Hackers Weaponize CVE-2024-4577 to Deploy Cobalt Strike and Compromise Systems

Red | Attack Report

Since January 2025, an unidentified threat actor has been targeting organizations in Japan by exploiting CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation on Windows, to gain initial access. Once inside, they execute PowerShell scripts to deploy a Cobalt Strike reverse HTTP shellcode payload, establishing persistent remote access. For post-exploitation, they leverage TaoWu, a set of publicly available Cobalt Strike plugins, enabling further control over compromised systems and facilitating lateral movement within the network.
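The chain above leaves two artifacts a defender can look for: an HTTP request to php-cgi whose query string carries the URL-encoded soft hyphen (`%AD`) that is characteristic of CVE-2024-4577 exploitation attempts on Windows, and a `php-cgi.exe` process spawning PowerShell (often with an encoded command) to stage the Cobalt Strike payload. The script below is an added example, not code from HivePro's report, and runs over constructed sample inputs: synthetic Apache-style access-log lines and hypothetical process-creation records shaped like Sysmon Event ID 1 fields. The encoded-command value is a placeholder, and the paths and IPs are made up.

```python
import re
from urllib.parse import urlsplit

# --- Constructed sample inputs (synthetic, not from the report) ---------------

# Apache combined-style access log lines. Line 2 carries the URL-encoded soft
# hyphen (%AD) in its query string, the encoding artifact seen in
# CVE-2024-4577 exploitation attempts against php-cgi on Windows.
ACCESS_LOG = """\
198.51.100.7 - - [12/Jan/2025:10:01:02 +0900] "GET /index.php?page=home HTTP/1.1" 200 512
198.51.100.9 - - [12/Jan/2025:10:01:05 +0900] "POST /php-cgi/php-cgi.exe?%ADx HTTP/1.1" 200 0
198.51.100.9 - - [12/Jan/2025:10:01:06 +0900] "GET /static/logo.png HTTP/1.1" 200 2048
"""

# Process-creation events using Sysmon Event ID 1 field names (hypothetical
# values; the encoded command is a placeholder, not a real payload).
PROCESS_EVENTS = [
    {"ParentImage": r"C:\php\php-cgi.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64-placeholder>"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

# --- Detection logic ----------------------------------------------------------

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
SOFT_HYPHEN = re.compile(r"%ad", re.IGNORECASE)        # URL-encoded U+00AD
WEB_PARENTS = {"php-cgi.exe", "php.exe"}               # PHP CGI/CLI images
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# PowerShell accepts abbreviated forms of -EncodedCommand.
ENCODED_FLAG = re.compile(r"\s-(?:encodedcommand|enc|en|ec|e)\b", re.IGNORECASE)


def suspicious_php_cgi_requests(log_text: str) -> list[dict]:
    """Return access-log entries whose query string contains a %AD sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        query = urlsplit(m["uri"]).query
        if SOFT_HYPHEN.search(query):
            hits.append({"ip": m["ip"], "ts": m["ts"], "uri": m["uri"]})
    return hits


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def web_to_shell_spawns(events: list[dict]) -> list[dict]:
    """Flag PHP CGI processes that spawn a shell; note encoded PowerShell."""
    findings = []
    for ev in events:
        parent, child = _basename(ev["ParentImage"]), _basename(ev["Image"])
        if parent in WEB_PARENTS and child in SHELLS:
            findings.append({
                "parent": parent,
                "child": child,
                "encoded": bool(ENCODED_FLAG.search(ev["CommandLine"])),
            })
    return findings


if __name__ == "__main__":
    for hit in suspicious_php_cgi_requests(ACCESS_LOG):
        print("web:  possible CVE-2024-4577 attempt", hit)
    for f in web_to_shell_spawns(PROCESS_EVENTS):
        print("host: PHP CGI spawned a shell", f)
```

The two checks are deliberately independent: the web-log check fires on attempts whether or not they succeeded, while the process-lineage check only fires once code execution was actually achieved, so an alert from the second is the stronger signal that the PowerShell and Cobalt Strike stages described above are in progress.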
