{
	"id": "d2cdeb6d-eadb-404e-98e1-838f103c4cba",
	"created_at": "2026-04-06T00:17:38.906898Z",
	"updated_at": "2026-04-10T03:37:21.543526Z",
	"deleted_at": null,
	"sha1_hash": "c713ae6754abf28715160fc22c2281d711d7783c",
	"title": "Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 500375,
	"plain_text": "Targeted Attack Campaign Against ManageEngine ADSelfService Plus\r\nDelivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer\r\nBy Robert Falcone, Jeff White, Peter Renals\r\nPublished: 2021-11-08 · Archived: 2026-04-05 21:17:22 UTC\r\nExecutive Summary\r\nOn Sept. 16, 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) released an alert warning that advanced\r\npersistent threat (APT) actors were actively exploiting newly identified vulnerabilities in a self-service password\r\nmanagement and single sign-on solution known as ManageEngine ADSelfService Plus. The alert explained that malicious\r\nactors were observed deploying a specific webshell and other techniques to maintain persistence in victim environments;\r\nhowever, in the days that followed, we observed a second unrelated campaign carry out successful attacks against the same\r\nvulnerability.\r\nAs early as Sept. 17 the actor leveraged leased infrastructure in the United States to scan hundreds of vulnerable\r\norganizations across the internet. Subsequently, exploitation attempts began on Sept. 22 and likely continued into early\r\nOctober. During that window, the actor successfully compromised at least nine global entities across the technology,\r\ndefense, healthcare, energy and education industries.\r\nFollowing initial exploitation, a payload was uploaded to the victim network which installed a Godzilla webshell. This\r\nactivity was consistent across all victims; however, we also observed a smaller subset of compromised organizations who\r\nsubsequently received a modified version of a new backdoor called NGLite. The threat actors then used either the webshell\r\nor the NGLite payload to run commands and move laterally to other systems on the network, while they exfiltrated files of\r\ninterest simply by downloading them from the web server. 
Once the actors pivoted to a domain controller, they installed a\r\nnew credential-stealing tool that we track as KdcSponge.\r\nBoth Godzilla and NGLite were developed with Chinese instructions and are publicly available for download on GitHub.\r\nWe believe threat actors deployed these tools in combination as a form of redundancy to maintain access to high-interest\r\nnetworks. Godzilla is a functionality-rich webshell that parses inbound HTTP POST requests, decrypts the data with a secret\r\nkey, executes decrypted content to carry out additional functionality and returns the result via an HTTP response. This allows\r\nattackers to keep code likely to be flagged as malicious off the target system until they are ready to dynamically execute it.\r\nNGLite is characterized by its author as an “anonymous cross-platform remote control program based on blockchain\r\ntechnology.” It leverages New Kind of Network (NKN) infrastructure for its command and control (C2) communications,\r\nwhich theoretically results in anonymity for its users. It's important to note that NKN is a legitimate networking service that\r\nuses blockchain technology to support a decentralized network of peers. The use of NKN as a C2 channel is very\r\nuncommon. We have seen only 13 samples communicating with NKN altogether – nine NGLite samples and four related to\r\na legitimate open-source utility called Surge that uses NKN for file sharing.\r\nFinally, KdcSponge is a novel credential-stealing tool that is deployed against domain controllers.\r\nKdcSponge injects itself into the Local Security Authority Subsystem Service (LSASS) process and will hook specific\r\nfunctions to gather usernames and passwords from accounts attempting to authenticate to the domain via Kerberos. 
The\r\nmalicious code writes stolen credentials to a file but is reliant on other capabilities for exfiltration.\r\nPalo Alto Networks customers are protected against this campaign through the following:\r\nCortex XDR local analysis blocks the NGLite backdoor.\r\nAll known samples (Dropper, NGLite, KdcSponge) are classified as malware in WildFire.\r\nCortex Xpanse can accurately identify Zoho ManageEngine ADSelfServicePlus, ManageEngine Desktop Central or\r\nManageEngine ServiceDeskPlus Servers across customer networks.\r\nInitial Access\r\nBeginning on Sept. 17 and continuing through early October, we observed scanning against ManageEngine ADSelfService\r\nPlus servers. Through global telemetry, we believe that the actor targeted at least 370 Zoho ManageEngine servers in the\r\nUnited States alone. Given the scale, we assess that these scans were largely indiscriminate in nature as targets ranged from\r\neducation to Department of Defense entities.\r\nUpon obtaining scan results, the threat actor transitioned to exploitation attempts on Sept. 22. These attempts focused on\r\nCVE-2021-40539, which allows for REST API authentication bypass with resultant remote code execution in vulnerable\r\ndevices. To achieve this result, the actors delivered uniquely crafted POST statements to the REST API LicenseMgr.\r\nWhile we lack insight into the totality of organizations that were exploited during this campaign, we believe that, globally, at\r\nleast nine entities across the technology, defense, healthcare, energy and education industries were compromised. Following\r\nhttps://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/\r\nPage 1 of 12\n\nsuccessful exploitation, the actor uploaded a payload which deployed a Godzilla webshell, thereby enabling additional\r\naccess to a victim network. 
