{
	"id": "d4e1c092-a263-41b1-86f0-c4f8555f8346",
	"created_at": "2026-04-06T00:12:27.441587Z",
	"updated_at": "2026-04-10T03:24:24.029385Z",
	"deleted_at": null,
	"sha1_hash": "caa8e8cd48b15601201bea12fa235d83961301b6",
	"title": "Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1357591,
	"plain_text": "Attackers Exploiting WebLogic Servers via CVE-2020-14882 to install Cobalt Strike\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 12:44:31 UTC\r\nStarting late last week, we observed a large number of scans against our WebLogic honeypots to detect if they are vulnerable to CVE-2020-14882. CVE-2020-14882 was patched about two weeks ago as part of Oracle's quarterly critical patch update. In addition to scans simply enumerating vulnerable servers, we saw a small number of scans starting on Friday (Oct. 30th) attempting to install crypto-mining tools [1].\r\nOn Friday, Oracle amended its patch for CVE-2020-14882 [2]. A new variation of the vulnerability (CVE-2020-14750) can be used to exploit WebLogic servers with a trivial modification of the exploit code.\r\nLast Saturday we started seeing a campaign using a chain of obfuscated PowerShell scripts to download a Cobalt Strike payload. According to the Cisco Talos Q4 2020 CTIR report, 66% of all ransomware attacks this quarter involved the use of Cobalt Strike [3]. Thus, as expected, there is a high probability that ransomware gangs have included the CVE-2020-14882 exploit in their arsenal.\r\nThe attack, as seen in Figure 1, exploits the vulnerability to execute a base64-encoded PowerShell payload.\r\nFigure 1 - Payload delivery\r\nDecoding the base64 content, we find the following code. As seen, there is another encoding layer using base64 and gzip compression. I usually make some adjustments to the original malicious script to make it save the decoded content to a file. So, replacing “IEX” with “$content =” and appending “$content |out-file -filepath decoded_script.ps1” to the script is enough to accomplish this result in this case.\r\nhttps://isc.sans.edu/diary/26752\r\nPage 1 of 3\r\nFigure 2 - First stage decoding\r\nPart of the resulting code is shown in Figure 3. Notice that there is another layer of protected code. There is a loop decrypting each byte of the code using an XOR function with the byte 0x35.\r\nFigure 3 - Second stage decoding\r\nThe result of this operation is shellcode that downloads and executes a Cobalt Strike payload hosted at http://185[.]205.210.179:4321/Z8qZ.\r\nFigure 4 - Cobalt Strike payload download\r\nSubmitting the binary to VirusTotal, we had the following result:\r\nFigure 5 - Cobalt Strike payload submitted to VirusTotal\r\nRunning the malicious scripts in a controlled environment, it was possible to see connections established from time to time with the C2 at http://185[.]205.210.179/en_US/all.js.\r\nReferences\r\n[1] https://isc.sans.edu/forums/diary/PATCH+NOW+CVE202014882+Weblogic+Actively+Exploited+Against+Honeypots/267\r\n[2] https://www.oracle.com/security-alerts/alert-cve-2020-14750.html#AppendixFMWl\r\n[3] https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html\r\nIOCs:\r\nNetwork:\r\n45[.]134.26.174\r\nhttp://185[.]205.210.179:4321/Z8qZ\r\nhttp://185[.]205.210.179/en_US/all.js\r\nFiles:\r\nZ8qZ:\r\n8ca0251bc340fc207e6f832eb6165b8d (MD5)\r\n8f4654952833b7d7b7db02ca7cb6c2f6cb9c3c545dc51124b0f18588b3c4e1c0 (SHA256)\r\nThe malicious requests are available at https://isc.sans.edu/WebLogicPS.log.zip\r\n--\r\nRenato Marinho\r\nMorphus Labs | LinkedIn | Twitter\r\nSource: https://isc.sans.edu/diary/26752",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/diary/26752"
	],
	"report_names": [
		"26752"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434347,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/caa8e8cd48b15601201bea12fa235d83961301b6.pdf",
		"text": "https://archive.orkl.eu/caa8e8cd48b15601201bea12fa235d83961301b6.txt",
		"img": "https://archive.orkl.eu/caa8e8cd48b15601201bea12fa235d83961301b6.jpg"
	}
}