Advisory ID: NCC-CSIRT-2026-002
Summary:
Arctic Wolf Labs has reported an ongoing cluster of automated attacks targeting Fortinet FortiGate devices that leverage the FortiCloud Single Sign-On (SSO) feature to gain unauthorized administrative access and perform malicious configuration changes. The observed activity, which began around 15 January 2026, includes the creation of generic administrative accounts, modifications to VPN configurations that grant access to these accounts, and the exfiltration of complete firewall configurations to external systems.
The attacks exploit critical authentication bypass vulnerabilities, CVE-2025-59718 and CVE-2025-59719, through manipulated SAML messages in the FortiCloud SSO chain, allowing attackers to bypass authentication controls without valid credentials.
Damage/Probability: Critical/High
Product(s):
- Fortinet FortiGate Network Security Appliances
- FortiOS, FortiWeb, FortiProxy, FortiSwitchManager with FortiCloud Single Sign-On (SSO) feature enabled
Version(s):
- Versions impacted include those vulnerable to CVE-2025-59718 and CVE-2025-59719, even where patches were applied, due to persistence of bypass conditions in some builds.
- FortiOS versions 7.4.9+/7.4.10 and other train releases have been reported as still vulnerable in certain configurations.
Platform(s):
- Internet-facing perimeter firewalls
- Related Fortinet security platforms actively managed via FortiCloud SSO
Description:
Exploitation of FortiCloud SSO bypass vulnerabilities (CVE-2025-59718 and CVE-2025-59719) allows attackers to gain unauthorised administrative access to FortiGate devices without credentials.
Once access is obtained, automated scripts rapidly create generic admin accounts, modify VPN and firewall configurations for persistence, and exfiltrate full device configurations for offline credential analysis and further compromise.
Exfiltration activity has been linked to the following IP addresses:
104.28.244[.]115, 104.28.212[.]114, 217.119.139[.]50, 37.1.209[.]19.
The speed and consistency of the activity indicate the use of automated threat actor tooling, enabling rapid and scalable compromise.
Threat Types:
- Unauthenticated SSO bypass via crafted SAML messages for initial access.
- Automated admin session takeover through malicious login activity.
- Firewall and VPN configuration changes to maintain persistence.
- Exfiltration of firewall configurations enabling credential compromise and lateral access.
Impacts:
- Exploitation enables attackers to authenticate as administrative users without credentials, granting full control over affected FortiGate devices.
- Malicious changes to firewall rules, VPN policies, and administrative accounts undermine perimeter security and elevate attacker reach for further network intrusion.
- Exfiltrated configuration files contain hashed credentials that may be subject to offline cracking, potentially escalating compromise across other systems or administrative sessions.
- Newly created generic accounts and expanded VPN access provide persistent footholds and can facilitate lateral movement into enterprise networks.
Solutions:
NCC-CSIRT recommends the following mitigation steps:
- Disable FortiCloud SSO admin access until systems are fully patched and validated.
- Restrict admin interfaces (web/SSH/CLI) to trusted internal networks only.
- Apply all Fortinet PSIRT patches and confirm CVE fixes in release notes.
- Monitor admin and SSO logs for anomalous sessions, new accounts, and configuration changes; enable alerts.
- Correlate configuration changes with authenticated sessions to detect unauthorised activity.
- Immediately rotate all admin credentials and revoke active sessions.
- Treat exported configuration files as potentially compromised and sanitise before reuse.
- Enforce least privilege, MFA, and continuous configuration monitoring for firewall administrators.
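The two monitoring steps above (watch admin/SSO logs for new accounts and configuration changes, and correlate changes with the session that made them) can be scripted against exported event logs. The following is an added example written for this advisory, not Fortinet tooling; the sample lines are constructed in FortiGate's key=value event-log style with invented values, and the only real values are the exfiltration addresses quoted in the advisory.

```python
import re

# IP addresses the advisory associates with configuration exfiltration (listed above, un-defanged).
EXFIL_IPS = {"104.28.244.115", "104.28.212.114", "217.119.139.50", "37.1.209.19"}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample lines: field names follow the usual FortiOS event-log conventions,
# but every time, user and address below is made up for this example.
SAMPLE_LOGS = """\
date=2026-01-16 time=03:12:01 type="event" subtype="system" logdesc="Admin login successful" user="admin" ui="https(203.0.113.9)" msg="Administrator admin logged in successfully"
date=2026-01-16 time=03:12:05 type="event" subtype="system" logdesc="Admin login successful" user="svc_ops" ui="forticloud-sso(198.51.100.7)" msg="Administrator svc_ops logged in via FortiCloud SSO"
date=2026-01-16 time=03:12:09 type="event" subtype="system" logdesc="Object attribute configured" user="svc_ops" ui="forticloud-sso(198.51.100.7)" action="Add" cfgpath="system.admin" cfgobj="support" msg="Add system.admin support"
date=2026-01-16 time=03:12:14 type="event" subtype="system" logdesc="Object attribute configured" user="svc_ops" ui="forticloud-sso(198.51.100.7)" action="Edit" cfgpath="vpn.ssl.settings" cfgobj="" msg="Edit vpn.ssl.settings"
date=2026-01-16 time=03:12:20 type="event" subtype="system" logdesc="Config backup" user="support" ui="https(104.28.244.115)" action="backup" msg="Configuration backed up to 104.28.244.115"
date=2026-01-16 time=09:00:00 type="event" subtype="system" logdesc="Object attribute configured" user="admin" ui="https(203.0.113.9)" action="Edit" cfgpath="firewall.policy" cfgobj="12" msg="Edit firewall.policy 12"
"""

def parse_line(line):
    """Parse one key=value (optionally quoted) event line into a dict."""
    return {k: (q or u) for k, q, u in KV_RE.findall(line)}

def triage(log_text):
    """Return findings for the activity the advisory describes: SSO admin logins,
    new admin accounts, VPN changes, config changes made inside an SSO session,
    and any line that mentions one of the listed exfiltration addresses."""
    findings = []
    sso_sessions = {}  # user -> ui string of that user's most recent SSO login
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("type") != "event":
            continue
        user, ui, cfgpath = ev.get("user", "?"), ev.get("ui", ""), ev.get("cfgpath", "")
        base = {"time": ev.get("time", "?"), "user": user}

        if ev.get("logdesc") == "Admin login successful":
            if "sso" in ui.lower():
                sso_sessions[user] = ui
                findings.append({**base, "rule": "SSO_ADMIN_LOGIN", "detail": ui})
            else:
                sso_sessions.pop(user, None)  # the newest login decides the session type
        if ev.get("action") == "Add" and cfgpath == "system.admin":
            findings.append({**base, "rule": "NEW_ADMIN_ACCOUNT", "detail": ev.get("cfgobj", "")})
        if cfgpath.startswith("vpn."):
            findings.append({**base, "rule": "VPN_CONFIG_CHANGE", "detail": cfgpath})
        if cfgpath and user in sso_sessions:  # correlate the change with the session behind it
            findings.append({**base, "rule": "CONFIG_CHANGE_VIA_SSO_SESSION",
                             "detail": f"{ev.get('action', '')} {cfgpath} from {sso_sessions[user]}"})
        hits = EXFIL_IPS.intersection(IP_RE.findall(raw))
        if hits:
            findings.append({**base, "rule": "KNOWN_EXFIL_IP", "detail": ", ".join(sorted(hits))})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"{f['time']} {f['rule']:30} user={f['user']} {f['detail']}")
```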
References:
- https://thehackernews.com/2026/01/automated-fortigate-attacks-exploit.html
- https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-configuration-changes-fortinet-fortigate-devices-via-sso-accounts/
- https://www.helpnetsecurity.com/2026/01/21/patched-fortigate-compromised-via-cve-2025-59718/
Advisory ID: NCC-CSIRT-2026-001
Summary:
Cybersecurity researchers have uncovered a significant phishing campaign that exploits private messages on LinkedIn to deliver a Remote Access Trojan (RAT) via Dynamic Link Library (DLL) sideloading. Attackers establish trust with targets, often “high-value” individuals such as executives and IT professionals, through LinkedIn direct messages and persuade them to download and execute a malicious self-extracting WinRAR archive. Once executed, the adversary uses DLL sideloading to execute malicious code in the context of a legitimate PDF reader application, leading to a persistent RAT implant that provides remote control and data exfiltration capabilities.
Damage/Probability: High/High
Product(s):
- Microsoft Windows endpoints and servers
- WinRAR self-extracting archive tools used in delivery
- Legitimate PDF reader application used in the sideloading technique
Version(s):
Affects systems where users execute malicious archives delivered via LinkedIn messages and where Windows DLL sideloading is possible (generic Windows; not version-specific).
Platform(s):
- Windows corporate workstations
- Laptops
- Remote devices and unmanaged systems in enterprise environments across sectors, including technology, finance, and professional services.
Description:
In the observed campaign, attackers contact victims via LinkedIn direct messages (DMs) under professional pretexts and entice them to download a WinRAR self-extracting archive (SFX). When executed, this archive unpacks multiple components, including:
- A legitimate open-source PDF reader,
- A malicious DLL placed for sideloading,
- A portable Python interpreter executable, and
- A decoy RAR file to distract or reassure the user. (TechBooky)
The attack exploits DLL sideloading, a Windows behavior where an application loads a DLL from its own directory before the system path, enabling a rogue DLL to execute code under the guise of a trusted application. When the PDF reader launches, it loads the malicious DLL, which then installs the bundled Python interpreter and creates a Windows Registry Run key to ensure the interpreter starts automatically at each user login. (TechBooky)
Once running, the Python interpreter decodes and executes Base64-encoded shellcode directly in memory, a technique that avoids writing additional malicious executables to disk and helps evade forensic detection. The final payload establishes a remote connection to attacker-controlled infrastructure, providing persistent remote access and control. (LinkedIn)
Security researchers have noted that multiple malware families (e.g., LOTUSLITE, PDFSIDER) have been delivered using similar DLL sideloading techniques in concurrent campaigns.
Threat Types:
- Social media-based phishing for initial access (LinkedIn direct messages).
- DLL sideloading (defence evasion leveraging legitimate application).
- Remote Access Trojan (RAT) deployment for persistent remote control and data theft.
- Persistence via registry autorun key creation.
Impacts:
- Attackers gain persistent interactive access to compromised hosts, enabling credential theft, system manipulation, and lateral movement across networks.
- RAT malware may steal sensitive information, including intellectual property and personal data.
- Use of DLL sideloading hides malicious execution under the context of a trusted process, complicating detection by traditional endpoint security tools.
- Social media private messaging becomes a significant vector outside traditional email security controls.
Solutions:
NCC-CSIRT recommends the following mitigation steps:
- Block access to known malicious domains and links distributed via LinkedIn DMs.
- Quarantine affected systems and perform full malware scans using up-to-date signatures.
- Remove unauthorized Registry Run keys and Python interpreter instances established by the attack.
- Update endpoint protection to include heuristics for DLL sideloading behavior and unusual interpreter executions.
- Enforce application allow-listing to restrict execution of unknown or unapproved software.
- Conduct phishing simulations, including social media scenarios, to increase employee awareness of non-email phishing vectors.
- Recognize LinkedIn and other social platforms as potential attack vectors, not just email, and expand monitoring accordingly.
- Educate staff on social engineering risks inherent in professional networking platforms.
- Integrate DLL sideloading and interpreter execution detection into SOC and SIEM rules.
- Implement multi-layered endpoint controls, including application allow-listing, script blocking, and EDR with behavioral analysis.
- Block delivery domains and suspicious WinRAR SFX files; isolate hosts showing unusual DLL loads.
- Deploy endpoint rules to detect sideloaded DLLs and unauthorized interpreter execution.
- Expand phishing training beyond email to include social media threats; adopt zero-trust policies for endpoint execution.
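The detection rules recommended above (sideloaded DLLs, Run-key persistence, unauthorized interpreter execution) can be expressed over endpoint telemetry. The following is an added example written for this advisory, not vendor or SOC-product code: it walks Sysmon-style records (image load, registry value set, process create) looking for the three links of the chain described in the Description section. The records, paths and names are constructed; the PDF reader file name is a placeholder, not the application used in the campaign.

```python
import ntpath  # Windows path semantics, so the analysis also runs on a Linux analysis host

SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)

def in_user_writable_dir(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)

def first_executable(command_line):
    """Return the executable portion of a Run-key value or command line."""
    command_line = command_line.strip()
    if command_line.startswith('"'):
        return command_line[1:].split('"', 1)[0]
    return command_line.split(" ", 1)[0]

def analyze(events):
    """Return (rule, event) pairs for the sideloading/persistence chain described above."""
    hits = []
    for ev in events:
        if ev["EventID"] == 7:  # image (DLL) load
            proc, dll = ev["Image"], ev["ImageLoaded"]
            same_dir = ntpath.dirname(proc).lower() == ntpath.dirname(dll).lower()
            # a DLL picked up from the application's own directory, outside system paths, unsigned
            if same_dir and not in_system_dir(proc) and ev.get("Signed", "false").lower() == "false":
                hits.append(("UNSIGNED_DLL_SIDELOADED_FROM_APP_DIR", ev))
        elif ev["EventID"] == 13:  # registry value set
            exe = first_executable(ev["Details"])
            if "\\currentversion\\run\\" in ev["TargetObject"].lower() and (
                    ntpath.basename(exe).lower().startswith("python") or in_user_writable_dir(exe)):
                hits.append(("RUN_KEY_AUTOSTART_INTERPRETER_OR_USER_PATH", ev))
        elif ev["EventID"] == 1:  # process create
            img = ev["Image"]
            if ntpath.basename(img).lower().startswith("python") and in_user_writable_dir(img):
                hits.append(("INTERPRETER_RUN_FROM_USER_WRITABLE_DIR", ev))
    return hits

# Constructed Sysmon-style records (field names follow Sysmon; every path and name is invented).
APP = r"C:\Users\alice\AppData\Local\Temp\Contract\pdfreader.exe"
PYRT = r"C:\Users\alice\AppData\Roaming\pyrt\python.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": APP, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": APP, "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "Image": APP, "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Contract\helper.dll",
     "Signed": "false"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": f'"{PYRT}" C:\\Users\\alice\\AppData\\Roaming\\pyrt\\stage.py'},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"EventID": 1, "Image": PYRT, "ParentImage": APP},
    {"EventID": 1, "Image": r"C:\Python312\python.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for rule, ev in analyze(SAMPLE_EVENTS):
        print(rule, ev.get("ImageLoaded") or ev.get("Details") or ev.get("Image"))
```

A system-wide Python install (the last record) is deliberately not flagged; the rule keys on interpreters run from, or autostarted out of, user-writable locations.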
References:
- https://thehackernews.com/2026/01/hackers-use-linkedin-messages-to-spread.html
- https://cybernews.com/security/linkedin-phishing-campaign-targets-execs-weaponized-files/
- https://www.scworld.com/news/phishing-campaign-exploits-linkedin-messages-via-dll-sideloading
- https://www.linkedin.com/posts/david-sehyeon-baek-5a96a9109_cybersecurity-phishing-linkedin-activity-7419526336001568768-3dX3/
- https://www.techbooky.com/how-hackers-spread-rat-malware-via-dll-sideloading-in-linkedin-messages/
- https://www.secnews.gr/684397/hackers-linkedin-rat-dll-sideloading/
Advisory ID: ngCERT-2026-010001
SUMMARY
ngCERT is aware of a critical remote code execution (RCE) vulnerability, nicknamed Ni8mare, affecting the popular n8n open-source workflow automation platform. The vulnerability, tracked as CVE-2026-21858 with a critical CVSS score of 10.0, allows unauthorised remote attackers to fully compromise vulnerable instances, often without any interaction by legitimate users. It stems from improper request parsing and Content-Type handling in form/webhook workflows: a specific logic bug allows crafted HTTP requests to bypass input validation, thereby exposing sensitive configuration files, credentials, and other confidential data on the underlying server. The vulnerability affects older versions of the n8n workflow automation platform. Organisations and businesses using this platform are strongly advised to patch immediately to version 1.121.0 or higher, coupled with access restrictions and monitoring for signs of exploitation.
Damage: Critical (CVSS: 10.0)
Probability: High
Platform(s): n8n AI Automation Software
CONSEQUENCES
Successful exploitation of the Ni8mare vulnerability may lead to:
- Unauthenticated Remote Code Execution (RCE).
- Full Server Compromise.
- Sensitive Data Exposure.
- Administrator Session Forging.
SOLUTION/MITIGATION
Organisations are strongly advised to apply these mitigations:
- Isolate n8n services network-wise from critical systems where possible.
- Review automated workflow designs for overly broad input acceptance.
- Avoid exposing n8n instances to the public internet unless necessary and restrict access via firewalls, VPN, or internal networks.
- Require authentication for all forms and webhook endpoints, and temporarily disable or block publicly accessible webhook/form endpoints until patched.
- Patch/upgrade: upgrade n8n to version 1.121.0 or later.
- Review and rotate all sensitive secrets stored in n8n (API keys, tokens, encryption secrets) if exposure is suspected.
- Monitor logs and network activity for unusual access patterns and implement intrusion detection or web application firewall rules tailored to n8n webhook traffic anomalies (e.g., malformed Content-Type requests).
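The last mitigation asks for WAF rules tuned to malformed Content-Type requests on n8n webhook traffic. As an added example (written for this advisory, not n8n's own code, and not a reproduction of the flawed parsing itself), here is a strict Content-Type gate that a reverse proxy or WAF layer can apply before body-bearing requests reach form/webhook routes: it enforces the RFC 7231 media-type grammar, an allowlist, single-valued headers and a real multipart boundary. The route prefixes and the allowlist are assumptions to adjust per deployment.

```python
import re

TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"                 # RFC 7230 token characters
MEDIA_RE = re.compile(rf"^({TCHAR})/({TCHAR})$")
PARAM_RE = re.compile(rf'^({TCHAR})=({TCHAR}|"(?:[^"\\\x00-\x1f\x7f]|\\[\x09\x20-\x7e])*")$')
BOUNDARY_RE = re.compile(r"^[0-9A-Za-z'()+_,\-./:=? ]{0,69}[0-9A-Za-z'()+_,\-./:=?]$")  # RFC 2046

# Assumed allowlist for form/webhook bodies; narrow it to what your workflows actually accept.
ALLOWED = {"application/json", "application/x-www-form-urlencoded", "multipart/form-data"}
# Assumed n8n route prefixes that carry user-supplied bodies; adjust to your deployment.
WEBHOOK_PREFIXES = ("/webhook/", "/webhook-test/", "/form/")

def validate_content_type(value, allowed=ALLOWED):
    """Return (ok, reason). Rejects anything the strict grammar or allowlist does not cover."""
    if value is None:
        return False, "missing Content-Type"
    if len(value) > 256 or not value.isascii() or not value.isprintable():
        return False, "non-printable, non-ASCII or oversized header"
    parts = [p.strip() for p in value.split(";")]   # parameters never legitimately contain ';'
    if "," in parts[0]:
        return False, "multiple media types in one header"
    if not MEDIA_RE.match(parts[0]):
        return False, "malformed media type"
    media = parts[0].lower()
    if media not in allowed:
        return False, f"media type not allowed: {media}"
    params = {}
    for p in parts[1:]:
        m = PARAM_RE.match(p)
        if not m:
            return False, f"malformed parameter: {p!r}"
        name = m.group(1).lower()
        if name in params:
            return False, f"duplicate parameter: {name}"
        params[name] = m.group(2)
    if media == "multipart/form-data":
        boundary = params.get("boundary", "").strip('"')
        if not BOUNDARY_RE.match(boundary):
            return False, "multipart without a valid boundary"
    return True, media

def gate(method, path, headers):
    """Front-door decision for a request; headers is a list of (name, value) pairs as received."""
    if method not in ("POST", "PUT", "PATCH") or not path.startswith(WEBHOOK_PREFIXES):
        return True, "not gated"
    cts = [v for n, v in headers if n.lower() == "content-type"]
    if len(cts) > 1:
        return False, "repeated Content-Type header"
    return validate_content_type(cts[0] if cts else None)
```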
Advisory ID: NCC-CSIRT-2025-030
Summary:
React Server Components (RSC) are a new paradigm in the React ecosystem that allows developers to render components exclusively on the server.
A critical remote-code-execution vulnerability known as React2Shell (CVE-2025-55182) in React Server Components and some frameworks like Next.js continues to be actively exploited by threat actors to deliver malware, including ZnDoor, a sophisticated remote access trojan targeting network-connected systems. The vulnerability enables attackers to execute arbitrary shell commands via specially crafted HTTP requests, leading to post-exploitation deployment of ZnDoor, which provides interactive shells, file operations, SOCKS5 proxy capability, system enumeration, and remote command execution. Attackers configure ZnDoor to maintain persistent connectivity to command-and-control infrastructure, making affected systems a potential foothold for further lateral movement or network compromise.
Damage/Probability: Critical/High
Indicators of Compromise (IoCs):
- Outbound HTTPS connections to known C2 hosts (e.g., api.qtss.cc:443).
- System processes bearing names that mimic legitimate daemons but running unexpected payloads.
- Persistent HTTP POST beaconing intervals (e.g., ~1 second).
- Unexpected shell sessions or files downloaded via /bin/sh commands from external servers (e.g., 45.76.155.14).
Product(s):
- React Server Components (RSC) and dependent frameworks such as React 19.x and Next.js 15.x/16.x used in server-side web applications
- Network-facing web servers and API endpoints running vulnerable server components
- Linux and Unix-based systems that serve React2Shell-enabled applications
Version(s):
React Server Components versions affected by CVE-2025-55182 (older releases of RSC before patched builds) and certain implementations of Next.js that incorporate the same vulnerable deserialization logic.
Platform(s):
Cloud, enterprise, and web-application hosting platforms running vulnerable React/Next.js server components; any Linux-based infrastructure serving affected applications
Description:
The React2Shell vulnerability (CVE-2025-55182) is a critical weakness in React Server Components and some dependent frameworks (e.g., Next.js) that enables unauthenticated remote code execution through unsafe handling of user-controlled input in server deserialization logic. This flaw allows attackers to execute arbitrary commands on web servers hosting vulnerable applications.
Security researchers (e.g., NTT Security, Palo Alto Networks Unit 42) have observed active exploitation of React2Shell to deliver the ZnDoor malware. ZnDoor is deployed via a shell command executed on a compromised host that fetches the payload from a remote server and immediately connects back to a command-and-control (C2) server over HTTPS. Once active, ZnDoor beacons every second, transmitting system attributes such as hostname, username, network configuration, and process identifiers to the attacker. Its command processing supports interactive shell access, file upload/download, directory listing, file removal, and SOCKS5 proxy initiation.
To evade detection, ZnDoor quietly disguises its process name to mimic legitimate system services and alters file timestamps to older dates, thwarting simple forensic analysis. It also respawns child processes to maintain execution if an initial instance fails or is terminated.
Threat Types:
- Exploitation of React2Shell (CVE-2025-55182), a critical unauthenticated (pre-auth) RCE.
- Remote access trojan deployment (ZnDoor) with broad command capabilities.
- Network tunnelling and proxy abuse (SOCKS5 activation).
- Process disguise and forensic evasion techniques (spoofed process names, timestamp manipulation).
Impacts:
- Attackers can gain shell access to run commands, steal data, and alter files on compromised systems.
- ZnDoor enables proxying and tunnelling through infected hosts, aiding lateral movement and evasion.
- Persistent C2 beaconing ensures continuous attacker access and control.
- Masquerading and timestamp tampering hinder detection and forensic analysis.
- React2Shell exposes many internet-facing React-based applications to exploitation if unpatched.
Solutions:
NCC-CSIRT recommends the following mitigation steps:
- Patch React Server Components and Next.js to remediate the React2Shell vulnerability.
- Use WAFs and reverse proxies to block malformed or exploit-triggering HTTP requests.
- Enforce least privilege on web servers and restrict shell command execution.
- Isolate compromised hosts, conduct forensics, and rebuild from trusted images.
- Rotate exposed credentials and cryptographic keys after containment.
- Enable enhanced web and network logging to detect exploitation attempts.
- Ensure developers use only patched React and related dependencies.
- Prepare for rapid isolation and malware hunting using EDR tools.
- Patch vulnerable systems and block known React2Shell exploit signatures.
- Deploy WAF rules and monitor for unusual HTTPS POST beaconing.
- Integrate dependency scanning into CI/CD and production workflows.
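The IoC list and the last mitigations point at one signal that survives process-name spoofing and timestamp tampering on the host: the ~1 second HTTPS POST beacon to the C2. As an added example written for this advisory (not Unit 42 or NTT tooling), the following flags (source, destination) pairs in egress-proxy logs whose POST inter-arrival times are nearly constant, and separately matches the C2 host and download server named above. The log lines are constructed in a simple `timestamp src dst:port method` format.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev

# Hosts from the advisory's IoC list: the C2 endpoint and the server the payload was fetched from.
KNOWN_C2 = {"api.qtss.cc", "45.76.155.14"}

def make_sample():
    """Constructed egress-proxy log lines: '<iso-timestamp> <src-ip> <dst-host:port> <method>'."""
    base = datetime(2025, 12, 3, 10, 0, 0)
    fmt = lambda t: t.isoformat(timespec="milliseconds")
    lines = []
    # ~1 s POST beacon with slight jitter, as the advisory describes for ZnDoor.
    for i in range(30):
        lines.append(f"{fmt(base + timedelta(seconds=i + (i % 3) * 0.01))} 10.0.5.21 api.qtss.cc:443 POST")
    # Ordinary, irregular POST traffic from another host (must not be flagged).
    t = base
    for gap in (0.5, 7, 40, 3, 120, 1, 15, 60, 2, 9, 30):
        t += timedelta(seconds=gap)
        lines.append(f"{fmt(t)} 10.0.5.22 www.example.com:443 POST")
    # A short POST burst (too few events to judge) and some GETs, which are ignored.
    for i in range(3):
        lines.append(f"{fmt(base + timedelta(seconds=i * 2))} 10.0.5.21 updates.example.org:443 POST")
        lines.append(f"{fmt(base + timedelta(seconds=i * 2))} 10.0.5.21 www.example.com:443 GET")
    return lines

def parse(line):
    ts, src, dst, method = line.split()
    return datetime.fromisoformat(ts).timestamp(), src, dst.rsplit(":", 1)[0], method

def detect_beacons(lines, min_events=10, max_cv=0.15):
    """Flag (src, host) pairs that POST at near-constant intervals, plus any contact with known C2."""
    by_pair, c2_contacts = defaultdict(list), Counter()
    for line in lines:
        t, src, host, method = parse(line)
        if host in KNOWN_C2:
            c2_contacts[(src, host)] += 1
        if method == "POST":
            by_pair[(src, host)].append(t)
    findings = [{"rule": "KNOWN_C2_HOST", "src": s, "host": h, "count": n}
                for (s, h), n in c2_contacts.items()]
    for (src, host), ts in by_pair.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m > 0 else 0.0  # coefficient of variation: low means periodic
        if cv <= max_cv:
            findings.append({"rule": "PERIODIC_POST_BEACON", "src": src, "host": host, "count": len(ts),
                             "interval_s": round(median(gaps), 2), "cv": round(cv, 3)})
    return findings

if __name__ == "__main__":
    for f in detect_beacons(make_sample()):
        print(f)
```

Jitter-heavy beacons raise the coefficient of variation; raise `max_cv` or bucket intervals before applying this to real proxy data.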
References:
Advisory ID: NCC-CSIRT-2025-029
Summary:
Cisco has issued an urgent security advisory warning of active exploitation of a critical zero-day vulnerability (CVE-2025-20393) in its AsyncOS software, used on Cisco Secure Email Gateway (SEG) and Cisco Secure Email and Web Manager (SEWM) appliances. The flaw has a CVSS score of 10.0, allowing unauthenticated remote code execution with root privileges when the Spam Quarantine feature is enabled and exposed to the internet, conditions present in some deployed environments.
Cisco Talos, the company’s threat intelligence team, has linked the ongoing attacks to a China-nexus advanced persistent threat actor tracked as UAT-9686, which has been active since at least November 2025. The actor uses the exploited systems to deploy persistent backdoors and tunneling tools, enabling deep, covert access.
Damage/Probability: Critical/High
Product(s):
- Cisco Secure Email Gateway (SEG) appliances
- Cisco Secure Email and Web Manager (SEWM) appliances
- Cisco AsyncOS software powering SEG/SEWM
Version(s):
- Cisco Secure Email Gateway (SEG) appliances
- Cisco Secure Email and Web Manager (SEWM) appliances
- Cisco AsyncOS software powering SEG/SEWM
Platform(s):
Enterprise and government email security infrastructure using Cisco SEG or SEWM appliances.
Description:
The vulnerability CVE-2025-20393 arises from improper input validation in the Spam Quarantine feature of Cisco AsyncOS. When the Spam Quarantine web interface is enabled and accessible from the internet, unauthenticated attackers can send crafted requests that bypass authentication and lead to arbitrary root code execution on the appliance.
Cisco became aware of active exploitation of this flaw on 10 December 2025 and has confirmed that victims include SEG and SEWM appliances with non-standard configurations (Spam Quarantine enabled and reachable externally).
The threat actor, tracked as UAT-9686, has deployed a toolkit comprising:
- AquaShell: a lightweight persistent backdoor used to maintain access.
- AquaTunnel (Reverse SSH): to facilitate secure reverse connections.
- Chisel: a TCP/UDP tunneling tool for flexible remote access.
- AquaPurge: a utility to clear logs and hinder forensic analysis.
Cisco Talos assesses that the attacker's toolset and infrastructure are consistent with other China-linked threat groups and notes that similar implants have previously been attributed to UNC5174 and other state-aligned actors.
Threat Types:
- Unauthenticated Remote Code Execution (RCE) via AsyncOS zero-day
- Deployment of persistent backdoors (e.g., AquaShell)
- Reverse SSH tunnels (e.g., AquaTunnel, Chisel)
- Log purging/evasion tools (e.g., AquaPurge)
- High-profile APT exploitation (espionage, persistent foothold)
Impacts:
- Full appliance compromise: Exploitation can give attackers root-level control of Cisco email security devices.
- Email data exposure: Sensitive email traffic can be intercepted, modified, or exfiltrated.
- Persistent access: Backdoors and encrypted tunnels enable long-term remote access.
- Detection evasion: Log-wiping tools hinder detection and incident response.
- Espionage risk: APT exploitation raises the risk of targeted attacks on government, critical infrastructure, and enterprises.
Solutions:
NCC-CSIRT recommends the following mitigation steps:
- Verify if Spam Quarantine is internet-exposed and restrict access via firewall, ACLs, or VPN.
- Temporarily disable Spam Quarantine where business operations allow.
- Restrict management interfaces (HTTP/HTTPS) to trusted networks only.
- Enforce strong passwords, MFA for admin access, and disable unused services.
- Review web logs and admin activity for signs of exploitation.
- Hunt for reverse SSH tunnels and tools such as AquaShell, AquaTunnel, or Chisel.
- Monitor Cisco advisories and apply patches immediately when released.
- Enforce network segmentation to limit access to AsyncOS management services.
- Block direct internet access to the Spam Quarantine interface where possible.
- Monitor for RPC/HTTP POST abuse and reverse SSH activity.
- Harden management plane access and prepare for rapid patch deployment.
References:
- https://thehackernews.com/2025/12/cisco-warns-of-active-attacks.html
- https://www.bleepingcomputer.com/news/security/cisco-warns-of-unpatched-asyncos-zero-day-exploited-in-attacks/
- https://www.threads.com/@thehackernews/post/DSZBprQj5M5