Leased IP addresses in the United States were observed interacting with\r\ncompromised servers.\r\nFollowing the deployment of the webshell, which appears consistent across all victims, we also identified the use of\r\nadditional tools deployed in a subset of compromised networks. Specifically, the actors deployed a custom variant of an\r\nopen-source backdoor called NGLite and a credential-harvesting tool we track as KdcSponge. The following sections\r\nprovide detailed analysis of these tools.\r\nMalware\r\nAt the time of exploitation, two different executables were saved to the compromised server: ME_ADManager.exe and\r\nME_ADAudit.exe. The ME_ADManager.exe file acts as a dropper Trojan that not only saves a Godzilla webshell to the\r\nsystem, but also installs and runs the other executable saved to the system, specifically ME_ADAudit.exe. The\r\nME_ADAudit.exe executable is based on NGLite, which the threat actors use as their payload to run commands on the\r\nsystem.\r\nME_ADManager.exe Dropper\r\nAfter initial exploitation, the dropper is saved to the following path:\r\nc:\\Users\\[username]\\AppData\\Roaming\\ADManager\\ME_ADManager.exe\r\nAnalysis of this file revealed that the author of this payload did not remove debug symbols when building the sample. 
Thus,\r\nthe following debug path exists within the sample and suggests the username pwn was used to create this payload:\r\nc:\\Users\\pwn\\documents\\visual studio 2015\\Projects\\payloaddll\\Release\\cmd.pdb\r\nUpon execution, the sample starts off by creating the following generic mutex found in many code examples freely available\r\non the internet, which is meant to avoid running more than one instance of the dropper:\r\ncplusplus_me\r\nThe dropper then attempts to write a hardcoded Godzilla webshell, which we will provide a detailed analysis of later in this\r\nreport, to the following locations:\r\n../webapps/adssp/help/admin-guide/reports.jsp\r\nc:/ManageEngine/ADSelfService Plus/webapps/adssp/help/admin-guide/reports.jsp\r\n../webapps/adssp/selfservice/assets/fonts/lato/lato-regular.jsp\r\nc:/ManageEngine/ADSelfService Plus/webapps/adssp/selfservice/assets/fonts/lato/lato-regular.jsp\r\nThe dropper then creates the folder %APPDATA%\\ADManager and copies itself to\r\n%APPDATA%\\ADManager\\ME_ADManager.exe before creating the following registry keys to persistently run after\r\nreboot:\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Run\\ME_ADManager.exe :\r\n%APPDATA%\\ADManager\\ME_ADManager.exe\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Run\\ME_ADAudit.exe : %SYSTEM32%\\ME_ADAudit.exe\r\nThe dropper then copies ADAudit.exe from the current directory to the following path and runs the file with WinExec:\r\n%SYSTEM32%\\ME_ADAudit.exe\r\nThe dropper does not write the ME_ADAudit.exe file to disk, meaning the threat actor must upload this file to the server\r\nprior to the execution of the dropper, likely as part of the initial exploitation of the CVE-2021-40539 vulnerability. 
During\r\nour analysis of multiple incidents, we found that the ME_ADAudit.exe sample maintained a consistent SHA256 hash of\r\n805b92787ca7833eef5e61e2df1310e4b6544955e812e60b5f834f904623fd9f, therefore suggesting that the actor deployed the\r\nsame customized version of the NGLite backdoor against multiple targets.\r\nGodzilla Webshell\r\nAs mentioned previously, the initial dropper contains a Java Server Page (JSP) webshell hardcoded within it. Upon analysis\r\nof the webshell, it was determined to be the Chinese-language Godzilla webshell V3.00+. The Godzilla webshell was\r\ndeveloped by user BeichenDream, who stated they created this webshell because the ones available at the time would\r\nfrequently be detected by security products during red team engagements. As such, the author advertises it will avoid\r\ndetection by leveraging AES encryption for its network traffic and that it maintains a very low static detection rate across\r\nsecurity vendor products.\r\nFigure 1. Detections on VirusTotal for Godzilla webshells.\r\nIt’s no surprise that the Godzilla webshell has been adopted by regional threat groups during their intrusions, as it offers\r\nmore functionality and network evasion than other webshells used by the same groups, such as ChinaChopper.\r\nThe JSP webshell itself is fairly straightforward in terms of functionality and maintains a lightweight footprint. Its primary\r\nfunction is to parse an HTTP POST, decrypt the content with the secret key and then execute the payload. This allows\r\nattackers to keep code likely to be flagged as malicious off the target system until they are ready to dynamically execute it.\r\nThe below image shows the initial part of the default JSP webshell as well as the decrypt function.\r\nFigure 2. 
