GodZilla

Specifically, the warrants authorized the seizures of computer servers that launched and controlled the DDoS attacks, computer servers that relayed attack commands to a broader network of attack computers, and accounts containing the source code for the DDoS tools used by Anonymous Sudan.

Threat actors could modify a JavaScript file with code that asked users to run a ‘security authentication plugin’ and install a malicious script from a domain that hackers used.

Threat actors abused a critical zero-day bug in a server that ran a KnowledgeDeliver LMS... The bug is a deserialization problem tracked as CVE-2026-5426 and can be abused without verification.

Threat actors could modify a JavaScript file with code that asked users to run a ‘security authentication plugin’ and install a malicious script from a domain that hackers used.

Monitor for unusual child processes spawned by w3wp.exe . Commands observed include: ... powershell.exe

Monitor for unusual child processes spawned by w3wp.exe . Commands observed include: cmd.exe /c ... whoami

The activity has been found to leverage publicly available proof-of-concept exploit code to deploy web shells on hacked systems, allowing the operators to run arbitrary bash commands.

When the machineKey is known, a threat actor can craft a malicious ViewState payload. By sending this payload in an HTTP request (via the __VIEWSTATE parameter), the threat actor can make the server deserialize it.

The threat actor deployed a .NET-based in-memory web shell called BLUEBEAM (also known as Godzilla). This malware operates entirely in memory within the IIS worker process ( w3wp.exe ), making it difficult to detect through traditional file-based scanning.

During the development of both Java and .NET webshells, I encountered an interesting challenge: how can a webshell communicate with its controller through encrypted HTTP traffic while remaining flexible enough to execute arbitrary payloads?

Attackers leveraged this access to inject malicious code, deploy the Godzilla web shell, and escalate privileges.

A known indicator associated with the campaign includes the BLUEBEAM payload “LoadLibrary.dll” with SHA-256 hash 7c1f99dca8e5a7897892f9d224a6495023a2cfd2671697d229d355978c415ed2.

This type of webshell is widely used... by dynamically loading Java bytecode directly into memory instead of storing it on disk.

The simplest way to execute arbitrary Java code from JSP is to dynamically load a compiled Java class through a custom ClassLoader.

Among the commands executed were instructions to escalate their control over the web server's file system by granting "Everyone" complete access to the web application directory.

One particularly notable technique involved propagating malicious web shells across additional internal Exchange servers by copying ASPX files directly through administrative SMB shares.

Talos is also aware of the widespread in-the-wild active exploitation of three vulnerabilities in unpatched Cisco Catalyst SD-WAN Manager infrastructure (CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122) that, when chained together, can allow a remote unauthenticated attacker to gain access to the device.

In one environment, the group propagated web shells to additional internal Exchange servers by using existing administrative credentials

The malware communicates through encrypted HTTP POST requests, allowing attackers to execute commands, upload payloads, and maintain persistence... Network defenders should also watch for anomalous User-Agent strings.

The malware communicates through encrypted HTTP POST requests, allowing attackers to execute commands, upload payloads, and maintain persistence... Users who downloaded the fake plugin were infected with a Cobalt Strike Beacon payload.

According to the indictment and a criminal complaint also unsealed today, since early 2023, the Anonymous Sudan actors and their customers have used the group’s Distributed Cloud Attack Tool (DCAT) to conduct destructive DDoS attacks and publicly claim credit for them. In approximately one year of operation, Anonymous Sudan’s DDoS tool was used to launch over 35,000 DDoS attacks.

Anonymous Sudan’s DDoS attacks, which at times lasted several days, caused damage to the victims’ websites and networks, often rendering them inaccessible or inoperable, resulting in significant damages.