{ "id": "eb88f0a9-743b-40a1-9296-635d02644e3f", "created_at": "2026-04-06T00:15:28.454914Z", "updated_at": "2026-04-10T03:37:55.907138Z", "deleted_at": null, "sha1_hash": "83a1166c7d61e0eab1976dc72bba412f21cec71a", "title": "New Core Impact Backdoor Delivered Via VMWare Vulnerability", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1870032, "plain_text": "New Core Impact Backdoor Delivered Via VMWare Vulnerability\r\nBy Morphisec Labs\r\nArchived: 2026-04-05 19:59:23 UTC\r\nMorphisec is a world leader in preventing evasive polymorphic threats launched from zero-day exploits. On April 14 and 15,\r\nMorphisec identified exploitation attempts for a week-old VMware Workspace ONE Access (formerly VMware Identity\r\nManager) remote code execution (RCE) vulnerability. BleepingComputer reports similar attempts have been seen in the\r\nwild. Due to indicators of a sophisticated Core Impact backdoor, Morphisec believes advanced persistent threat (APT)\r\ngroups are behind these VMWare identity manager attack events. The tactics, techniques, and procedures used in the attack\r\nare common among groups such as the Iranian linked Rocket Kitten. \r\nVMWare is a $30 billion cloud computing and virtualization platform used by 500,000 organizations worldwide. A\r\nmalicious actor exploiting this RCE vulnerability potentially gains an unlimited attack surface. This means highest\r\nprivileged access into any components of the virtualized host and guest environment. Affected firms face significant security\r\nbreaches, ransom, brand damage, and lawsuits. \r\nThis new vulnerability is a server-side template injection that affects an Apache Tomcat component, and as a result, the\r\nmalicious command is executed on the hosting server. As part of the attack chain, Morphisec has identified and prevented\r\nPowerShell commands executed as child processes to the legitimate Tomcat prunsrv.exe process application. A malicious\r\nactor with network access can use this vulnerability to achieve full remote code execution against VMware’s identity access\r\nmanagement. Workspace ONE Access provides multi-factor authentication, conditional access, and single sign-on to SaaS,\r\nweb, and native mobile apps. \r\nThis attack turned around remarkably fast: \r\nA patch for the initial vulnerability was released on April 6 \r\nOn April 11 a proof of concept for the attack appeared \r\nOn April 13 exploits were identified in the wild\r\nAdversaries can use this attack to deploy ransomware or coin miners, as part of their initial access, lateral movement, or\r\nprivilege escalation. Morphisec research observed attackers already exploiting this vulnerability to launch reverse HTTPS\r\nbackdoors—mainly Cobalt Strike, Metasploit, or Core Impact beacons. With privileged access, these types of attacks may be\r\nable to bypass typical defenses including antivirus (AV) and endpoint detection and response (EDR). \r\nMorphisec Labs has analyzed this new attack in detail below. \r\nMorphisec console attack details\r\nTechnical Analysis\r\nhttps://blog.morphisec.com/vmware-identity-manager-attack-backdoor\r\nPage 1 of 6\n\nFull attack chain\r\nThe attacker gains initial access to an environment by exploiting a VMWare Identity Manager Service vulnerability. The\r\nattacker can then deploy a PowerShell stager that downloads the next stage, which Morphisec Labs identified as the\r\nPowerTrash Loader. Finally, an advanced penetration testing framework—Core Impact—is injected into memory.\r\nVMWare Identity Manager Vulnerabilities\r\nThe Morphisec blog post Log4j Exploit Hits Again: Vulnerable VMWare Horizon Servers at Risk showed how attackers\r\npreviously exploited VMWare’s Horizon Tomcat service. Unfortunately, malice never sleeps. Threat actors are now\r\nexploiting another VMWare component, the VMWare Identity Manager service. \r\nSeveral vulnerabilities have recently been reported for this service: \r\nCVE-2022-\r\n22957\r\nVMware Workspace ONE Access, Identity Manager, and vRealize Automation contain two\r\nremote code execution vulnerabilities (CVE-2022-22957 and CVE-2022-22958). A malicious\r\nactor with administrative access can trigger the deserialization of untrusted data through\r\nmalicious JDBC URI, which may result in remote code execution.