Header of a default Godzilla JSP webshell.\r\nOf note are the variables xc and pass in the first and second lines of the code shown in Figure 2. These are the main\r\ncomponents that change each time an operator generates a new webshell, and the variables represent the secret key used for\r\nAES decryption within that webshell.\r\nWhen you generate the webshell manually, you specify a plaintext pass and key. By default, these are pass and key.\r\nFigure 3. Godzilla default webshell values.\r\nTo figure out how these are presented in the webshell itself, we can take a look at the Godzilla JAR file.\r\nBelow, you can see the code substitutes the strings in one of the embedded webshell templates under the\r\n/shells/cryptions/JavaAES/GenerateShellLoder function.\r\nFigure 4. GenerateShellLoder function in Generate.class file.\r\nThus we know the xc variable in the webshell will be the AES secret key, as indicated in the template.\r\nString xc=\"{secretKey}\"; String pass=\"{pass}\"; String md5=md5(pass+xc);\r\nWe observed that the xc value appears to be a hash, and under the /core/shell/ShellEntity.class file, we can see the code takes\r\nthe first 16 characters of the MD5 hash for a plaintext secret key.\r\npublic String getSecretKeyX()\r\n{\r\nreturn functions.md5(getSecretKey()).substring(0, 16);\r\n}\r\nWith that, we know then that the xc value of 3c6e0b8a9c15224a is the first 16 characters of the MD5 hash for the word key.\r\nGiven this, the xc and pass variables are the two primary fields that can be used for tracking and attempting to map activity\r\nacross incidents. 
For the purpose of this blog, we generated a Godzilla webshell with the default options for analysis;\r\nhowever, the only differences between the default one and the ones observed in attacks are different xc and pass values.\r\nOne important characteristic of this webshell is that the author touts the lack of static detection and has tried to make this file\r\nnot stand out through avoiding keywords or common structures that might be recognized by security product signatures. One\r\nparticularly interesting static evasion technique is the use of a Java ternary conditional operator to indicate decryption.\r\nThe conditional here is m?1:2 – m is a boolean value passed to this function, as shown previously in Figure 2. If m is True,\r\nthen the first expression constant (1) is used. Otherwise, the second (2) is passed. Referring to the Java documentation, 1 is\r\nENCRYPT_MODE, whereas 2 is DECRYPT_MODE.\r\nFigure 5. JavaX crypto constants meaning.\r\nWhen the webshell executes this function x, it does not set the value of m, thus forcing m to False and setting it to decrypt.\r\nresponse.getWriter().write(base64Encode(x(base64Decode(f.toString()), true)));\r\nTo understand the capabilities of Godzilla then, we can take a look in /shells/payloads/java/JavaShell.class. This class file\r\ncontains all of the functions provided to the operator. Below is an example of the getFile function.\r\nFigure 6. 
getFile function payload for Godzilla.\r\nPayload functions:\r\ngetFile\r\ndownloadFile\r\ngetBasicsInfo\r\nuploadFile\r\ncopyFile\r\ndeleteFile\r\nnewFile\r\nnewDir\r\ncurrentDir\r\ncurrentUserName\r\nbigFileUpload\r\nbigFileDownload\r\ngetFileSize\r\nexecCommand\r\ngetOsInfo\r\nmoveFile\r\ngetPayload\r\nfileRemoteDown\r\nsetFileAttr\r\nAs evidenced by the names of the functions, the Godzilla webshell offers numerous payloads for navigating remote systems,\r\ntransferring data to and from, remote command execution and enumeration.\r\nThese payloads will be encrypted with the secret key previously described, and the operating software will send an HTTP\r\nPOST to the compromised system containing the data.\r\nAdditionally, if we examine the core/ui/component/dialog/ShellSetting.class file (shown below), the initAddShellValue()\r\nfunction contains the default configuration settings for remote network access. Therefore, elements such as static HTTP\r\nheaders and User-Agent strings can be identified in order to aid forensic efforts searching web access logs for potential\r\ncompromise.\r\nprivate void initAddShellValue() {\r\nthis.shellContext = new ShellEntity();\r\nthis.urlTextField.setText(\"http://127.0.0.1/shell.jsp\");\r\nthis.passwordTextField.setText(\"pass\");\r\nthis.secretKeyTextField.setText(\"key\");\r\nthis.proxyHostTextField.setText(\"127.0.0.1\");\r\nthis.proxyPortTextField.setText(\"8888\");\r\nthis.connTimeOutTextField.setText(\"60000\");\r\nthis.readTimeOutTextField.setText(\"60000\");\r\nthis.remarkTextField.setText(\"??\");\r\nthis.headersTextArea.setText(\"User-Agent: Mozilla/5.0 (Windows NT\r\n10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0\\nAccept:\r\ntext/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\\nAccept-Language:\r\nzh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\\n\");\r\nthis.leftTextArea.setText(\"\");\r\nthis.rightTextArea.setText(\"\");\r\n}\r\nTo illustrate, below is a snippet of the 
