windows, severity range is critical (9.6). Allowing them to execute HTTP requests on the backend server hosting the repository application. 

Notably, the code was consistent between all intrusions identified and involved the Qlik Sense Scheduler service (Scheduler.exe), spawning uncommon processes.

Cactus Ransomware

The threat actors downloaded more tools to ensure remote control and persistence via PowerShell and the Background Intelligent Transfer Service (BITS). These tools included:

  • Renamed ManageEngine UEMS executables that appear to be Qlik files but have a ZIP extension. After being downloaded and used for quiet installation, these files underwent another renaming.
  • AnyDesk downloaded directly from anydesk.com
  • A Plink (PuTTY Link) binary, downloaded and renamed to putty.exe

Also, the threat actors observed:

  • Use msiexec to uninstall Sophos via its GUID
  • Change the administrator account password
  • Establish an RDP tunnel via Plink

The evidence of these actors include:

  • Used RDP for lateral movement
  • Downloaded WizTree disk space analyzer 
  • Leveraged rclone (renamed as svchost.exe) for data exfiltration

Further technical data will be provided when available, but the incident response (IR) investigation is still underway.

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.

Latest articles

Cato Networks macOS Client Vulnerability Enables Low-Privilege Code Execution

A critical vulnerability in Cato Networks’ widely used macOS VPN client has been disclosed,...

TheWizards Deploy ‘Spellbinder Hacking Tool’ for Global Adversary-in-the-Middle Attack

ESET researchers have uncovered sophisticated attack techniques employed by a China-aligned threat actor dubbed...

SonicWALL Connect Tunnel Vulnerability Could Allow Attackers to Trigger DoS Attacks

A newly disclosed vulnerability in SonicWall’s Connect Tunnel Windows Client could allow malicious actors...

Researchers Uncovered RansomHub Operation and it’s Relation With Qilin Ransomware

Security researchers have identified significant connections between two major ransomware-as-a-service (RaaS) operations, with evidence...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Cato Networks macOS Client Vulnerability Enables Low-Privilege Code Execution

A critical vulnerability in Cato Networks’ widely used macOS VPN client has been disclosed,...

TheWizards Deploy ‘Spellbinder Hacking Tool’ for Global Adversary-in-the-Middle Attack

ESET researchers have uncovered sophisticated attack techniques employed by a China-aligned threat actor dubbed...

SonicWALL Connect Tunnel Vulnerability Could Allow Attackers to Trigger DoS Attacks

A newly disclosed vulnerability in SonicWall’s Connect Tunnel Windows Client could allow malicious actors...