{
	"id": "d7814ea1-4c15-4938-82bc-39a493a08842",
	"created_at": "2026-04-06T01:30:46.895664Z",
	"updated_at": "2026-04-10T03:30:32.85398Z",
	"deleted_at": null,
	"sha1_hash": "1b20afdb199427d20ed868938903fd429b4f5c88",
	"title": "Shining a Light in the Dark – How Binary Defense Uncovered an APT…",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52809,
	"plain_text": "Shining a Light in the Dark – How Binary Defense Uncovered an APT…\r\nArchived: 2026-04-06 01:11:27 UTC\r\nWritten by ARC Labs contributors, John Dwyer, Eric Gonzalez at Binary Defense and Tyler Hudak at TrustedSec\r\nIn cybersecurity, the threats we don't see—or don't expect—often pose the greatest danger. Recently, this became all too clear when three unmanaged AIX servers, sitting exposed on the internet, opened the door for a China-Nexus Threat Actor to launch an attack. What may seem like obscure, legacy technology became a launchpad for malicious activity, allowing the attacker to introduce a web shell and pivot deeper into a Windows environment.\r\nThis incident highlights the growing risks posed by shadow IT and unmanaged systems, but more importantly, it underscores the critical role that detection and response play in identifying and mitigating threats. Even legacy technologies, like AIX servers, can become high-value targets for attackers. In this blog, we’ll explore how the attackers quickly pounced on an opportunity to take control of these unmanaged systems and why comprehensive threat detection and response is essential for protecting every corner of your network—no matter how small or seemingly insignificant.\r\nTimeline of the Attacker's Activity\r\nAttacker accesses one of the AIX servers using the default credentials for the Apache AXIS Admin portal\r\nAttacker leverages the upload function of the AXIS admin portal to introduce the AxisInvoker web shell\r\nAttacker harvests Kerberos data from the AIX server\r\nAttacker uploads the requisite SSH keys and accesses the AIX server via SSH\r\nAttacker performs reconnaissance, gathering data through LDAP, SMB shares, and network information, and searches local configuration files for more information about the systems and their configuration\r\nAttacker attempts to introduce several post-exploitation tools such as Cobalt Strike beacons and different JavaScript-based web shells\r\nAttacker introduces the FRP reverse proxy tool to establish a direct connection from the attacker-controlled infrastructure to the target network\r\nAttacker executes various NTLM attacks to perform Active Directory reconnaissance and account impersonation attacks for the local Administrator account\r\nAttacker attempts to harvest credentials by dumping the LSASS process but is detected and removed from the environment.\r\nThe Incident\r\nhttps://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/\r\nPage 1 of 4\n\nIn August 2024, malicious activity was detected on a Windows server. The alert was associated with an attempt to dump the memory of the LSASS process—an indicator of a potential privilege escalation attempt.\r\nService Name: omKGvRny\r\nService Image Path: %COMSPEC% /Q /c cMd.exE /Q /c for /f \"tokens=1,2 delims= \" ^%A in ('\"tasklist /fi \"Imagename eq lsass.exe\" | find \"lsass\"\"') do rundll32.exe C:\\windows\\System32\\comsvcs.dll, #+0000^24 ^%B \\Windows\\Temp\\q4MYcT.lnk full\r\nAn investigation by Binary Defense, in conjunction with analysis from TrustedSec, traced the original alert back to a credential dumping attempt that originated from an AIX server. The server was part of a three-server AIX development environment that had been left publicly accessible with default administrator credentials for the Apache Axis admin portal. The evidence gathered by Binary Defense indicates the attacker had initially compromised the servers in March of 2024 and was able to maintain persistent access to the systems until August, when they attempted to move laterally to a portion of the network which was in scope of the security tools. These types of oversights are often the result of shadow IT practices, where systems are deployed without the knowledge or control of the security team, and regularly serve as enticing entry points for attackers. The threat actor exploited the default Apache credentials to gain administrative access, upload a web shell, and establish persistent access through SSH keys and a reverse proxy.\r\nA web shell is a malicious script that attackers upload to a web server, allowing them to remotely execute commands, browse files, and control the server as if they were physically present. This tool gave the attacker interactive access to the AIX server, effectively turning it into a launchpad for further attacks. To maintain stealthy communication with the compromised server, the attacker used Fast Reverse Proxy (FRP), a tool that creates a reverse tunnel back to the attacker’s infrastructure, bypassing network defenses and firewalls.