Post by Mandiant (part of Google Cloud)
⏪ ICYMI: Mandiant identified a critical vulnerability (CVE-2026-5426) in KnowledgeDeliver, a learning management system commonly used in Japan. The vulnerability allows for unauthenticated remote code execution via ViewState deserialization. During incident response, Mandiant observed threat actors exploiting this vulnerability to conduct extensive post-exploitation activity:

• Deploying the .NET-based in-memory web shell BLUEBEAM (Godzilla) within the IIS worker process (w3wp.exe)
• Modifying permissions to grant full access to the web application directory
• Tampering with application JavaScript to display fake security alerts and load remote malicious scripts
• Infecting user workstations with a Cobalt Strike BEACON backdoor payload specifically tailored to the targeted organization

To mitigate this threat, organizations must immediately generate unique, cryptographically strong machine keys for each KnowledgeDeliver instance to invalidate the shared secret. Defenders should monitor for Windows Application Event ID 1316, anomalous User-Agent strings, and unusual child processes spawned by w3wp.exe.

📝 Read the full blog post for detailed analysis, hunting guidance, and indicators of compromise: https://goo.gle/3SxCU7H
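The mitigation above hinges on the machineKey being unique to each instance: a key that ships identically in every installation is the shared secret that lets a forged ViewState pass integrity checks. The following is an added example, not Mandiant's or the KnowledgeDeliver vendor's code. It generates fresh per-instance keys, audits a set of web.config files for keys reused between instances, and rekeys the ones that share them. It assumes the standard ASP.NET layout of `<machineKey>` under `<configuration>/<system.web>`; the fleet at the bottom is constructed sample data, and its shared key is a placeholder, not the real product key.

```python
"""Per-instance machineKey rotation and shared-key audit for ASP.NET web.config.

Hypothetical helper, not vendor or Mandiant tooling. Key sizes follow ASP.NET's
documented guidance: a 64-byte validationKey for HMACSHA256 and a 32-byte
decryptionKey for AES.
"""
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

VALIDATION_KEY_BYTES = 64   # 128 hex characters
DECRYPTION_KEY_BYTES = 32   # 64 hex characters
STRONG_VALIDATION = {"HMACSHA256", "HMACSHA384", "HMACSHA512"}


def generate_machine_key() -> Dict[str, str]:
    """Fresh, cryptographically random key material for exactly one instance."""
    return {
        "validationKey": secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
        "decryptionKey": secrets.token_hex(DECRYPTION_KEY_BYTES).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def render_machine_key(key: Dict[str, str]) -> str:
    """The <machineKey> element as it would be placed under <system.web>."""
    return ('<machineKey validationKey="{validationKey}" decryptionKey="{decryptionKey}" '
            'validation="{validation}" decryption="{decryption}" />').format(**key)


def parse_machine_key(web_config_xml: str) -> Optional[Dict[str, str]]:
    """Attributes of <machineKey>, or None when the config has no explicit element."""
    node = ET.fromstring(web_config_xml).find("system.web/machineKey")
    return None if node is None else dict(node.attrib)


def audit_machine_key(web_config_xml: str) -> List[str]:
    """Findings for one web.config; an empty list means the keys look acceptable."""
    mk = parse_machine_key(web_config_xml)
    if mk is None:
        return []  # no explicit key: ASP.NET auto-generates one per machine
    findings = []
    alg = mk.get("validation", "").upper()
    if alg not in STRONG_VALIDATION:
        findings.append(f"validation='{alg or 'unset'}' is not an HMAC-SHA2 algorithm")
    for attr, want in (("validationKey", VALIDATION_KEY_BYTES),
                       ("decryptionKey", DECRYPTION_KEY_BYTES)):
        value = mk.get(attr, "")
        if value.startswith("AutoGenerate"):
            continue
        if len(value) < 2 * want:
            findings.append(f"{attr} is {len(value) // 2} bytes; {want} bytes recommended")
    return findings


def find_shared_keys(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """validationKey values used by more than one instance -> names of those instances."""
    by_key: Dict[str, List[str]] = {}
    for name, xml in configs.items():
        mk = parse_machine_key(xml) or {}
        vk = mk.get("validationKey", "")
        if vk and not vk.startswith("AutoGenerate"):
            by_key.setdefault(vk.upper(), []).append(name)
    return {k: names for k, names in by_key.items() if len(names) > 1}


def rotate_machine_key(web_config_xml: str) -> str:
    """Return the config with its <machineKey> replaced by fresh per-instance keys."""
    root = ET.fromstring(web_config_xml)
    system_web = root.find("system.web")
    if system_web is None:
        system_web = ET.SubElement(root, "system.web")
    node = system_web.find("machineKey")
    if node is None:
        node = ET.SubElement(system_web, "machineKey")
    node.attrib.clear()
    node.attrib.update(generate_machine_key())
    return ET.tostring(root, encoding="unicode")


def remediate_fleet(fleet: Dict[str, str]) -> Dict[str, str]:
    """Rekey every instance whose validationKey is shared with another instance."""
    shared = {n for names in find_shared_keys(fleet).values() for n in names}
    return {n: (rotate_machine_key(x) if n in shared else x) for n, x in fleet.items()}


def wrap_web_config(machine_key_element: str) -> str:
    return f"<configuration><system.web>{machine_key_element}</system.web></configuration>"


# Constructed sample fleet: two instances still carry the same vendor-supplied
# key (placeholder value, not the real product key) with SHA1 validation; the
# third was already rekeyed.
PLACEHOLDER_SHARED_KEY = {"validationKey": "11" * 64, "decryptionKey": "22" * 32,
                          "validation": "SHA1", "decryption": "AES"}
SAMPLE_FLEET = {
    "lms-a": wrap_web_config(render_machine_key(PLACEHOLDER_SHARED_KEY)),
    "lms-b": wrap_web_config(render_machine_key(PLACEHOLDER_SHARED_KEY)),
    "lms-c": wrap_web_config(render_machine_key(generate_machine_key())),
}

if __name__ == "__main__":
    print("shared before:", find_shared_keys(SAMPLE_FLEET))
    fixed = remediate_fleet(SAMPLE_FLEET)
    print("shared after: ", find_shared_keys(fixed))
    for name, xml in fixed.items():
        print(name, audit_machine_key(xml) or "ok")
```

Rotating the key invalidates every ViewState and forms-authentication ticket issued under the old one, so users are signed out; that is the intended effect, since it also invalidates anything an attacker forged with the shared secret. In a web farm, all nodes of one instance must receive the same new key, but no two instances should ever share one.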