web server access logs that show the initial exploit using the Curl application and\r\nsending the custom URL payload to trigger the CVE-2021-40539 vulnerability. It then shows the subsequent access of the\r\nGodzilla webshell, which has been placed into the hardcoded paths by the initial dropper. By reviewing the User-Agent, we\r\ncan determine that the time from exploit to initial webshell access took just over four minutes for the threat actor.\r\n- /./RestAPI/LicenseMgr \"-\" X.X.X.X Y.Y.Y.Y POST [00:00:00] - - 200 \"curl/7.68.0\"\r\n- /help/admin-guide/reports.jsp \"-\" X.X.X.X Y.Y.Y.Y POST [+00:04:07] - - 200 \"Mozilla/5.0 (Windows NT 10.0; Win64;\r\nx64; rv:84.0) Gecko/20100101 Firefox/84.0\"\r\nCustom NGLite\r\nNGLite is an open-source backdoor written in the Go language (specifically Go version 1.13). It is available for download\r\nfrom a public GitHub repository. NGLite is a backdoor Trojan that is only capable of running commands received through\r\nits C2 channel. While the capabilities are standard for a backdoor, NGLite uses a novel C2 channel that leverages a\r\ndecentralized network based on the legitimate NKN to communicate between the backdoor and the actors.\r\nThe NKN touts that their decentralized network uses a public blockchain and can support communication between millions\r\nof peers, each of which is identified by a unique NKN address instead of the typical network identifiers, such as IP\r\naddresses. Therefore, the immediate IP address that the NGLite tool communicates with in its C2 channel is just a peer in the\r\ndecentralized network and is unlikely to represent the threat actor’s network location. This design makes detection and\r\nprevention of the NGLite C2 communication channel difficult.\r\nFortunately, the use of NKN as a C2 channel is very uncommon. 
We have seen only 13 samples communicating with NKN\r\naltogether – nine NGLite samples and four related to an open-source utility called Surge that uses NKN for file sharing.\r\nEight of the nine known NGLite samples were scanned by VirusTotal. Four were undetected, three were detected by one\r\nantivirus and the remaining sample was detected by five. This low detection rate suggests that NGLite had very little\r\nantivirus coverage during this attack campaign.\r\nAs mentioned in the previous section, the dropper creates registry keys and executes a custom variant of the NGLite\r\nbackdoor (SHA256: 805b92787ca7833eef5e61e2df1310e4b6544955e812e60b5f834f904623fd9f) saved at the following\r\npath:\r\nC:\\Windows\\system32\\ME_ADAudit.exe\r\nThe data structures within the Go-based backdoor contain the following path, which is used to store the main source code\r\nfor this custom variant of NGLite on the developers’ system:\r\n/mnt/hgfs/CrossC2-2.2/src/ng.com/lprey/main.go\r\nBased on this path, one might surmise that the actor used CrossC2 to build a cross platform Cobalt Strike C2 payload;\r\nhowever, we have no reason to believe that this payload is actually based on CrossC2, as the payload is a customized version\r\nof the publicly available NGLite backdoor.\r\nIt is possible that the threat actors included the CrossC2 string in the path as a misdirection, hoping to confuse threat analysts\r\ninto thinking they are delivering a Cobalt Strike payload. We have seen the following NGLite samples using this same\r\nsource code path dating back to Aug. 11, which suggests that this threat actor has been using this tool for several months:\r\n3da8d1bfb8192f43cf5d9247035aa4445381d2d26bed981662e3db34824c71fd\r\n5b8c307c424e777972c0fa1322844d4d04e9eb200fe9532644888c4b6386d755\r\n3f868ac52916ebb6f6186ac20b20903f63bc8e9c460e2418f2b032a207d8f21d\r\nThe custom NGLite sample used in this campaign checks the command line arguments for g or group value. 
