University of California San Diego (USArhythms subdomain)
June 22, 2025
•[ botnet, infrastructure compromise, remote code execution ]
CloudSEK and HackRead report the Androxgh0st botnet compromised a UC San Diego subdomain to host command-and-control/logging infrastructure using RCE and web shells; no confirmed data theft or service disruption reported.
VeraCore (Advantive)
November 5, 2024
•[ data leak, vulnerability, web shell ]
The Vietnamese-linked cybercriminal group XE Group exploited two zero-day vulnerabilities (CVE-2024-57968, CVE-2025-25181) in the U.S. software vendor VeraCores warehouse management and fulfillment platform. Attackers uploaded web shells, maintained persistent access since 2020, exfiltrated configuration and system data, and executed commands on compromised servers, potentially exposing data from client organizations using VeraCore for logistics operations.
At least one undisclosed government and/or tech company
November 4, 2024
•[ state-sponsored, malware, backdoor ]
Government cybersecurity reporting described PRC state-sponsored actors using BRICKSTORM malware to maintain long-term persistence in victim environments, primarily affecting government services/facilities and IT sector organizations. In a documented case, actors accessed a DMZ web server (with a web shell present), moved laterally using service account credentials, copied Active Directory databases, pivoted into VMware vCenter, accessed domain controllers and an ADFS server, and exported cryptographic keys. BRICKSTORM provided stealthy backdoor access for command-and-control and remote operations and was used for persistence from at least April 2024 through at least September 3, 2025. The specific victim organization name was not disclosed in the reporting.
