ZeroDay Field Notes - When Your Firewall Becomes the Backdoor

UncleSp1d3r here. This week's been a reminder that every piece of infrastructure you depend on is someone else's target--especially when it's supposed to be your first line of defense. We've got actively exploited RCE in WatchGuard firewalls, a cross-platform APT campaign leveraging mshta and systemd with equal enthusiasm, and a credential-stealing operation that's already compromised nearly 60,000 Next.js servers. Oh, and macOS operators finally get code-signed, notarized malware that bypasses Gatekeeper like it's not even there.

The holiday lull is officially over. Let's get into it.

WatchGuard Firebox: When the Perimeter Device Is the Entry Point

If you're running WatchGuard Firebox appliances, this one's going to sting. CVE-2025-14733 is a critical out-of-bounds write vulnerability in the iked process that handles IKEv2 VPN connections. It's a textbook memory corruption bug: send a crafted IKE_AUTH message with an oversized CERT payload (anything over ~2000 bytes), and you can trigger remote code execution with no authentication required. This is not to be confused with the previous WatchGuard Firebox iked-based vulnerability we talked about back in October.

The vendor advisory confirms active exploitation by threat actors, and the CVSS score sits at 9.3/9.8 depending on which metric version you prefer. Either way, it's a "drop everything and patch" situation. Affected versions span Fireware OS 11.10.2 through 2025.1.3 across all Firebox models. Fixes are available in 2025.1.4, 12.11.6, and 12.5.15 for legacy T15/T35 models.

The exploitation chain is straightforward. The attacker sends an IKEv2 packet with an abnormally large certificate chain embedded in the CERT payload. The iked process doesn't validate the length correctly, writes past the allocated buffer, and hands control to the attacker. From there, you've got full device compromise--network traffic inspection, credential harvesting, lateral movement, the works.

For defenders, WatchGuard published specific hunting indicators:

• Monitor for IKE_AUTH messages with CERT payloads exceeding 2000 bytes
• Check logs for "Received peer certificate chain is longer than 8" messages
• Hunt for iked process hangs or unexpected crashes
• Baseline normal certificate chain sizes and alert on outliers

If you've got unpatched devices, assume they're compromised until proven otherwise. Rotate all locally stored secrets (VPN keys, admin credentials, stored certificates), and review logs for any outbound connections to known malicious IPs listed in the advisory. The vendor has been pretty clear: this is being used in the wild, and the window for opportunistic exploitation is wide open.

For operators on the offensive side, this is a case study in targeting edge infrastructure. VPN gateways are high-value targets--they're internet-facing, they handle authentication, and once compromised, they provide visibility into internal traffic without triggering endpoint defenses. The fact that this is a memory corruption bug in a well-known daemon means the exploitation primitives are portable across similar implementations. This is also the second buffer overflow we've talked about this quarter in the same daemon so it should be a lesson in performing fuzzing and parameter testing to find new fun ways to exploit trusted services.

Operation PCPcat: 59,000 Next.js Servers and Counting

While everyone was focused on React2Shell, a separate Next.js vulnerability was being systematically exploited at scale. CVE-2025-29927 is a credential exposure flaw in older Next.js versions (pre-12.3.5, pre-13.5.9, pre-14.2.25, pre-15.2.3) that allows attackers to read .env files from misconfigured servers via crafted requests containing the x-middleware-subrequest header.

The campaign, dubbed Operation PCPcat, has compromised at least 59,128 Next.js servers as of publication. The attackers built a Python-based scanner (react.py) that sweeps IP ranges for vulnerable instances, extracts environment variables (database credentials, API keys, session secrets), and then installs persistence via a shell script (proxy.sh) that sets up proxy services and backdoor access.

The technical details are solid. The scanner targets servers that return .env content when sent requests with the x-middleware-subrequest header set. Once credentials are harvested, the attackers deploy a multi-stage payload:

1. Credential exfiltration: Database connection strings, OAuth secrets, Stripe API keys
2. Proxy installation: SOCKS5 proxy service on non-standard ports (5656, 666, 888)
3. Persistent backdoor: Modified startup scripts, cron jobs, systemd service units

The campaign's infrastructure leverages Telegram channels for C2 coordination and data exfiltration. The operators are using Ethereum Name Service (ENS) domains for resilience, which makes traditional DNS sinkholing less effective.

For defenders, the immediate actions are:

• Patch Next.js to 12.3.5, 13.5.9, 14.2.25, or 15.2.3 or later
• Block inbound requests with x-middleware-subrequest headers at the edge
• Monitor for outbound connections on ports 5656, 666, 888
• Hunt for react.py and proxy.sh artifacts using the provided YARA rules
• Rotate all secrets stored in .env files and audit access logs for evidence of exfiltration

The Beelzebub report includes file hashes, C2 IPs, and detailed MITRE ATT&CK mappings. This is a large-scale, automated campaign with clear operational metrics, which makes it a good case study in offensive automation and scalable exploitation.

