{ "id": "b3923b62-bc07-4709-a366-3816d953e6c0", "created_at": "2026-04-06T00:14:20.900565Z", "updated_at": "2026-04-10T03:35:34.349982Z", "deleted_at": null, "sha1_hash": "6682314cc9c2cc8d301403ec4db6c5d6fc59230e", "title": "FreakOut malware worms its way into vulnerable VMware servers", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2110837, "plain_text": "FreakOut malware worms its way into vulnerable VMware servers\r\nBy Sergiu Gatlan\r\nPublished: 2021-06-04 · Archived: 2026-04-05 13:32:59 UTC\r\nA multi-platform Python-based malware targeting Windows and Linux devices has now been upgraded to worm its way into\r\nInternet-exposed VMware vCenter servers unpatched against a remote code execution vulnerability.\r\nThe malware, dubbed FreakOut by CheckPoint researchers in January (aka Necro and N3Cr0m0rPh), is an obfuscated\r\nPython script designed to evade detection using a polymorphic engine and a user-mode rootkit that hides malicious files\r\ndropped on compromised systems.\r\nFreakOut spreads itself by exploiting a wide range of OS and apps vulnerabilities and brute-forcing passwords over SSH,\r\nadding the infected devices to an IRC botnet controlled by its masters.\r\nhttps://www.bleepingcomputer.com/news/security/freakout-malware-worms-its-way-into-vulnerable-vmware-servers/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/freakout-malware-worms-its-way-into-vulnerable-vmware-servers/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nThe malware's core functionality enables operators to launch DDoS attacks, backdoor infected systems, sniff and exfiltrate\r\nnetwork traffic, and deploy XMRig miners to mine for Monero cryptocurrency.\r\nMalware upgraded with new exploits\r\nAs Cisco Talos researchers shared in a report published today, FreakOut's developers have been hard at work improving the\r\nmalware's spreading capabilities since early May, when the botnet's activity has suddenly increased.\r\n\"Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to the bot, ranging\r\nfrom different command and control (C2) communications and the addition of new exploits for spreading, most notably\r\nvulnerabilities in VMWare vSphere, SCO OpenServer, Vesta Control Panel and SMB-based exploits that were not present in\r\nthe earlier iterations of the code,\" Cisco Talos security researcher Vanja Svajcer said.\r\nFreakOut bots scan for new systems to target either by randomly generating network ranges or on its masters' commands\r\nsent over IRC via the command-and-control server.\r\nFor each IP address in the scan list, the bot will try to use one of the built-in exploits or log in using a hardcoded list of SSH\r\ncredentials.\r\nImage: Cisco Talos\r\nWhile early FreakOut versions were able to exploit only vulnerable versions of Lifearay, Laravel, WebLogic, TerraMaster,\r\nand Zend Framework (Laminas Project) web apps, the latest ones have more than double the number of built-in exploits.\r\nNewly added exploits to malware variants observed by Cisco Talos in May include:\r\nVestaCP — VestaCP 0.9.8 - 'v_sftp_licence' Command Injection\r\nZeroShell 3.9.0 — 'cgi-bin/kerbynet' Remote Root Command Injection\r\nSCO Openserver 5.0.7 — 'outputform' Command Injection\r\nGenexis PLATINUM 4410 2.1 P4410-V2-1.28 — Remote Command Execution vulnerability\r\nOTRS 6.0.1 — Remote Command Execution vulnerability\r\nVMWare vCenter — Remote Command Execution vulnerability\r\nAn Nrdh.php remote code execution exploit for an unknown app\r\nPython versions of EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0147) exploits\r\nThousands of VMware servers exposed to attacks\r\nhttps://www.bleepingcomputer.com/news/security/freakout-malware-worms-its-way-into-vulnerable-vmware-servers/\r\nPage 3 of 5\n\nThe VMware vCenter vulnerability (CVE-2021-21972) is present in the vCenter plugin for vRealize Operations (vROps)\r\nand is particularly interesting because it impacts all default vCenter Server installations.