If this switch is\r\nnot present, the payload will use the default string\r\n7aa7ad1bfa9da581a7a04489896279517eef9357b81e406e3aee1a66101fe824 in what NGLite refers to as its seed identifier.\r\nThe payload will create what it refers to as a prey id, which is generated by concatenating the MAC address of the system\r\nnetwork interface card (NIC) and IPv4 address, with a hyphen (-) separating the two. This prey identifier will be used in the\r\nC2 communications.\r\nThe NGLite payload will use the NKN decentralized network for C2 communications. See the NKN client configuration in\r\nthe sample below:\r\nFigure 7. Embedded NKN client configuration.\r\nThe sample first starts by reaching out to seed.nkn[.]org over TCP/30003, specifically with an HTTP POST request that is\r\nstructured as follows:\r\nFigure 8. Initial NKN HTTP POST.\r\nIt also will send HTTP POST requests with\r\nmonitor_03\r\nas the prey id, as seen in the following:\r\nFigure 9. HTTP Post containing “prey id.”\r\nThe seed.nkn[.]org server responds to this request with the [prey id (MAC-IPv4)] within the JSON structured as follows:\r\n{\"id\":\"nkn-sdk-go\",\"jsonrpc\":\"2.0\",\"result\":\r\n{\"addr\":\"66.115.12.89:30002\",\"id\":\"223b4f7f4588af02badaa6a83e402b33dea0ba8908e4cd6008f84c2b98a6a7de\",\"pubkey\":\"38ce48a2a3cffded7c2031514\r\nThis suggests the payload will communicate with the peer at 66.115.12.89 over TCP/30003. 
The seed.nkn[.]org server then\r\nresponds to the monitor_03 request with the following, which suggests the payload will communicate with 54.204.73.156\r\nover TCP/30003:\r\n{\"id\":\"nkn-sdk-go\",\"jsonrpc\":\"2.0\",\"result\":\r\n{\"addr\":\"54.204.73.156:30002\",\"id\":\"517cb8112456e5d378b0de076e85e80afee3c483d18c30187730d15f18392ef9\",\"pubkey\":\"99bb5d3b9b609a31c75fde\r\nAfter obtaining the response from seed.nkn[.]org, the payload will issue an HTTP GET request to the IP address and TCP\r\nport provided in the addr field within the JSON. These HTTP requests will appear as follows, but keep in mind that these\r\nsystems are not actor-controlled; rather, they are just the first peer in a chain of peers that will eventually return the actor’s\r\ncontent:\r\nFigure 10. NKN peering.\r\nEventually, the network communications between the custom NGLite client and server are encrypted using AES with the\r\nfollowing key:\r\nWHATswrongwithUu\r\nThe custom NGLite sample will start by sending the C2 an initial beacon that contains the result of the whoami command\r\nwith the string #windows concatenated, as seen in the following:\r\n[username]#windows\r\nAfter sending the initial beacon, the NGLite sample will run a sub-function called Preylistener that creates a server that\r\nlistens for inbound requests. The sample will also listen for inbound communications and will attempt to decrypt them using\r\na default AES key of 1234567890987654. It will run the decrypted contents as a command via the Go method\r\nos/exec.Command. The results are then encrypted using the same AES key and sent back to the requester.\r\nPost-exploitation Activity\r\nUpon compromising a network, the threat actor moved quickly from their initial foothold to gain access to other systems on\r\nthe target networks by running commands via their NGLite payload and the Godzilla webshell. 
After gaining access to the\r\ninitial server, the actors focused their efforts on gathering and exfiltrating sensitive information from local domain\r\ncontrollers, such as the Active Directory database file (ntds.dit) and the SYSTEM hive from the registry. Shortly after, we\r\nobserved the threat actors installing the KdcSponge credential stealer, which we will discuss in detail next. Ultimately, the\r\nactor was interested in stealing credentials, maintaining access and gathering sensitive files from victim networks for\r\nexfiltration.\r\nCredential Harvesting and KdcSponge\r\nDuring analysis, Unit 42 found logs that suggest the threat actors used PwDump and the built-in comsvcs.dll to create a mini\r\ndump of the lsass.exe process for credential theft; however, when the actor wished to steal credentials from a domain\r\ncontroller, they installed their custom tool that we track as KdcSponge.\r\nThe purpose of KdcSponge is to hook API functions from within the LSASS process to steal credentials from inbound\r\nattempts to authenticate via the Kerberos service (“KDC Service”). KdcSponge will capture the domain name, username and\r\npassword to a file on the system that the threat actor would then exfiltrate manually through existing access to the server.\r\nWe know of two KdcSponge samples, both of which were named user64.dll. They had the following SHA256 hashes:\r\n3c90df0e02cc9b1cf1a86f9d7e6f777366c5748bd3cf4070b49460b48b4d4090\r\nb4162f039172dcb85ca4b85c99dd77beb70743ffd2e6f9e0ba78531945577665\r\nTo launch the KdcSponge credential stealer, the threat actor will run the following command to load and execute the\r\nmalicious module:\r\nregsvr32 /s user64.dll\r\nUpon first execution, the regsvr32 application runs the DllRegisterServer function exported by user64.dll. The\r\nDllRegisterServer function resolves the SetSfcFileException function within sfc_os.dll and attempts to disable Windows\r\nFile Protection (WFP) on the c:\\windows\\system32\\kdcsvc.dll file. 
