Saturday, April 12, 2025
HomeCVE/vulnerabilityWeaponized LDAP Exploit Deploys Information-Stealing Malware

Weaponized LDAP Exploit Deploys Information-Stealing Malware

Published on

SIEM as a Service

Follow Us on Google News

Cybercriminals are exploiting the recent critical LDAP vulnerabilities (CVE-2024-49112 and CVE-2024-49113) by distributing fake proof-of-concept exploits for CVE-2024-49113 (dubbed “LDAPNightmare”). 

These malicious PoCs, often disguised as tools to demonstrate the vulnerability’s impact, are designed to trick security researchers and system administrators into downloading and executing them. 

When these malicious files are executed, they instead install malware that steals information on the system of the victim, which gives the attackers access to sensitive data. 

- Advertisement - Google News

The high-profile nature of the LDAP vulnerabilities is utilized in this attack in order to increase the likelihood that victims will fall for the lure.

 Repository containing “poc.exe”
 Repository containing “poc.exe”

A malicious actor forked a legitimate Python repository and then replaced the original Python source code files with a packed executable (poc.exe) likely created using UPX.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

This substitution is highly suspicious, as executables are not typically found within Python projects, which primarily rely on Python scripts, as this unexpected presence of an executable strongly indicates malicious activity within the repository.

Upon execution, the file drops and executes a PowerShell script in the %Temp% directory and establishes a persistent infection by creating a scheduled task that triggers the execution of an encoded script. 

After decoding, this script fetches another script from Pastebin and the final script acquires the victim’s public IP address and exfiltrates it to an external server via FTP, likely for further exploitation or command-and-control purposes.

creation of the Scheduled Job
creation of the Scheduled Job

The procedure involves collecting sensitive system data, including computer specifications, running processes, directory contents, network configurations (IPs and adapters), and installed updates, which is then compressed using the ZIP algorithm for efficient storage. 

The compressed data is then uploaded to an external FTP server using credentials that have been pre-defined, which may result in sensitive system information being accessed by unauthorized parties.

To mitigate the risk of downloading malware from fake repositories, prioritize downloading code from official and trusted sources. Scrutinize repositories with suspicious content, especially those with few stars, forks, or contributors, despite claims of widespread use. 

Verify the repository owner’s identity whenever possible and conduct thorough reviews of commit history and recent changes for anomalies. Investigate the repository’s discussion forums and issue trackers for potential red flags. 

According to Trend Micro, by implementing these measures, developers can significantly reduce the likelihood of introducing malicious code into their projects.

Find this News Interesting! Follow us on Google NewsLinkedIn, and X to Get Instant Updates!

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Threat Actors Manipulate Search Results to Lure Users to Malicious Websites

Cybercriminals are increasingly exploiting search engine optimization (SEO) techniques and paid advertisements to manipulate...

Hackers Imitate Google Chrome Install Page on Google Play to Distribute Android Malware

Cybersecurity experts have unearthed an intricate cyber campaign that leverages deceptive websites posing as...

Dangling DNS Attack Allows Hackers to Take Over Organization’s Subdomain

Hackers are exploiting what's known as "Dangling DNS" records to take over corporate subdomains,...

HelloKitty Ransomware Returns, Launching Attacks on Windows, Linux, and ESXi Environments

Security researchers and cybersecurity experts have recently uncovered new variants of the notorious HelloKitty...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Threat Actors Manipulate Search Results to Lure Users to Malicious Websites

Cybercriminals are increasingly exploiting search engine optimization (SEO) techniques and paid advertisements to manipulate...

Hackers Imitate Google Chrome Install Page on Google Play to Distribute Android Malware

Cybersecurity experts have unearthed an intricate cyber campaign that leverages deceptive websites posing as...

Dangling DNS Attack Allows Hackers to Take Over Organization’s Subdomain

Hackers are exploiting what's known as "Dangling DNS" records to take over corporate subdomains,...