\r\nThousands of unpatched vCenter servers are currently reachable over the Internet, as shown by Shodan and BinaryEdge.\r\nAttackers have previously mass scanned for vulnerable Internet-exposed vCenter servers after security researchers published\r\na proof-of-concept (PoC) exploit code.\r\nRussian Foreign Intelligence Service (SVR) state hackers have also added CVE-2021-21972 exploits to their arsenal in\r\nFebruary, actively exploiting them in ongoing campaigns.\r\nVMware vulnerabilities have also been exploited in the past in ransomware attacks targeting enterprise networks. As Cisco\r\nTalos revealed, FreakOut operators have also been seen deploying a custom ransomware strain showing that they are\r\nactively experimenting with new malicious payloads.\r\nMultiple ransomware gangs, including RansomExx, Babuk Locker, and Darkside, previously used VMWare ESXi pre-auth\r\nRCE exploits to encrypt virtual hard disks used as centralized enterprise storage space.\r\n\"Necro Python bot shows an actor that follows the latest development in remote command execution exploits on various\r\nweb applications and includes the new exploits into the bot. This increases its chances of spreading and infecting systems,\"\r\nSvajcer added.\r\n\"Users need to make sure to regularly apply the latest security updates to all of the applications, not just operating systems.\"\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nhttps://www.bleepingcomputer.com/news/security/freakout-malware-worms-its-way-into-vulnerable-vmware-servers/\r\nPage 4 of 5\n\nSource: https://www.bleepingcomputer.com/news/security/freakout-malware-worms-its-way-into-vulnerable-vmware-servers/\r\nhttps://www.bleepingcomputer.com/news/security/freakout-malware-worms-its-way-into-vulnerable-vmware-servers/\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.bleepingcomputer.com/news/security/freakout-malware-worms-its-way-into-vulnerable-vmware-servers/" ], "report_names": [ "freakout-malware-worms-its-way-into-vulnerable-vmware-servers" ], "threat_actors": [ { "id": "7d8ef10e-1d7b-49a0-ab6e-f1dae465a1a4", "created_at": "2023-01-06T13:46:38.595679Z", "updated_at": "2026-04-10T02:00:03.033762Z", "deleted_at": null, "main_name": "PLATINUM", "aliases": [ "TwoForOne", "G0068", "ATK33" ], "source_name": "MISPGALAXY:PLATINUM", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e61c46f7-88a1-421a-9fed-0cfe2eeb820a", "created_at": "2022-10-25T16:07:24.061767Z", "updated_at": "2026-04-10T02:00:04.854503Z", "deleted_at": null, "main_name": "Platinum", "aliases": [ "ATK 33", "G0068", "Operation EasternRoppels", "TwoForOne" ], "source_name": "ETDA:Platinum", "tools": [ "AMTsol", "Adupib", "Adupihan", "Dipsind", "DvDupdate.dll", "JPIN", "LOLBAS", "LOLBins", "Living off the Land", "RedPepper", "RedSalt", "Titanium", "adbupd", "psinstrc.ps1" ], "source_id": "ETDA", "reports": null }, { "id": "33f527a5-a5da-496a-a48c-7807cc858c3e", "created_at": "2022-10-25T15:50:23.803657Z", "updated_at": "2026-04-10T02:00:05.333523Z", "deleted_at": null, "main_name": "PLATINUM", "aliases": [ "PLATINUM" ], "source_name": "MITRE:PLATINUM", "tools": [ "JPIN", "Dipsind", "adbupd" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434460, "ts_updated_at": 1775792134, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/6682314cc9c2cc8d301403ec4db6c5d6fc59230e.pdf", "text": "https://archive.orkl.eu/6682314cc9c2cc8d301403ec4db6c5d6fc59230e.txt", "img": "https://archive.orkl.eu/6682314cc9c2cc8d301403ec4db6c5d6fc59230e.jpg" } }