For red teams, the technique is clean: scan for a known vulnerability, extract high-value secrets, and establish persistent access via legitimate system services. The use of Telegram for exfil and ENS for C2 demonstrates effective operational security for long-term campaigns.

CountLoader Evolves: Now With More Infostealer

CountLoader has been around for a while as a versatile malware delivery platform, but Cyderes' latest analysis documents a significant evolution: the loader is now being used to deliver ACR Stealer, a credential harvesting tool, via HTA/JavaScript/PowerShell chains and signed-binary sideloading.

The attack chain starts with phishing emails containing malicious HTA attachments or links to cloud-hosted files (MediaFire, Cloudflare R2). When executed, the HTA spawns a JavaScript loader that runs obfuscated PowerShell commands to download and execute the next stage. The final payload is delivered via DLL sideloading, abusing a legitimate signed binary (WinX_DVD_Copy_Pro.exe) to load a malicious DLL that contains ACR Stealer.

ACR Stealer itself is a modular infostealer targeting browser credentials, cryptocurrency wallets, email clients, and FTP applications. Once deployed, it exfiltrates data to attacker-controlled infrastructure and establishes persistence via scheduled tasks, WMI event subscriptions, and registry Run keys.

The tradecraft here is notable for its use of living-off-the-land binaries (LOLBins) and legitimate signed executables. By abusing mshta.exe, rundll32.exe, and a signed DVD ripping tool, the attackers blend their malicious activity with benign system behavior. The use of public cloud services for hosting further complicates detection, as blocking MediaFire wholesale is often impractical in enterprise environments.

For defenders, the mitigations are policy-driven:

• Block or restrict mshta.exe and rundll32.exe via AppLocker or Windows Defender Application Control (WDAC)
• Enable PowerShell Constrained Language Mode and enforce script block logging
• Monitor for sideloading: signed-but-rare binaries loading DLLs from writable user paths
• Implement URL/domain filtering for known file-sharing sites not required for business operations
• Deploy EDR rules to detect HTA/JS spawning PowerShell followed by network beacons

The report includes file hashes, C2 infrastructure, and behavioral detection opportunities. This is a good example of how malware families adapt--CountLoader's pivot from pure delivery to credential theft shows operators iterating on successful techniques and expanding capabilities based on market demand.

APT36: Cross-Platform Persistence Done Right

Multiple independent reports corroborate that APT36 (also tracked as Transparent Tribe) is running a sophisticated cross-platform campaign that delivers RATs to both Windows and Linux targets with equal effectiveness. The campaign leverages weaponized archives, .desktop file execution on Linux, and the classic LNK→mshta→HTA chain on Windows.

The Linux side is particularly interesting. The attackers distribute .zip archives containing malicious .desktop files--the Linux equivalent of Windows shortcuts. When executed, these files run shell commands that download and execute PyInstaller-packed Python binaries. The malware establishes persistence via user-level systemd services (~/.config/systemd/user/*.service), which survives reboots and doesn't require root privileges.

On Windows, the chain is more traditional but no less effective: LNK files spawn mshta.exe, which runs obfuscated HTA scripts to download and execute .NET-based RATs. Persistence is achieved via Startup folder LNKs, registry Run keys, and scheduled tasks.

The RAT capabilities are comprehensive:

• System fingerprinting (hostname, user, OS version, AV products)
• File enumeration and exfiltration
• Remote shell execution
• Screenshot capture
• USB drive harvesting
• C2 via HTTP with fixed XOR/AES encryption patterns

The campaign is also notable for exploiting CVE-2025-8088, a recent WinRAR vulnerability, as part of the initial access chain.

For defenders, the mitigations span both platforms:

Linux:

• Mount /tmp with noexec,nodev where feasible
• Restrict execution of untrusted .desktop files
• Monitor for user-level systemd service creation
• Block/restrict use of curl, xxd, chmod, nohup via local policies

Windows:

• Disable or restrict mshta.exe
• Enforce AppLocker/Windows Software Restriction Policies for HTA/LNK execution
• Restrict PowerShell (Constrained Language Mode, logging, transcription)
• Hunt for .NET BinaryFormatter deserialization and MemoryStream indicators

The CYFIRMA report includes extensive IOCs (file hashes, domains, IPs) and YARA rules. This is a well-resourced APT with clear regional targeting and mature cross-platform tradecraft. For red teams working on multi-OS engagements, the systemd persistence and .desktop abuse are worth emulating.