\r\nCVE-2022-\r\n22954\r\nVMware Workspace ONE Access, Identity Manager, and vRealize Automation contain two\r\nremote code execution vulnerabilities (CVE-2022-22957 and CVE-2022-22958). A malicious\r\nactor with administrative access can trigger the deserialization of untrusted data through\r\nmalicious JDBC URI, which may result in remote code execution.\r\nCVE-2022-\r\n22954\r\nVMware Workspace ONE Access and Identity Manager contains a remote code execution\r\nvulnerability due to server-side template injection. A malicious actor with network access can\r\ntrigger a server-side template injection that may result in remote code execution.\r\nWhile CVE-2022-22957 and CVE-2022-22958 are RCE vulnerabilities, they require administrative access to the server.\r\nCVE-2022-22954 however, doesn’t, and already has an open-source proof of concept in the wild.\r\nPowershell Stager\r\nThe attacker exploited the service and ran the following PowerShell command:\r\nStager encoded in base64 \r\nWhich translates to:\r\nhttps://blog.morphisec.com/vmware-identity-manager-attack-backdoor\r\nPage 2 of 6\n\nDecoded stager\r\nAs you can see at the end, this is an encoded command where each character is subtracted by one. When doing so we get the\r\nURL from which the next stage is downloaded:\r\nDecoded #2 stager\r\nPowerTrash Loader\r\nThe PowerTrash Loader is a highly obfuscated PowerShell script with approximately 40,000 lines of code.\r\nSnippet from the PowerTrash Loader\r\nThis loader decompresses the deflated payload and reflectively loads it in memory, without leaving forensic evidence on the\r\ndisk. We’ve previously seen the PowerTrash Loader leading to  JSSLoader. \r\nThis time the final payload was different—a Core Impact Agent.\r\nCore Impact Agent\r\nCore Impact is a penetration testing framework developed by Core Security. As with other penetration testing frameworks,\r\nthese aren’t always used with good intentions. TrendMicro reported a modified version of Core Impact was used in the\r\nWoolen-GoldFish campaign tied to the Rocket Kitten APT35 group.\r\nWe can extract the C2 address, client version, and communication encryption key located in an embedded string:\r\nhttps://blog.morphisec.com/vmware-identity-manager-attack-backdoor\r\nPage 3 of 6\n\nC2 Server: 185.117.90[.]187 \r\nClient Version: 7F F7 FF 83 (HEX)\r\n256-Bit Key:\r\ncd19dbaa04ea4b61ace6f8cdfe72dc99a6f807bcda39ceab2fefd1771d44ad288b76bc20eaf9ee26c9a175bb055f0f2eb800ae6010ddd7b509e061651ab5e883d4\r\n(ASCII)\r\nAdditional Threat Relations\r\nA reverse look-up on the Stager server leads to a new web hosting server named ‘Stark Industries’ registered in London.\r\nStager server IP reverse lookup result\r\nThe company was registered on February 2022 and is linked to a certain person.\r\nThere is a dedicated profile page for him on hucksters.net which exposes spammers, fraudsters, and other bad actors.\r\nSuch person is infamous for owning web hosting companies used for malicious and illegal activities. Among them is\r\npq[.]hosting which is easily correlated to stark-industries[.]solutions.\r\nhttps://blog.morphisec.com/vmware-identity-manager-attack-backdoor\r\nPage 4 of 6\n\nCorrelation between the web hosting companies\r\nIndicators of Compromise\r\nMorphisec is currently not releasing the indicators of compromise (IOCs) publicly. To request the IOCs, please email\r\nMorphisec CTO Michael Gorelik.\r\nProtect Yourself Against This VMWare Identity Manager Attack\r\nThe widespread use of VMWare identity access management combined with the unfettered remote access this attack\r\nprovides is a recipe for devastating breaches across industries. Anyone using VMWare’s identity access management should\r\nimmediately apply the patches VMWare has released. Organizations unable to immediately apply the patch(es) should\r\nconsider virtual patching. VMWare customers should also review their VMware architecture to ensure the affected\r\ncomponents are not accidentally published on the internet, which dramatically increases the exploitation risks.\r\nMorphisec customers are protected against these backdoor attacks and others like it. Morphisec’s MTD technology\r\nimplements a virtual patch by creating a dynamic attack surface to prevent the successful deployment of CoreImpact, Cobalt\r\nStrike and Metasploit beacons. These beacons are highly evasive and can bypass the AV, EDR, MDR, and XDR deployed on\r\nendpoints. Morphisec’s MTD technology provides early visibility and prevention of vulnerability exploitation. It enables\r\nquick containment without creating false positive alerts. \r\nFor better risk management, organizations should adopt a preventative approach that proactively stops breaches before they\r\ninfiltrate. Morphisec’s Moving Target Defense technology uses polymorphism against attackers to hide vulnerabilities from\r\nthreat actors while reducing your attack surface. To learn more, read Morphisec’s white paper: Zero Trust + Moving Target\r\nDefense: Stopping Ransomware, Zero-Day, and Other Advanced Threats Where NGAV and EDR Are Failing.