It then attempts to inject itself into the running lsass.exe\r\nprocess by:\r\n1. Opening the lsass.exe process using OpenProcess.\r\n2. Allocating memory in the remote process using VirtualAllocEx.\r\n3. Writing the string user64.dll to the allocated memory using WriteProcessMemory.\r\n4. Calling LoadLibraryA within the lsass.exe process with user64.dll as the argument, using RtlCreateUserThread.\r\nNow that user64.dll is running within the lsass.exe process, it will start by creating the following registry key to establish\r\npersistence through system reboots:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\KDC Service : regsvr32 /s\r\nuser64.dll\r\nFrom there, the sample will check to make sure the system is running a Kerberos service by attempting to obtain a handle to\r\none of the following modules:\r\nkdcsvc.dll\r\nkdccli.dll\r\nKdcsvs.dll\r\nKdcSponge tries to locate three undocumented API functions – specifically KdcVerifyEncryptedTimeStamp,\r\nKerbHashPasswordEx3 and KerbFreeKey – using the following three methods:\r\n1. Identifies the version of the Kerberos module and uses hardcoded offsets to the API functions to hook.\r\n2. Reaches out to Microsoft’s symbol server to find the offset to the API functions within the Kerberos module and confirms\r\nthe correct functions by comparing them to hardcoded byte sequences.\r\n3. Searches the Kerberos module for hardcoded byte sequences.\r\nThe primary method by which KdcSponge locates the API functions to hook is to determine the version of the\r\nKerberos module from the TimeDateStamp value within the IMAGE_FILE_HEADER section of the portable executable\r\n(PE) file. Once the version of the Kerberos module is determined, KdcSponge has hardcoded offsets that it will use to hook\r\nthe appropriate functions within that version of the module. 
KdcSponge looks for the following TimeDateStamp values:\r\n2005-12-14 01:24:41\r\n2049-10-09 00:46:34\r\n2021-04-08 07:30:26\r\n2021-03-04 04:59:27\r\n2020-03-13 03:20:15\r\n2020-02-19 07:55:57\r\n2019-12-19 04:15:06\r\n2019-07-09 03:15:04\r\n2019-05-31 06:02:30\r\n2018-10-10 07:46:08\r\n2018-02-12 21:47:29\r\n2017-03-04 06:27:32\r\n2016-10-15 03:52:20\r\n2020-11-26 03:04:23\r\n2020-06-05 16:15:22\r\n2017-10-14 07:22:03\r\n2017-03-30 19:53:59\r\n2013-09-04 05:49:27\r\n2012-07-26 00:01:13\r\nIf KdcSponge was unable to determine the version of the Kerberos module and the domain controller is running Windows\r\nServer 2016 or Server 2019 (major version 10), the payload will reach out to Microsoft's symbol server\r\n(msdl.microsoft.com) in an attempt to find the location of several undocumented API functions. The sample will issue an\r\nHTTPS GET request to a URL structured as follows, with the GUID portion of the URL being the GUID value from the\r\nRSDS structure in the IMAGE_DEBUG_TYPE_CODEVIEW section of the PE:\r\n/download/symbols/[library name].pdb/[GUID]/[library name].pdb\r\nThe sample will save the results to a file in the following location, again with the GUID for the filename being the GUID\r\nvalue from the RSDS structure in the IMAGE_DEBUG_TYPE_CODEVIEW section:\r\nALLUSERPROFILE\\Microsoft\\Windows\\Caches\\[GUID].db:\r\nAs mentioned above, we believe the reason the code reaches out to the symbol server is to find the locations of three\r\nundocumented Kerberos-related functions: KdcVerifyEncryptedTimeStamp, KerbHashPasswordEx3 and KerbFreeKey. 