MacSync Stealer: Code Signing as a Feature, Not a Bug

Jamf Threat Labs documented the evolution of MacSync Stealer, and it's a good case study in abusing Apple's developer trust model. The malware arrives as a legitimate-looking disk image (zk-call-messenger-installer-3.9.2-lts.dmg) containing a code-signed, notarized Swift application. Because it's signed with a legitimate Developer Team ID (GNJLS3UYZ4), it passes Gatekeeper checks and executes without user warnings.

Once launched, the installer runs runtimectl to fetch an obfuscated script from attacker-controlled domains (focusgroovy[.]com, gatemaden[.]space, zkcall[.]net). The script is downloaded to /tmp/runner, executed to strip the com.apple.quarantine extended attribute, validated with spctl, and then run. The payload itself is multi-layer obfuscated via base64 encoding, gzip compression, and eval, minimizing on-disk artifacts.

Persistence is established via ~/Library/Application Support/UserSyncWorker/ and logged to ~/Library/Logs/UserSyncWorker.log. The C2 infrastructure supports staged payload delivery, credential theft from browsers and keychain, and file exfiltration.

Jamf reported the malicious certificate to Apple, which subsequently revoked it--but the malware demonstrates the ongoing challenge of combating signed, notarized threats. The use of legitimate Apple APIs (runtimectl, spctl) and Swift as the implementation language makes the malware look like benign application infrastructure.

For macOS defenders, the hunting indicators are:

• Creation of UserSyncWorker directory and log file
• Execution of /tmp/runner or similar temp-directory scripts
• Network connections to focusgroovy.com, gatemaden.space, zkcall.net
• Use of Developer Team ID GNJLS3UYZ4 (now revoked, but good for retroactive hunting)
• Anomalous use of runtimectl and spctl by non-system applications

For red teams, this is a blueprint for macOS delivery: obtain a legitimate Developer ID (buy it, compromise it, or use a temporary throwaway), sign your payload, automate notarization, and abuse built-in Apple tooling to validate and execute your code. The fact that this worked for an extended period underscores the effectiveness of blending in with legitimate developer workflows. I particularly enjoyed the use of decoy files in the package to inflate the bundle size and increase the number of legitimate files that could mislead simple scans. This highlights the delicate balance between maintaining space efficiency for network communications and ensuring that your code is not so efficiently malicious that it raises red flags as malware.

React2Shell Update: New Payloads, Same Vulnerability

We've covered React2Shell (CVE-2025-55182) extensively in previous editions, but this week brought a few developments worth noting briefly:

S-RM documented a case where attackers used the vulnerability as an initial access vector to deploy Weaxor ransomware (a Mallox variant) in a 15-minute window from exploitation to full encryption. The speed is notable--this wasn't reconnaissance followed by manual intrusion; it was automated exploitation leading directly to ransomware deployment via Cobalt Strike.

NTT Security identified ZnDoor, a new backdoor being delivered via React2Shell that establishes persistent access through Windows services, communicates with four C2 nodes (45.32.126.137, 104.168.9.49, 149.28.25.254, 45.76.155.14, and domain api[.]qtss.cc), and supports shell commands and SOCKS5 proxy operations for lateral movement. The malware employs process spoofing and timestomping for evasion.

And GreyNoise published an analysis of mass-scanning payloads, including some that appear to be AI-generated or at least AI-assisted in their complexity and variation. The payloads range from simple automated scanners to multi-stage exploitation chains delivering Gafgyt, Mirai variants, and custom botnets.

The takeaway: if you haven't patched React Server Components to 19.0.1+, 19.1.2+, or 19.2.1+, you're now facing not just opportunistic cryptominers but also ransomware operators and APT-level intrusion sets. The exploitation is mature, automated, and being integrated into multiple attack platforms.

Closing Thoughts

This week's stories share a pattern: attackers are abusing legitimate infrastructure, signed binaries, and trusted services to deliver malicious payloads. WatchGuard firewalls become entry points, macOS code signing becomes a delivery mechanism, and Next.js servers become credential vaults. The traditional security boundary between "trusted" and "untrusted" is increasingly meaningless when the trusted infrastructure itself is the attack vector.

The fundamentals still matter--patch known vulnerabilities, enforce least privilege, monitor for anomalous behavior--but the execution has to be sharper. You can't just trust a binary because it's signed or allow a request because it comes from a legitimate cloud provider. Context matters, baselines matter, and behavioral detection matters more than signatures.

For operators, the lesson is clear: the best attack vectors are the ones that look exactly like legitimate operations. Abuse signed binaries, use legitimate cloud services for C2, and blend your tradecraft with normal system behavior. The defenders who catch you are the ones who actually understand what "normal" looks like in their environment.

So patch your WatchGuards, rotate your Next.js secrets, and maybe audit what's actually signed and notarized on your macOS fleet. The holiday might be over, but the exploitation season is just getting started.

-- UncleSp1d3r