\r\nAttack Activity | Details\r\nUpload webshell | /axis2/axis2-admin/upload\r\nInteract with webshell | /axis2/services/AxisInvoker/exec?cmd=\r\nEnable Attacker SSH access | Download of SSH key into /.ssh/authorized_keys\r\nCollect key tab file | cp /etc/krb5.keytab /opt/\u003caxispath\u003e/axis2-web/krb5.jsp\r\nCollect key tab cache | Download /tmp/.1/krb5.ccache\r\nCollect temp key tab | Download /tmp/krb5.keytab\r\nCollect admin bash history | Download /home/\u003cuser\u003e/.bash_history\r\nCollect admin shell history | cat /home/\u003cadmin\u003e/.sh_history\r\nActive Directory recon | /tmp/ldapsearch\r\nStage FRP reverse proxy | Upload /tmp/frpc \u0026 /tmp/ssl/frpc.ini\r\nStarting reverse proxy process | /tmp/frpc process execution\r\nWith this C2 (command-and-control) channel established, the attacker executed NTLM relay attacks, a method where they capture and relay authentication credentials to impersonate a privileged user. This technique allowed the attacker to enumerate Windows users and impersonate a valid Administrator account within the Windows environment, ultimately attempting to dump the LSASS process to harvest credential data.\r\nThis incident is a stark reminder that every device on a network, regardless of its purpose or visibility, can be a potential target for attackers.\r\nUnmanaged AIX Servers: Obscurity Does Not Guarantee Security\r\nAIX systems, while not commonly targeted in the same way as Windows or Linux, are by no means immune to attacks. The attackers in this case demonstrated their capability to identify and exploit the vulnerabilities in these systems. By utilizing tools like the AxisInvoker web shell and Fast Reverse Proxy (FRP), they effectively turned a relatively obscure system into a beachhead for lateral movement into other systems. This serves as a crucial reminder that security teams must be vigilant about all systems in their network, not just the most obvious targets.\r\nIt is worth noting that while the attacker was able to navigate the AIX servers and utilize them to maintain access to the environment, they were unable to establish a C2 channel over Cobalt Strike because they repeatedly attempted to use Linux commands such as wget and curl, which are not native to AIX.\r\nThe Importance of Comprehensive Security Monitoring\r\nThe attack was first detected when the China-Nexus threat actor attempted to pivot from the unmanaged AIX servers into the more secure, managed Windows environment, where active security controls were monitoring for suspicious activity. However, the story didn’t end there. Even after being thwarted from their initial vector, the attacker made multiple failed attempts to regain access, demonstrating their persistence.\r\nHad the threat actor been able to maintain their foothold within the unmanaged AIX servers, they could have operated undetected for an extended period, potentially causing far more significant damage. Their repeated efforts to infiltrate the system emphasize just how relentless adversaries can be, especially when targeting unmonitored or obscure systems. This incident highlights the critical importance of comprehensive security monitoring across all systems, not just those that are actively managed or considered high-priority. Without visibility into every corner of the network, even seemingly minor, unmanaged systems can become a persistent source of risk.\r\nFinal Thoughts\r\nThis incident highlights the dangers of unmanaged and shadow IT systems, which can easily become the weak link in an otherwise secure network. It also serves as a reminder that less commonly targeted systems, like AIX, are not immune to attacks. Security teams must maintain visibility and control over all networked devices to prevent similar breaches in the future. The incident also reinforces the importance of regular audits, strong credential management, and the integration of security measures across all environments.\r\nCall to Action\r\nOrganizations must take a hard look at their current IT assets and ensure that every system—whether it’s perceived as critical or obscure—is included in their security strategy. Every part of your network plays a role in its overall strength, and by giving attention to each system, you’re building a more resilient foundation.\r\nAs a partner, Binary Defense is here to support our clients’ security efforts by becoming an extension of their team. We offer full visibility and advanced threat detection across your entire environment, from legacy systems like AIX servers to the latest technologies. Our goal is to help you stay ahead of threats, ensuring that no system, no matter how small, goes unprotected.\r\nWe work alongside you to strengthen your security posture, offering managed detection and response, proactive threat hunting, and timely incident response. Together, we can ensure every part of your digital ecosystem is secure, giving you the confidence to focus on what matters most—growing your business. Let's work together to protect your entire network, one step at a time.\r\nSource: https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/"
	],
	"report_names": [
		"shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439046,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1b20afdb199427d20ed868938903fd429b4f5c88.pdf",
		"text": "https://archive.orkl.eu/1b20afdb199427d20ed868938903fd429b4f5c88.txt",
		"img": "https://archive.orkl.eu/1b20afdb199427d20ed868938903fd429b4f5c88.jpg"
	}
}