The\r\nsample is primarily looking for these functions in the following libraries:\r\nkdcsvc.KdcVerifyEncryptedTimeStamp\r\nkdcsvc.KerbHashPasswordEx3\r\nkdcpw.KerbHashPasswordEx3\r\nkdcsvc.KerbFreeKey\r\nkdcpw.KerbFreeKey\r\nIf these functions are found, the sample searches for specific byte sequences, as seen in Table 1, to confirm the functions are\r\ncorrect and to validate they have not been modified.\r\nFunction | Hex bytes\r\nkdcsvc.KdcVerifyEncryptedTimeStamp | 48 89 5c 24 20 55 56 57 41 54 41 55 41 56 41 57 48 8d 6c 24 f0 48 81 ec 10 01 00 00 48 8b 05 a5\r\nkdcsvc.KerbHashPasswordEx3 | 48 89 5c 24 08 48 89 74 24 10 48 89 7c 24 18 55 41 56 41 57 48 8b ec 48 83 ec 50 48 8b da 48 8b\r\nkdcpw.KerbHashPasswordEx3 | 48 89 5c 24 08 48 89 74 24 10 48 89 7c 24 18 55 41 56 41 57 48 8b ec 48 83 ec 50 48 8b da 48 8b\r\nkdcpw.KerbFreeKey | 48 89 5c 24 08 57 48 83 ec 20 48 8b d9 33 c0 8b 49 10 48 8b 7b 18 f3 aa 48 8b 4b 18 ff 15 72 19\r\nkdcsvc.KerbFreeKey | 48 89 5c 24 08 57 48 83 ec 20 48 8b 79 18 48 8b d9 48 85 ff 0f 85 00 c5 01 00 33 c0 48 89 03 48\r\nTable 1. Undocumented functions and byte sequences used by KdcSponge to confirm the correct functions for Windows major version 10.\r\nIf the domain controller is running Windows Server 2008 or Server 2012 (major version 6), KdcSponge does not reach out\r\nto the symbol server and instead will search the entire kdcsvc.dll module for the byte sequences listed in Table 2 to find the\r\nAPI functions.\r\nFunction | Hex bytes\r\nkdcsvc.KdcVerifyEncryptedTimeStamp | 48 89 5C 24 20 55 56 57 41 54 41 55 41 56 41 57 48 8D 6C 24 F9 48 81 EC C0 00 00 00 48 8B\r\nkdcsvc.KerbHashPasswordEx3 | 48 89 5C 24 08 48 89 74 24 10 48 89 7C 24 18 55 41 56 41 57 48 8B EC 48 83 EC 40 48 8B F1\r\nkdcsvc.KerbFreeKey | 40 53 48 83 EC 20 48 8B D9 48 8B 49 10 48 85 C9 0F 85 B4 B9 01 00 33 C0 48 89 03 48 89 43\r\nTable 2. 
Undocumented functions and byte sequences used by KdcSponge to locate the sought-after functions.\r\nOnce the KdcVerifyEncryptedTimeStamp, KerbHashPasswordEx3 and KerbFreeKey functions are found, the sample will\r\nattempt to hook these functions to monitor all calls to them with the intention of stealing credentials. When a request to\r\nauthenticate to the domain controller comes in, these functions in the Kerberos service (KDC service) are called, and the\r\nsample will capture the inbound credentials. The credentials are then written to disk at the following location:\r\n%ALLUSERPROFILE%\\Microsoft\\Windows\\Caches\\system.dat\r\nThe stolen credentials are encrypted with a single-byte XOR algorithm using 0x55 as the key and written to the system.dat\r\nfile one per line in the following structure:\r\n[\u003ctimestamp\u003e]\u003cdomain\u003e\u003cusername\u003e \u003ccleartext password\u003e\r\nAttribution\r\nWhile attribution is still ongoing and we have been unable to validate the actor behind the campaign, we did observe some\r\ncorrelations between the tactics and tooling used in the cases we analyzed and Threat Group 3390 (TG-3390, Emissary\r\nPanda, APT27).\r\nSpecifically, as documented by SecureWorks in an article on a previous TG-3390 operation, we can see that TG-3390\r\nsimilarly used web exploitation and another popular Chinese webshell called ChinaChopper for their initial footholds before\r\nleveraging legitimate stolen credentials for lateral movement and attacks on a domain controller. While the webshells and\r\nexploits differ, once the actors achieved access into the environment, we noted an overlap in some of their exfiltration\r\ntooling.\r\nSecureWorks stated the actors were using WinRar masquerading as a different application to split data into RAR archives\r\nwithin the Recycler directory. 
They provided the following snippet from a Batch file deployed to do this work:\r\n@echo off\r\nc:\\windows\\temp\\svchost.exe a -k -r -s -m5 -v1024000 -padmin-windows2014 “e:\\recycler\\REDACTED.rar”\r\n“e:\\ProgramData\\REDACTED\\”\r\nExit\r\nFrom our analysis of recent attacks on ManageEngine ADSelfService Plus, we observed the same technique – with the same\r\norder and placement of the parameters passed to a renamed WinRar application.\r\n@echo off\r\ndir %~dp0\u003e\u003e%~dp0\\log.txt\r\n%~dp0\\vmtools.exe a -k -r -s -m5 -v4096000 -pREDACTED \"e:\\$RECYCLE.BIN\\REDACTED.rar\"\r\n\"E:\\Programs\\REDACTED\\REDACTED\"\r\nOnce the files had been staged, in both cases they were then made accessible on externally facing web servers. The threat\r\nactors would then download them through direct HTTP GET requests.\r\nConclusion\r\nhttps://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/\r\nPage 10 of 12\n\nIn September 2021, Unit 42 observed an attack campaign in which the actors gained initial access to targeted organizations\r\nby exploiting a recently patched vulnerability in Zoho’s ManageEngine product, ADSelfService Plus, tracked in CVE-2021-\r\n40539. At least nine entities across the technology, defense, healthcare, energy and education industries were compromised\r\nin this attack campaign.\r\nAfter exploitation, the threat actor quickly moved laterally through the network and deployed several tools to run commands\r\nin order to carry out their post-exploitation activities. The actor heavily relies on the Godzilla webshell, uploading several\r\nvariations of the open-source webshell to the compromised server over the course of the operation. Several other tools have\r\nnovel characteristics or have not been publicly discussed as being used in previous attacks, specifically the NGLite backdoor\r\nand the KdcSponge stealer. 
