Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability
2026-05-25 14:00 | CRITICAL | HIGH
Executive Summary (AI-generated)
The threat actor has been identified as a sophisticated and highly adaptable adversary that exploits known vulnerabilities, such as the ViewState deserialization vulnerability in ASP.NET applications. The use of KnowledgeDeliver instances to spread malware is also notable and highlights the importance of robust security measures against this type of threat. The deployment of a .NET-based in-memory web shell called BLUEBEAM further underscores the threat actor's ability to maintain persistence and control within compromised systems.
Technical Mitigations (AI-generated)
• Monitor the Application Event Log for Event ID 1316 and for failed ViewState integrity checks, as well as for successful ViewState deserialization attempts.
• Implement suspicious process activity monitoring to detect unusual child processes spawned by w3wp.exe, including cmd.exe /c commands that may indicate a BLUEBEAM web shell deployment.
• Perform file integrity monitoring on .js, .aspx, and .config files within the web root to catch unauthorized changes or additions, such as remote script loaders or unusual logic.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Cobalt Strike
Target & Sectors
NORTH_AMERICA
Incident Timeline
2026/05/25
Threat actors exploited a ViewState Deserialization Vulnerability in KnowledgeDeliver to infect workstations with Cobalt Strike BEACON backdoors.
Exploitation of KnowledgeDeliver via ViewState Deserialization Vulnerability
When the machineKey is known, a threat actor can craft a malicious ViewState payload. This technique follows the pattern of the ViewState Deserialization Zero-Day Vulnerability affecting Sitecore (previously reported by Mandiant), and the code injection attacks using publicly disclosed ASP.NET machine keys reported by Microsoft.
Post-Exploitation Activity
Once access was established, the threat actors focused on maintaining their presence and expanding the impact of the compromise.
BLUEBEAM Web Shell Deployment
The threat actor deployed a .NET-based in-memory web shell called BLUEBEAM (also known as Godzilla).
File Tampering
The threat actor was observed executing commands to escalate their control over the web server's file system:
Permission Modification: The threat actor used icacls to grant "Everyone" full access to the web application directory.
Application Event Logs (Event ID 1316)
Monitor the Windows Application log for Event ID 1316 from the source ASP.NET 4.0.30319.0 (or similar).
Failed Attempt (Integrity Failure): Event code: 4009, Viewstate verification failed.
File Integrity Monitoring
Monitor for unauthorized changes to .js, .aspx, or .config files within the web root.
Anomalous User-Agent Strings
Mandiant identified User-Agent strings consisting of two distinct identifiers concatenated together, which were consistent with ones reported in the ViewState Deserialization Zero-Day vulnerability. The following are examples of identified User-Agent strings:
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.2 (KHTML, like Gecko) Chrome/22.0.1216.0 Safari/537.2 Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Version/11.01 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) chromeframe/10.0.648.205
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101213 Opera/9.80 (Windows NT 6.1; U; zh-tw) Presto/2.7.62
Remediation and Mitigation
Rotate Machine Keys: Immediately generate a unique, cryptographically strong machine key for each KnowledgeDeliver instance.
Restrict Access: If possible, limit access to the LMS to known organizational IP address ranges.
Outlook and Implications
The exploitation of KnowledgeDeliver highlights the severe risks of using shared secrets in deployment templates.
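Detection logic for the concatenated User-Agent pattern and the Event ID 1316 integrity failures described in the detection section above, added here as an example (not code from the report or from Mandiant). The IIS log excerpt and event text are constructed, and the record layout assumes IIS's W3C log format with a #Fields header.

```python
import re

# Constructed W3C-format IIS log excerpt, NOT taken from the report. IIS writes
# cs(User-Agent) with spaces encoded as '+', so each record splits on whitespace.
# Requests 2 and 3 carry the two-identifier concatenation; 1 and 4 are normal.
SAMPLE_IIS_LOG = """#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2026-05-25 13:58:01 POST /Default.aspx 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/121.0.0.0+Safari/537.36 200
2026-05-25 13:58:07 POST /Default.aspx 203.0.113.10 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.2+(KHTML,+like+Gecko)+Chrome/22.0.1216.0+Safari/537.2+Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) 500
2026-05-25 13:58:09 POST /Default.aspx 203.0.113.10 Version/11.01+Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/121.0.0.0+Safari/537.36 200
2026-05-25 13:59:30 GET /login.aspx 198.51.100.7 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+Trident/5.0)+chromeframe/10.0.648.205 200
"""

MOZILLA_TOKEN = re.compile(r"Mozilla/\d")

def is_concatenated_user_agent(ua: str) -> bool:
    """True when the UA looks like two identifiers glued together.

    A well-formed browser UA has exactly one 'Mozilla/x' token, at offset 0.
    A second token, or one that is not first (the string opens with the tail
    of another UA such as 'Version/11.01'), is the concatenation pattern.
    """
    offsets = [m.start() for m in MOZILLA_TOKEN.finditer(ua)]
    return len(offsets) > 1 or (len(offsets) == 1 and offsets[0] != 0)

def parse_w3c_log(text: str):
    """Yield one dict per record, keyed by the names in the '#Fields:' header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
        elif raw and not raw.startswith("#") and fields:
            yield dict(zip(fields, raw.split()))

def find_suspicious_requests(text: str):
    """Return (client_ip, uri, decoded_ua) for each request with a concatenated UA."""
    hits = []
    for rec in parse_w3c_log(text):
        ua = rec["cs(User-Agent)"].replace("+", " ")  # undo IIS space encoding
        if is_concatenated_user_agent(ua):
            hits.append((rec["c-ip"], rec["cs-uri-stem"], ua))
    return hits

def is_viewstate_integrity_failure(event_id: int, message: str) -> bool:
    """Application-log filter for the failed attempts the report lists: ASP.NET
    Event ID 1316 whose body carries event code 4009, 'Viewstate verification failed'."""
    return event_id == 1316 and "4009" in message and "Viewstate verification failed" in message
```

Hits from find_suspicious_requests can be joined with is_viewstate_integrity_failure matches by client address and time to separate failed payload attempts from a successful one that produced no 1316 event.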
Intelligence Sources
Mandiant, 2026-05-25
Incident Version History
Current version, last updated 2026-06-29T06:21
Contextual Telemetry
Target Country: United States
Affected Product: Windows
Offensive Tool: Cobalt Strike
MITRE ATT&CK Technique: T1505.003 - Web Shell