\r\nAbout the author\r\nMorphisec Labs\r\nMorphisec Labs continuously researches threats to improve defenses and share insight with the broader cyber community.\r\nThe team engages in ongoing cooperation with leading researchers across the cybersecurity spectrum and is dedicated to\r\nfostering collaboration, data sharing and offering investigative assistance.\r\nhttps://blog.morphisec.com/vmware-identity-manager-attack-backdoor\r\nPage 5 of 6\n\nSource: https://blog.morphisec.com/vmware-identity-manager-attack-backdoor\r\nhttps://blog.morphisec.com/vmware-identity-manager-attack-backdoor\r\nPage 6 of 6", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://blog.morphisec.com/vmware-identity-manager-attack-backdoor" ], "report_names": [ "vmware-identity-manager-attack-backdoor" ], "threat_actors": [ { "id": "d8af157e-741b-4933-bb4a-b78490951d97", "created_at": "2023-01-06T13:46:38.748929Z", "updated_at": "2026-04-10T02:00:03.087356Z", "deleted_at": null, "main_name": "APT35", "aliases": [ "COBALT MIRAGE", "Agent Serpens", "Newscaster Team", "Magic Hound", "G0059", "Phosphorus", "Mint Sandstorm", "TunnelVision" ], "source_name": "MISPGALAXY:APT35", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4", "created_at": "2022-10-25T15:50:23.808974Z", "updated_at": "2026-04-10T02:00:05.291959Z", "deleted_at": null, "main_name": "Magic Hound", "aliases": [ "Magic Hound", "TA453", "COBALT ILLUSION", "Charming Kitten", "ITG18", "Phosphorus", "APT35", "Mint Sandstorm" ], "source_name": "MITRE:Magic Hound", "tools": [ "Impacket", "CharmPower", "FRP", "Mimikatz", "Systeminfo", "ipconfig", "netsh", "PowerLess", "Pupy", "DownPaper", "PsExec" ], "source_id": "MITRE", "reports": null }, { "id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03", "created_at": "2025-08-07T02:03:24.746965Z", "updated_at": "2026-04-10T02:00:03.640335Z", "deleted_at": null, "main_name": "COBALT ILLUSION", "aliases": [ "APT35 ", "APT42 ", "Agent Serpens Palo Alto", "Charming Kitten ", "CharmingCypress ", "Educated Manticore Checkpoint", "ITG18 ", "Magic Hound ", "Mint Sandstorm sub-group ", "NewsBeef ", "Newscaster ", "PHOSPHORUS sub-group ", "TA453 ", "UNC788 ", "Yellow Garuda " ], "source_name": "Secureworks:COBALT ILLUSION", "tools": [ "Browser Exploitation Framework (BeEF)", "MagicHound Toolset", "PupyRAT" ], "source_id": "Secureworks", "reports": null }, { "id": "b0261705-df2e-4156-9839-16314250f88a", "created_at": "2023-01-06T13:46:38.373617Z", "updated_at": "2026-04-10T02:00:02.947842Z", "deleted_at": null, "main_name": "Rocket Kitten", "aliases": [ "Operation Woolen-Goldfish", "Thamar Reservoir", "Timberworm", "TEMP.Beanie", "Operation Woolen Goldfish" ], "source_name": "MISPGALAXY:Rocket Kitten", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e034b94b-9655-42c4-a72e-a58807dce299", "created_at": "2022-10-25T16:07:24.133537Z", "updated_at": "2026-04-10T02:00:04.876832Z", "deleted_at": null, "main_name": "Rocket Kitten", "aliases": [ "Group 83", "NewsBeef", "Newscaster", "Operation Newscaster", "Operation Woolen-GoldFish", "Parastoo", "Rocket Kitten" ], "source_name": "ETDA:Rocket Kitten", "tools": [ "CoreImpact (Modified)", "FireMalv", "Ghole", "Gholee" ], "source_id": "ETDA", "reports": null }, { "id": "8faa11f5-2a14-479c-9ea8-3779e6de9749", "created_at": "2022-10-25T15:50:23.814205Z", "updated_at": "2026-04-10T02:00:05.308465Z", "deleted_at": null, "main_name": "Ajax Security Team", "aliases": [ "Ajax Security Team", "Operation Woolen-Goldfish", "AjaxTM", "Rocket Kitten", "Flying Kitten", "Operation Saffron Rose" ], "source_name": "MITRE:Ajax Security Team", "tools": [ "sqlmap", "Havij" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434528, "ts_updated_at": 1775792275, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/83a1166c7d61e0eab1976dc72bba412f21cec71a.pdf", "text": "https://archive.orkl.eu/83a1166c7d61e0eab1976dc72bba412f21cec71a.txt", "img": "https://archive.orkl.eu/83a1166c7d61e0eab1976dc72bba412f21cec71a.jpg" } }