{
	"id": "87e1e3c6-9d8c-4d99-97de-140138c7bde8",
	"created_at": "2026-04-06T01:31:57.759992Z",
	"updated_at": "2026-04-10T13:11:27.932003Z",
	"deleted_at": null,
	"sha1_hash": "53e79e59898a127c508970c20c1109981ff252dd",
	"title": "Log4j Exploit Hits Again: Vulnerable Unifi Network Application (Ubiquiti) at Risk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 436182,
	"plain_text": "Log4j Exploit Hits Again: Vulnerable Unifi Network Application\r\n(Ubiquiti) at Risk\r\nBy Morphisec Labs\r\nArchived: 2026-04-06 00:50:54 UTC\r\nAs a continuation of our previously published blog post on VMware Horizon being targeted through the Log4j vulnerability, we have now identified Unifi Network applications being targeted in a similar way on a number of occasions. Based on prevention logs from Morphisec, the first appearance of successful exploitation occurred on January 20, 2022. Morphisec’s expertise comes from being the best breach prevention software, using Automated Moving Target Defense to stop ransomware and other advanced attacks that today’s NGAV and EDR solutions are unable to stop in a timely and cost-efficient manner.\r\nWhat makes this attack unique is that the C2 is correlated with a previous SolarWinds attack, as reported by CrowdStrike.\r\nNot surprisingly, a POC for the exploitation of Unifi Network was released a month prior (24th of December), and we therefore expected to see this type of targeted exploitation in the wild.\r\nTechnical Details\r\nThe Unifi vulnerability was first posted by @sprocket_ed.\r\nLog4j Vulnerability (Log4Shell) on Ubiquiti UniFi\r\nhttps://blog.morphisec.com/log4j-exploit-targets-vulnerable-unifi-network-applications\r\nPage 1 of 4\n\nUbiquiti normal execution command line:\r\n-Dfile.encoding=UTF-8\r\n-Djava.awt.headless=true\r\n-Dapple.awt.UIElement=true\r\n-Dunifi.core.enabled=false\r\n-Xmx1024M\r\n-Xrs\r\n-XX:+ExitOnOutOfMemoryError\r\n-XX:+CrashOnOutOfMemoryError\r\n-XX:ErrorFile=C:\\Users\\Administrator\\Ubiquiti UniFi\\logs\\hs_err_pid%p.log\r\n-jar\r\nC:\\Users\\Administrator\\Ubiquiti UniFi\\lib\\ace.jar\r\nstart\r\n(We recommend detecting PowerShell execution as a child process of this command line.)\r\nOrigin:\r\nhttps://github.com/ivan-sincek/powershell-reverse-tcp/blob/master/src/prompt/powershell_reverse_tcp_prompt.ps1\r\nWe found that the C2 used in the attack was previously noted as part of the SolarWinds supply chain attack, as a Cobalt beacon C2, and was attributed to TA505 (aka GRACEFUL SPIDER), a well-known financially motivated threat actor group. These attacks are often motivated by opportunities to sell sensitive data or to extort ransom payments under threat of exposure. TA505, the name given by Proofpoint, has been in the cybercrime business for at least five years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via the Necurs botnet. Other malware associated with TA505 includes the Philadelphia and GlobeImposter ransomware families. More on TA505 here.\r\nThese types of attacks underscore how traditional security solutions are failing to detect and prevent the latest threats, which have become far more frequent and sophisticated. With a ransomware attack now occurring every few seconds on average, and ransoms costing organizations millions, security teams should explore ways to augment or replace current solutions that are no longer adequate. Leading analysts, such as Gartner, are pointing to Moving Target Defense as a way to detect and prevent attacks that are now bypassing next generation antivirus (NGAV) and endpoint detection and response (EDR) solutions. Morphisec offers Moving Target Defense for endpoints and Windows or Linux servers. Firms should also consider Incident Response (IR) services, not only to respond to Indicators of Compromise (IOCs) but also to assess security postures for weaknesses and provide recommendations to improve defenses. Morphisec offers IR services that leverage our deep Moving Target Defense expertise and technology.\r\nRelated tweet on C2:\r\nIndicators of Compromise (IOCs)\r\nC2 179.60.150[.]32\r\nObserved Vulnerable Jars\r\n2275247244f03091373f51d613939f5a96c48481c60832d443c112611142ceba\r\n5e53ee9c3299a60b313bdfa3d8b8aaafae67d70eb565a7999e42139d51614462\r\ncccd16f0c8e1f490f9cf8b0a42d61b52185f0e44e66e098c4f116b3e19f75b1c\r\n079089176ad528393c0641a630d90ca90a353a3c1765fb052e8c43ed45a29506\r\nAbout the author\r\nMorphisec Labs\r\nMorphisec Labs continuously researches threats to improve defenses and share insight with the broader cyber community. The team engages in ongoing cooperation with leading researchers across the cybersecurity spectrum and is dedicated to fostering collaboration, data sharing and offering investigative assistance.\r\nSource: https://blog.morphisec.com/log4j-exploit-targets-vulnerable-unifi-network-applications",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.morphisec.com/log4j-exploit-targets-vulnerable-unifi-network-applications"
	],
	"report_names": [
		"log4j-exploit-targets-vulnerable-unifi-network-applications"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439117,
	"ts_updated_at": 1775826687,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/53e79e59898a127c508970c20c1109981ff252dd.pdf",
		"text": "https://archive.orkl.eu/53e79e59898a127c508970c20c1109981ff252dd.txt",
		"img": "https://archive.orkl.eu/53e79e59898a127c508970c20c1109981ff252dd.jpg"
	}
}