INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
ATTENTION: This report is based on previous data. New intelligence sources have been linked and the Executive Summary and Mitigations need to be re-synthesized.
Critical Cisco SD-WAN Bug Exploited in Zero-Day Attacks
2026-05-14 16:02 | CRITICAL | HIGH
Executive Summary (AI-generated)
The recent discovery of CVE-2026-20182 in Cisco's SD-WAN systems has sent shockwaves through the cybersecurity community, particularly among nation-state actors. This critical vulnerability allows hackers to exploit an authentication bypass bug that had been previously patched by Rapid7, a leading security firm. The fact that this issue was not discovered until May 14th and had already been exploited overnight raises concerns about the speed at which vulnerabilities can be pushed into production environments. As a result, CISA has issued an emergency directive for all federal agencies to patch the exploit as soon as possible, emphasizing the importance of timely action in preventing potential attacks.
Technical Mitigations (AI-generated)
* Implement a secure patching process: Ensure that all affected Cisco SD-WAN systems receive the latest security patches as soon as possible, ideally within the specified deadline of Sunday.
* Monitor network logs and perform regular vulnerability scans: Regularly review network logs to detect any suspicious activity or potential vulnerabilities. Perform thorough vulnerability scanning on all affected systems to identify and remediate any weaknesses.
* Implement additional security controls: Consider implementing additional security controls such as multi-factor authentication, intrusion detection and prevention systems (IDPS), and secure access control mechanisms to further protect against unauthorized access.
* Conduct a thorough risk assessment and implement mitigation strategies: Conduct a comprehensive risk assessment of the affected network and implement mitigation strategies such as encryption, firewalls, and secure communication protocols to minimize the impact of any potential security breaches.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Cobalt Strike
CVE-2022-20775
CVE-2026-20122
CVE-2026-20182
CVE-2026-20128
CVE-2026-20127
CVE-2026-20133
Target & Sectors
NORTH_AMERICA
FIVE_EYES
technology
Incident Timeline
February 2026
Threat actors exploited a maximum severity Cisco SD-WAN bug in the wild.
March 3, 2026
Threat actors exploited a maximum severity Cisco SD-WAN bug in the wild, targeting Cluster 4 (since at least March 3, 2026).
vulnerability: CVE-2026-20133, CVE-2026-20128, CVE-2026-20122
general_metric: Cluster 4
This cluster has been actively exploiting CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122 since at least March 3, 2026.
March 4, 2026
Threat actors exploited a maximum severity Cisco SD-WAN bug in the wild, targeting Cluster 3 (since at least March 4, 2026).
vulnerability: CVE-2026-20133, CVE-2026-20128, CVE-2026-20122
general_metric: Cluster 3
This cluster has been actively exploiting CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 since at least March 4, 2026.
March 5, 2026
Threat actors exploited a maximum severity Cisco SD-WAN bug in the wild. Since at least March 5, 2026, threat actors exploited a Cisco SD-WAN bug to gain access through an open SSH service on port 22.
malware: Sliver
observable: fece5b954e69b2c6a8d0a1029631a0d7 (Mythic C2 server certificate serial number)
filename: CWan
general_metric: port 31337, port 22
infrastructure: Cluster 6 server
As of March 28, 2026, this C2 IP, “194[.]163[.]175[.]135”, hosted:
* A Mythic C2 server on port 7443, along with a Mythic C2 server certificate with serial number fece5b954e69b2c6a8d0a1029631a0d7
* Another AdaptixC2 server on port 31337
* An open SSH service on port 22, likely for administration of the server
Cluster 6
In another cluster of activity, since at least March 5, 2026, Sliver, an open-source adversarial emulation framework (aka red-teaming implant), was deployed with the filename “CWan”.
March 6, 2026
Threat actors exploited a maximum severity Cisco SD-WAN bug in the wild, targeting at least one cluster since March 6, 2026.
vulnerability: CVE-2026-20133, CVE-2026-20128, CVE-2026-20122
general_metric: Cluster 1
This cluster has been actively exploiting CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122 since at least March 6, 2026.
March 10, 2026
Threat actors exploited a maximum severity Cisco SD-WAN bug in the wild, targeting at least two clusters that had been actively exploiting CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 since March 10, 2026.
vulnerability: CVE-2026-20133, CVE-2026-20128, CVE-2026-20122
general_metric: Cluster 2
This cluster has been actively exploiting CVE-2026-20133, CVE-2026-20128, and CVE-2026-20122 since at least March 10, 2026.
as early as March 10, 2026
Threat actors exploited a maximum severity Cisco SD-WAN bug in Cluster 8.
general_metric: Cluster 8 (attacker)
Activity observed in Cluster 8 began as early as March 10, 2026.
March 13, 2026
Threat actors exploited a maximum severity Cisco SD-WAN bug in the wild.
Threat actors exploited a publicly available red team framework to deploy malware on Cisco SD-WAN Cluster 5.
general_metric: Cluster 5 (AdaptixC2)
Talos observed the deployment, beginning March 13, 2026, of a malware agent compiled off the publicly available AdaptixC2 red team framework.
March 2026
Threat actors exploited a previously disclosed vulnerability, CVE-2026-20133.
vulnerability: CVE-2026-20133, CVE-2026-20128, CVE-2026-20122
Talos is also aware of a series of threat actors, distinct from UAT-8616, that have been observed exploiting a different, previously disclosed set of vulnerabilities in a new way compared with what was previously identified, beginning March 2026, specifically CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122.
We have identified multiple clusters of post-compromise activity, beginning March 2026, associated with the exploitation of CVE-2026-20133, CVE-2026-20128 and CVE-2026-20122 that deployed webshells and other malicious tooling, described in this post.
March 17, 2026
Threat actors exploited a maximum severity Cisco SD-WAN bug in the wild; since at least March 17, 2026, they deployed an XMRig miner and a peer-based proxying and tunneling tool.
general_metric: Cluster 9 (gsocket)
In this cluster, since at least March 17, 2026, Talos observed the deployment of an XMRig miner and a peer-based proxying and tunneling tool.
March 25, 2026
Threat actors exploited a maximum severity Cisco SD-WAN bug in the wild; since at least March 25, 2026, they downloaded and deployed an XMRig sample via a shell script from "83.229.126[.]195".
general_metric: Cluster 7 (XMRig)
In this cluster of activity, since at least March 25, 2026, an XMRig sample and its accompanying configuration file were downloaded and deployed via a shell script from the remote location “83.229.126[.]195”.
March 28, 2026
Threat actors exploited a maximum severity Cisco SD-WAN bug on the "194[.]163[.]175[.]135" IP address, using it as a Mythic C2 server to target another compromised system.
malware: Sliver
observable: fece5b954e69b2c6a8d0a1029631a0d7 (Mythic C2 server certificate serial number)
filename: CWan
general_metric: port 31337, port 22
infrastructure: Cluster 6 server
As of March 28, 2026, this C2 IP, “194[.]163[.]175[.]135”, hosted:
* A Mythic C2 server on port 7443, along with a Mythic C2 server certificate with serial number fece5b954e69b2c6a8d0a1029631a0d7
* Another AdaptixC2 server on port 31337
* An open SSH service on port 22, likely for administration of the server
Cluster 6
In another cluster of activity, since at least March 5, 2026, Sliver, an open-source adversarial emulation framework (aka red-teaming implant), was deployed with the filename “CWan”.
May 14, 2026
Threat actors exploited a maximum severity Cisco SD-WAN bug by using the peering authentication mechanism.
March to April 2026
Threat actors exploited the unpatched Cisco SD-WAN systems from March to April 2026.
February 10, 2026, 22:51:36 UTC
Threat actors exploited a maximum severity Cisco SD-WAN bug by using the "Accepted publickey for vmanage-admin" authentication mechanism to gain unauthorized access through an SSH connection.
observable: auth.log
The company says that admins should review /var/log/auth.log for entries showing "Accepted publickey for vmanage-admin" from unknown IP addresses:
2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin from port
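As an added example (not part of the original report and not Cisco's or Talos's own tooling), the following Python script implements the auth.log review described above: it parses sshd "Accepted" events, keeps those for the vmanage-admin account, and flags any whose source address is missing or falls outside an operator-maintained allowlist of management networks. It goes slightly beyond the excerpt by accepting both the ISO 8601 timestamp format quoted above and the traditional "Mon DD HH:MM:SS" syslog format. The sample log lines, the allowlisted network, the hostnames and the process IDs are constructed for illustration; the only line taken from the page is the elided advisory example.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Union

# OpenSSH "Accepted <method> for <user> from <ip> port <port> ..." events as they
# appear in /var/log/auth.log. The timestamp alternation accepts the ISO 8601 form
# quoted in the advisory excerpt and the traditional "Feb 11 11:00:00" syslog form.
# Source IP and port are optional so that the elided advisory line still parses
# and is then treated as an unknown source.
SSHD_ACCEPT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+|[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})"
    r"\s+(?P<host>\S+)\s+sshd\[(?P<pid>\d+)\]:\s+"
    r"Accepted\s+(?P<method>\S+)\s+for\s+(?P<user>\S+)\s+from"
    r"(?:\s+(?P<ip>[0-9A-Fa-f.:]+))?\s+port(?:\s+(?P<port>\d+))?"
)

# The service account named in the advisory.
WATCHED_USER = "vmanage-admin"

# Constructed sample log. The first line is the elided example quoted above; the
# others use RFC 1918 / RFC 5737 documentation addresses and invented pids.
SAMPLE_AUTH_LOG = """\
2026-02-10T22:51:36+00:00 vm sshd[804]: Accepted publickey for vmanage-admin from port
2026-02-11T08:14:02+00:00 vm sshd[911]: Accepted publickey for vmanage-admin from 10.0.5.7 port 50122 ssh2: RSA SHA256:AAAA
2026-02-11T09:30:45+00:00 vm sshd[1034]: Accepted publickey for vmanage-admin from 203.0.113.77 port 41888 ssh2: ED25519 SHA256:BBBB
2026-02-11T09:31:10+00:00 vm sshd[1040]: Failed password for admin from 203.0.113.77 port 41890 ssh2
2026-02-11T10:02:00+00:00 vm sshd[1100]: Accepted password for admin from 10.0.5.8 port 50200 ssh2
Feb 11 11:00:00 vm sshd[1200]: Accepted publickey for vmanage-admin from 198.51.100.9 port 39000 ssh2: RSA SHA256:CCCC
"""

# Constructed allowlist (assumption): the management networks from which
# vmanage-admin logins are expected. Replace with your own jump-host ranges.
MANAGEMENT_NETWORKS = ["10.0.5.0/24"]

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_accept(line: str) -> Optional[Dict[str, object]]:
    """Return the fields of an sshd 'Accepted' event, or None for any other line."""
    m = SSHD_ACCEPT_RE.match(line.strip())
    if m is None:
        return None
    event: Dict[str, object] = dict(m.groupdict())
    event["pid"] = int(m.group("pid"))
    event["port"] = int(m.group("port")) if m.group("port") else None
    return event


def is_known_source(ip: Optional[str], networks: List[Network]) -> bool:
    """True only when the source address parses and lies inside an allowlisted network."""
    if not ip:
        return False  # no source recorded: nothing vouches for it, treat as unknown
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def find_suspicious_logins(lines: Iterable[str], allowlist: Iterable[str],
                           user: str = WATCHED_USER) -> List[Dict[str, object]]:
    """Accepted logins for `user` (any auth method) whose source is not allowlisted."""
    networks = [ipaddress.ip_network(n, strict=False) for n in allowlist]
    hits = []
    for line in lines:
        event = parse_accept(line)
        if event is None or event["user"] != user:
            continue
        if not is_known_source(event["ip"], networks):
            hits.append(event)
    return hits


def main() -> None:
    for ev in find_suspicious_logins(SAMPLE_AUTH_LOG.splitlines(), MANAGEMENT_NETWORKS):
        print(f"{ev['ts']} {ev['host']}: {ev['method']} login for {ev['user']} "
              f"from {ev['ip'] or '<no source recorded>'} port {ev['port']}")


if __name__ == "__main__":
    main()
```

On the constructed sample the script reports three events: the elided advisory line (no source address), the login from 203.0.113.77 and the syslog-format login from 198.51.100.9; the login from 10.0.5.7 is inside the allowlist and the admin-account events are not for the watched user. Treating a missing or unparsable source as unknown is deliberate: the injected-key technique described on this page produces a legitimate-looking "Accepted publickey" event, so the only discriminator an operator has is where the connection came from.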
May 15, 2026
Threat actors exploited a maximum severity Cisco SD-WAN bug in the wild, targeting CVE-2026-20182.
organisation: SD-WAN vSmart, SD-WAN vManage
Cisco Talos is tracking the active exploitation of CVE-2026-20182, an authentication bypass vulnerability in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage.
“A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system,” reads the advisory.
organisation: ITW
UAT-8616 in-the-wild (ITW) exploitation of CVE-2026-20182
organisation: Security Advisory
Customers are strongly advised to follow the guidance and recommendations published in Cisco's Security Advisory on CVE-2026-20182.
organisation: CVSS
Hackers Leverage Critical Bugs in Cisco Catalyst
Not only is CVE-2026-20182 not the first vulnerability discovered in Cisco Catalyst this year, it isn't even the first authentication bypass vulnerability with a "critical" 10 score on the CVSS scale.
organisation: Organizations
Organizations that hope to avoid UAT-8616 should implement Cisco's newly released patch for CVE-2026-20182.
organisation: Catalyst SD-WAN Controller
Cisco is warning that a critical Catalyst SD-WAN Controller authentication bypass flaw, tracked as CVE-2026-20182, was actively exploited in zero-day attacks that allowed attackers to gain administrative privileges on compromised devices.
Cisco fixed CVE-2026-20182, a flaw in SD-WAN control connection handshaking and peering authentication in Catalyst SD-WAN Controller (vSmart) and Manager (vManage).
organisation: Cisco Catalyst SD-WAN, Cisco Catalyst SD-WAN Controller, SD-WAN Cloud
CVE-2026-20182 has a maximum severity of 10.0 and impacts Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager in on-prem and SD-WAN Cloud deployments.
“A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, and Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system,” reads the advisory.
Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities.
A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account.
organisation: Cisco CVE-2026-20182
"An attacker could exploit this vulnerability by sending crafted requests to the affected system," reads the Cisco CVE-2026-20182 advisory.
infrastructure: 1.1.1.10, 192.168.3.20
Jul 26 22:03:33 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanagepeer-system-ip:1.1.1.10 public-ip:192.168.3.20 public-port:12345 domain-id:1 site-id:1005
Cisco strongly recommends upgrading to a fixed software release, as this is the only way to fully remediate CVE-2026-20182.
organisation: SD-WAN
Cisco fixed CVE-2026-20182, a flaw in SD-WAN control connection handshaking and peering authentication in Catalyst SD-WAN Controller (vSmart) and Manager (vManage).
“An SD-WAN controller is a great place to do that, because it lives in the middle of trust relationships most organizations rarely question.”
UAT-8616 previously exploited a similar vulnerability in Cisco Catalyst SD-WAN Controller, CVE-2026-20127, to gain unauthorized access to SD-WAN systems.
A highly sophisticated threat actor is exploiting a critical vulnerability in Cisco Catalyst Software-Defined Wide Area Network (SD-WAN) Controllers.
Cisco warns of new critical SD-WAN flaw exploited in zero-day attacks.
organisation: CVE-2026
In-the-wild (ITW) exploitation of CVE-2026-20133, CVE-2026-20122, and CVE-2026-20128
organisation: DTLS
Rapid7 researchers said CVE-2026-20182 resembles the previously exploited CVE-2026-20127, another critical authentication bypass in Cisco’s SD-WAN vdaemon service over DTLS on UDP port 12346.
organisation: SSH
“This impact however is the same, a remote unauthenticated attacker can leverage CVE-2026-20182 to become an authenticated peer of the target appliance, and perform privileged operations, such as injecting an attacker controlled public key into the vmanage-admin user account’s authorized SSH keys file.”
UAT-8616 attempted to add SSH keys, modify NETCONF configurations, and escalate to root privileges.
This time around, the researchers observed the threat actor performing "similar post-compromise actions" after winning initial access, including adding SSH keys to targeted systems, modifying NETCONF configurations, and escalating to root.
infrastructure: Talos IOC list for Clusters 2 through 10
89.125.244[.]51
Cluster 2
Cluster 3
Cluster 4
38.60.214[.]92
65.20.67[.]134
104.233.156[.]1
194.233.100[.]40
Cluster 5 - AdaptixC2
f6f8e0d790645395188fc521039385b7c4f42fa8b426fd035f489f6cda9b5da1
Cluster 5 - AdaptixC2 C2 server
194[.]163[.]175[.]135:4445
Cluster 5 - AdaptixC2 C2 IP
Cluster 6 - Sliver
02654acfb21f83485393ba8b14bd8862b919b9ec966fc6768f6aac1338a45ee8
Cluster 6 - Sliver C2 over mTLS
mtls[://]23.27.143[.]170:443
Cluster 6 - Sliver C2 IP
Cluster 7 - XMRig downloader script
0ed72d52347bfe4a78afff8a6982a64050c8fc86d8957a20eeb3e0f3f5342ed0
Cluster 7 - XMRig sample
96fc528ca5e7d1c2b3add5e31b8797cb126f704976c8fbeaecdbf0aa4309ad46
Cluster 7 - XMRig configuration
7aa88a64a527ade7d93c20faf23b54f2ee33ad9b1246cdc2f8ded2ab639affb1
Cluster 7 - XMRig remote location IP
Cluster 7 - XMRig remote URL
hxxp://83[.]229[.]126[.]195:8081/xmrig
Cluster 7 - XMRig configuration file remote location
hxxp://83[.]229[.]126[.]195:8081/config[.]json
Cluster 8 - Nim-based backdoor
0c87871642f84e09e8d3fb23ec36bf55601323e31151a7017a85dbec929cf15d
Cluster 8 - Download URL for the Nim-based backdoor
hxxps://1a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p[.]worf[.]replit.dev/download
Cluster 8 - Attacker controlled sub-domain hosting the Nim-based backdoor
a820b09-95ba-44eb-b350-417e8241b725-00-1lgwuuen9b77p[.]worf[.]replit.dev
Cluster 8 - Attacker IP that downloaded the Nim-based backdoor
Cluster 8 - C2 for Nim-based backdoor
hxxp://13[.]62[.]52[.]206:5004
Cluster 8 - C2 IP for Nim-based backdoor
18d77c9c5bbb5b9d5bdfd366fdfcf26bad9e64c63ca865fad711bcce8e3d5a80
Cluster 9 - gsocket
d94f75a70b5cabaf786ac57177ed841732e62bdcc9a29e06e5b41d9be567bcfa
Cluster 9 - gsocket secret file
5bc5998161056b7c8f70c9724d8a63abc7ff8c3843b91c30cffab0899e39b7f8
b0f51b098842cd630097b462aab0ec357e2c7824af37cca6d08165265da2c2d3
Cluster 10 - Check for root escalation
72f570ce97de3eaaffef33d90b0c337a153fc9690cc34ee207b557d868360060
17302d903baf182f94dc3be40ab1e0874dd0eb2ec5255bf9131fd53591efe925
organisation
the Common Vulnerability Scoring System
By allowing unauthenticated attackers free rein over one of an organization's most powerful tools, it earned the highest possible 10 out of 10 score in the Common Vulnerability Scoring System (CVSS).
general_metric: Cluster 1 to Cluster 10
So far, Talos has observed the following clusters of malicious activity being conducted post successful exploitation of CVE-2026-20133, CVE-2026-20122, and CVE-2026-20128: Cluster #1 to Cluster #10.
Snort SIDs for CVE-2026-20133: 66468 - 66469
Snort SIDs for CVE-2026-20122: 66461 - 66462
Snort SIDs for CVE-2026-20128: 66468 - 66469
Snort SIDs for the threats detailed in Clusters #1 through 10 are:
Snort2: 66200, 66201, 66202
Snort3: 301461, 301462, 66252
ClamAV signatures for the malicious tooling associated with these clusters:
Unix.
Tas9er Godzilla shellcode deployed in Cluster #1.
organisation: Cisco Security Advisory
- 66483
Please refer to the official Cisco Security Advisory on CVE-2026-20133, CVE-2026-20122, and CVE-2026-20128 for the latest information regarding affected products, Indicators Of Compromise (IOCs), and mitigation steps.
organisation
CVE
Note: The CVE referenced in the ZeroZenX Labs proof-of-concept is incorrectly attributed to CVE-2026-20127.
organisation
UAT-8616
Cisco patched CVE-2026-20127, threatening to derail UAT-8616's fun.
organisation
Cisco SD-WAN
The flaw was discovered by Rapid7 while researching a different Cisco SD-WAN controller vulnerability, tracked as CVE-2026-20127, which was fixed in February.
organisation
UDP
“This new authentication bypass vulnerability affects the ‘vdaemon’ service over DTLS (UDP port 12346), which is the same service that was vulnerable to CVE-2026-20127.
organisation
JWT
The main script, named “loot_run.sh”, attempted to obtain:
* The admin user’s hashdump
* JSON Web Token (JWT) key chunks that are used for REST API authentication
* AWS credentials for vManage: AccessKeyId, SecretAccessKey and Token
Two other helper scripts were also deployed in this cluster to check whether the current user could escalate to root.
organisation
JSP
We observed that the vast majority of this exploitation involved the use of ZeroZenX Labs’ proof-of-concept and the accompanying JSP-based webshell, which we track as “XenShell.”
organisation
NETCONF
UAT-8616 attempted to add SSH keys, modify NETCONF configurations, and escalate to root privileges.
This time around, the researchers observed the threat actor performing "similar post-compromise actions" after winning initial access, including adding SSH keys to targeted systems, modifying NETCONF configurations, and escalating to root.
Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.
Successful exploitation lets the attacker gain administrative access, obtain a high-privilege internal account, use NETCONF, and modify SD-WAN network configurations across the fabric.
organisation
ORB
Our findings indicate that the infrastructure used by UAT-8616 to carry out exploitation and post-compromise activities also overlaps with the Operational Relay Box (ORB) networks that Talos monitors closely.
organisation
TAC
Customer support is also available by initiating a TAC request.
organisation
the Recommendations and Detection Guidance
Please refer to the Recommendations and Detection Guidance section for additional coverage information.
organisation
JavaServer Pages
The vast majority of observed exploitation attempts involved the use of the ZeroZenX Labs proof-of-concept code and accompanying JavaServer Pages (JSP) shell, which we are calling “XenShell.”
organisation
IPs
The following IPs were used to carry out the exploit and subsequently interact with the shell:
38.181.52[.]89
89.125.244[.]33
89.125.244[.]51
Figure 1.
organisation
AES
This variant has been modified to only use Base64 for encoding, as opposed to AES encryption commonly observed in other variants.
organisation
IP
The IP “71.80.85[.]135” was used to carry out the exploit and interact with the shell.
The company also recommends restricting access to SD-WAN management and control-plane interfaces to trusted internal networks or to authorized IP addresses only, and reviewing authentication logs for suspicious login activity.
organisation
TCP
The authors have changed the default TCP banner for the sample from “AdapticC2 server” to “shadowcore”.
Once this has been performed, a remote unauthenticated attacker can login to the NETCONF service (SSH over TCP port 830) as the vmanage-admin user, and begin to issue arbitrary NETCONF commands.”
organisation
VPS
Hosted on Contabo GmbH, this is likely a VPS.
organisation
Nim
The second tool, named “agent1”, is a Nim-based implant.
organisation
RSA
C2 endpoints used for communication, registration and check-ins, obtaining tasks, returning results, and more:
* /api/v1/handshake
* /api/v1/results
* /api/v1/payloads
* /api/v1/exfiltrate
* /api/v1/tasks
* /api/v1/init
An RSA public key to be used by the agent to communicate with the C2 hosted on “hxxp://13[.]62[.]52[.]206:5004”.
organisation
Nimplant
It is therefore likely that the backdoor was created with the help of AI to resemble Nimplant’s functionality with the additional capabilities and deviations listed above.
organisation
the Global Socket Relay Network
This tool, gsocket, is a peer-based proxying and tunneling tool that allows peers to connect to each other within the Global Socket Relay Network (GSRN).
financial
2 Cluster
Behinder webshell deployed in Cluster #2.
financial
3 Cluster
Behinder webshell deployed in Cluster #3.
financial
4 Cluster
Godzilla webshell deployed in Cluster #4.
data_breach
16 byte
GSRN allows peers to connect to each other using node IDs, which are unique 16-byte identifiers for nodes within the network.
organisation
CVE-2022
What Might Happen Next to Cisco's Customers
The first time UAT-8616 exploited a Catalyst authentication bypass bug, it took advantage of its access to exploit an older vulnerability, CVE-2022-20775, and escalate from privileged to outright root access.
organisation
the Catalyst Controller
In February, the issue was that the Catalyst Controller and Manager weren't rigorous enough in authenticating SD-WAN components, so any hacker off the street could use a specially crafted message to impersonate a device and get in.
organisation
Maximum Severity Cisco SD-WAN Bug Exploited
Maximum Severity Cisco SD-WAN Bug Exploited in the Wild.
organisation
McKee
To avoid sensationalizing, McKee added, "To be fair, not every bug turns into Internet-wide exploitation overnight."
organisation
Cisco Talos
In a separate publication that same day, researchers at Cisco Talos flagged that a group it tracks as UAT-8616 has already gotten to it.
organisation
Catalyst
Back in February, Cisco revealed half a dozen issues with Catalyst.
organisation
Controller
This month, the problem is that the Controller doesn't actually verify the legitimacy of a specific type of component — a hub router, "vHub," used in cloud deployments — before authenticating it.
organisation
Critical Infrastructure
Without spelling it out, Talos indicated that the threat actor might have been "looking to establish persistent footholds into high-value organizations including Critical Infrastructure (CI) sectors."
organisation
KEY
ssh2: RSA SHA256:[REDACTED KEY]
Administrators should compare IP addresses in logs with the configured System IPs listed in the Cisco Catalyst SD-WAN Manager web UI, under WebUI > Devices > System IP.
organisation
SD-WAN Controller
Cisco also recommends reviewing SD-WAN Controller logs for unauthorized peering activity, as attackers may attempt to register rogue devices within the SD-WAN fabric.
May 2026
Threat actors exploited a vulnerability in Cisco's SD-WAN software.
May 17, 2026
Threat actors exploited the Maximum Severity Cisco SD-WAN Bug CVE-2026-20182 in the wild.
vulnerability
CVE-2026-20182
CISA has added the Cisco CVE-2026-20182 flaw to the Known Exploited Vulnerabilities Catalog, ordering federal agencies to patch affected devices by May 17, 2026.
tactic
T1588.006 - Vulnerabilities
CISA has added the Cisco CVE-2026-20182 flaw to the Known Exploited Vulnerabilities Catalog, ordering federal agencies to patch affected devices by May 17, 2026.
Tactical Metrics
Metrics
infrastructure
6
Server Cluster
As of March 28, 2026, this C2 IP, “194[.]163[.]175[.]135”, hosted:
* A Mythic C2 server on port 7443, along with a Mythic C2 server certificate with serial number fece5b954e69b2c6a8d0a1029631a0d7
* Another AdaptixC2 server on port 31337
* An open SSH service on port 22, likely for administration of the server
Cluster 6
In another cluster of activity, since at least March 5, 2026, Sliver, an open-source adversary emulation framework (aka red-teaming implant), was deployed with the filename “CWan”.
Metrics
infrastructure
1.1.1
Software Version
Jul 26 22:03:33 vSmart-01 VDAEMON_0[2571]: %Viptela-vSmart-VDAEMON_0-5-NTCE-1000001: control-connection-state-change new-state:up peer-type:vmanagepeer-system-ip:1.1.1.10 public-ip:192.168.3.20 public-port:12345 domain-id:1 site-id:1005
Cisco strongly recommends upgrading to a fixed software release, as this is the only way to fully remediate CVE-2026-20182.
Intelligence Sources
Talos Intelligence
2026-05-14
Ongoing exploitation of Cisco Catalyst SD-WAN vulnerabilities
Talos Intelligence
Dark Reading
2026-05-14
BleepingComputer
2026-05-14
Security Affairs
2026-05-14
TheRecord
2026-05-15
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-15T05:46
Comprehensive Tactical Telemetry
Highly Correlated Entities
Count | Category | Kind | Value
59x | organisation | Identified Entity | SD-WAN vSmart
29x | timeline | Temporal Reference | March 6, 2026
7x | attribution | Attributing Entity | The U.S. Cybersecurity and Infrastructure Security Agency
6x | vulnerability | Exploited CVE | CVE-2026-20182
5x | financial | Cluster | 1
5x | general metric | Cluster | 1
3x | target region | Target Country | Hong Kong
3x | tactic | MITRE ATT&CK Technique | T1588.002 - Tool
2x | malware | Offensive Tool | Cobalt Strike
2x | general metric | Port | 31,337
2x | general metric | Mar | 13
2x | general metric | Snort Sids | 66,468
2x | financial | Snort Sids | 66,469
2x | general metric | D2 | 34
2x | tactic | Cyber Operation Type | Espionage
2x | infrastructure | Software Version | 1.1.1
Contextual Telemetry
Context Block
22 METRICS
Category | Kind | Value
industry | Targeted Sector | Technology
infrastructure | Server Cluster | 6
general metric | Snort2 | 66,200
general metric | Clamav Signatures | 66,252
general metric | Adaptixc2 | 5
general metric | Sliver | 6
general metric | 96fc528ca5e7d1c2b3add5e31b8797cb126f704976c8fbeaecdbf0aa4309ad46 cluster xmrig | 7
infrastructure | Ip Cluster | 7
infrastructure | Based Download Url | 8
infrastructure | Download | 0
general metric | B350 | 0
general metric | Attacker | 8
general metric | Gsocket | 9
data breach | Byte | 16
general metric | C4 | 78
general metric | C4 A2 | 37
target region | Target Region | FIVE_EYES
infrastructure | Affected Product | Linux
source region | Origin Country | China
general metric | Jul | 26
vulnerability | CVSS Score | 10
general metric | Tcp Port | 830