Threat Research

The intrusion started in mid-February 2024 when a threat actor exploited CVE-2023-46604 on an exposed Apache ActiveMQ server. By leveraging a Java Spring class and a custom Spring bean XML configuration, the attacker achieved remote code execution. The malicious XML executed a command that used Windows CertUtil to download a payload from a remote server....

"File Decoded From Base64/Hex Via Certutil.EXE" refers to the detection of the Windows utility certutil.exe being used with the -decode or -decodehex flags to convert base64 or hex-encoded data into executable files....

Detects the execution of certutil with the "encode" flag to convert a file to Base64, targeting files located in potentially suspicious directories....

"Suspicious File Encoded To Base64 Via Certutil.EXE" examines the use of the Certutil tool with the "encode" flag to convert files into Base64 encoding. This technique is often employed by malicious actors to obfuscate files, particularly when the file extensions appear suspicious....