For instance, the NGLite backdoor uses a novel C2 channel involving the decentralized network\r\nknown as the NKN, while the KdcSponge stealer hooks undocumented functions to harvest credentials from inbound\r\nKerberos authentication attempts to the domain controller.\r\nUnit 42 believes that the actor’s primary goal involved gaining persistent access to the network and the gathering and\r\nexfiltration of sensitive documents from the compromised organization. The threat actor gathered sensitive files to a staging\r\ndirectory and created password-protected multi-volume RAR archives in the Recycler folder. The actor exfiltrated the files\r\nby directly downloading the individual RAR archives from externally facing web servers.\r\nThe following coverages across the Palo Alto Networks platform pertain to this incident:\r\nThreat Prevention signature ZOHO corp ManageEngine Improper Authentication Vulnerability was released on Sept.\r\n20 as threat ID 91676.\r\nNGLite backdoor is blocked by Cortex XDR’s local analysis.\r\nAll known samples (Dropper, NGLite, KdcSponge) are classified as malware in WildFire.\r\nCortex Xpanse can accurately identify Zoho ManageEngine ADSelfServicePlus, ManageEngine Desktop Central, or\r\nManageEngine ServiceDeskPlus Servers across customer networks.\r\nIf you think you may have been impacted, please email unit42-investigations@paloaltonetworks.com or call (866) 486-4842\r\n– (866) 4-UNIT42 – for U.S. toll free, (31-20) 299-3130 in EMEA or (65) 6983-8730 in JAPAC. The Unit 42 Incident\r\nResponse team is available 24/7/365.\r\nSpecial thanks to Unit 42 Consulting Services and the NSA Cybersecurity Collaboration Center for their partnership,\r\ncollaboration and insights offered in support of this research.\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our fellow Cyber\r\nThreat Alliance members. 
CTA members use this intelligence to rapidly deploy protections to their customers and to\r\nsystematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nDropper SHA256\r\nb2a29d99a1657140f4e254221d8666a736160ce960d06557778318e0d1b7423b\r\n5fcc9f3b514b853e8e9077ed4940538aba7b3044edbba28ca92ed37199292058\r\nNGLite SHA256\r\n805b92787ca7833eef5e61e2df1310e4b6544955e812e60b5f834f904623fd9f\r\n3da8d1bfb8192f43cf5d9247035aa4445381d2d26bed981662e3db34824c71fd\r\n5b8c307c424e777972c0fa1322844d4d04e9eb200fe9532644888c4b6386d755\r\n3f868ac52916ebb6f6186ac20b20903f63bc8e9c460e2418f2b032a207d8f21d\r\nGodzilla Webshell SHA256\r\na44a5e8e65266611d5845d88b43c9e4a9d84fe074fd18f48b50fb837fa6e429d\r\nce310ab611895db1767877bd1f635ee3c4350d6e17ea28f8d100313f62b87382\r\n75574959bbdad4b4ac7b16906cd8f1fd855d2a7df8e63905ab18540e2d6f1600\r\n5475aec3b9837b514367c89d8362a9d524bfa02e75b85b401025588839a40bcb\r\nKdcSponge SHA256\r\n3c90df0e02cc9b1cf1a86f9d7e6f777366c5748bd3cf4070b49460b48b4d4090\r\nb4162f039172dcb85ca4b85c99dd77beb70743ffd2e6f9e0ba78531945577665\r\nThreat Actor IP Addresses\r\n24.64.36[.]238\r\n45.63.62[.]109\r\nhttps://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/\r\nPage 11 of 12\n\n45.76.173[.]103\r\n45.77.121[.]232\r\n66.42.98[.]156\r\n140.82.17[.]161\r\n149.28.93[.]184\r\n149.248.11[.]205\r\n199.188.59[.]192\r\nRegistry Keys\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Run\\ME_ADManager.exe\r\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Run\\ME_ADAudit.exe\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\KDC Service\r\nSource: https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/\r\nhttps://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/\r\nPage 12 of 12",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/"
	],
	"report_names": [
		"manageengine-godzilla-nglite-kdcsponge"
	],
	"threat_actors": [
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434658,
	"ts_updated_at": 1775792241,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c713ae6754abf28715160fc22c2281d711d7783c.pdf",
		"text": "https://archive.orkl.eu/c713ae6754abf28715160fc22c2281d711d7783c.txt",
		"img": "https://archive.orkl.eu/c713ae6754abf28715160fc22c2281d711d7783c.jpg"
	}
}