Ivanti EPMM 'Sleeper Shells' not so sleepy?

Ali Nemati, 2 days ago

We found additional activity related to the EPMM 403.jsp webshell campaign previously reported by Defused. Across roughly 140 requests that used the specific parameter and file combination, we did not observe any dynamically executed code. Between those requests, however, we found evidence of commands being executed through "k-only" requests: database dumps, archiving of local files, and cleanup actions. This indicates the campaign was more active than initially reported and was likely aimed at extracting sensitive information from compromised systems. Organizations running EPMM, even those that have already applied patches, should check thoroughly for signs of compromise and consider remediation such as credential resets and, where necessary, system rebuilds.

Read the full article at NVISO Labs
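The point of the finding above is that the requests carrying only the `k` parameter are the ones that matter, so a hunt that keeps only the "interesting" parameter combination will miss the command execution. The script below is an added example, not code from NVISO, Defused or this site: it parses web-server access log lines, keeps every request to a path ending in `403.jsp`, and splits them into k-only, k-plus-other-parameters and no-k buckets. The combined log format, the `/mifs/403.jsp` path, the second parameter name `c` and the sample lines are all constructed assumptions; adjust the regex and path to what your EPMM appliance actually logs.

```python
"""Hunt an access log for EPMM 403.jsp webshell traffic and bucket requests
by their query parameters. Added example; log format, path and sample
lines are constructed assumptions, not data from the original report."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumed Apache/Tomcat combined log format. Adapt to the real EPMM format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines. 'c' is a placeholder for the extra parameter
# the report does not name; only the 'k' parameter name comes from the text.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2025:03:14:01 +0000] "GET /mifs/403.jsp?k=abc123&c=id HTTP/1.1" 200 512
203.0.113.7 - - [10/Jun/2025:03:14:09 +0000] "GET /mifs/403.jsp?k=abc123 HTTP/1.1" 200 17
198.51.100.9 - - [10/Jun/2025:03:15:22 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 4096
203.0.113.7 - - [10/Jun/2025:03:16:40 +0000] "POST /mifs/403.jsp?k=abc123 HTTP/1.1" 200 22
203.0.113.7 - - [10/Jun/2025:03:20:00 +0000] "GET /mifs/403.jsp HTTP/1.1" 403 0
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["uri"])
    rec["path"] = parts.path
    # keep_blank_values so a bare 'k' with no value still counts as present
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify(rec):
    """Return 'k-only', 'k+extra' or 'no-k' for a 403.jsp hit, else None."""
    if not rec["path"].endswith("403.jsp"):
        return None
    keys = set(rec["params"])
    if keys == {"k"}:
        return "k-only"       # the requests the report says carried commands
    if "k" in keys:
        return "k+extra"      # the parameter-and-file combination seen earlier
    return "no-k"             # probing or scanner noise; still worth a look


def hunt(lines):
    """Return (timestamp, ip, method, bucket, sorted param names) per 403.jsp hit."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = classify(rec)
        if bucket is not None:
            hits.append((rec["ts"], rec["ip"], rec["method"], bucket,
                         sorted(rec["params"])))
    return hits


def summarize(hits):
    """Count hits per bucket; k-only must not be dropped as benign."""
    return Counter(h[3] for h in hits)


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG.splitlines())
    for ts, ip, method, bucket, params in found:
        print(f"{ts} {ip} {method} {bucket} params={params}")
    print(dict(summarize(found)))
```

Note that POST bodies are not in the access log, so a k-only POST can carry a command that this script cannot see; treat every k-only hit as a lead to pivot on (source IP, timing relative to the parameterised requests, and host artefacts such as database dumps or archives created at those times) rather than as noise.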
