Mark Manglicmot, SVP of Security Services from Arctic Wolf, is sharing their research on "Cleopatra’s Shadow: A Mass Exploitation Campaign Deploying a Java Backdoor Through Zero-Day Exploitation of Cleo MFT Software." Arctic Wolf Labs discovered an ongoing exploitation campaign targeting Cleo Managed File Transfer (MFT) products, beginning on December 7, 2024. Threat actors used a malicious PowerShell stager to deploy a Java-based backdoor, dubbed Cleopatra, which features in-memory file storage and cross-platform compatibility across Windows and Linux.
Despite Cleo's previous patch for CVE-2024-50623, attackers appear to have leveraged an alternative access method, exploiting the software's autorun feature to execute payloads and establish persistent access.
The research can be found here:
Cleopatra’s Shadow: A Mass Exploitation Campaign Deploying a Java Backdoor Through Zero-Day Exploitation of Cleo MFT Software
Learn more about your ad choices. Visit megaphone.fm/adchoices
Cleo’s trojan horse. [Research Saturday] | CyberWire Daily podcast - Listen or read transcript on Metacast
![Cleo’s trojan horse. [Research Saturday] - podcast episode cover](https://megaphone.imgix.net/podcasts/3d0836ae-e572-11ef-81af-6f8e38e4bed2/image/95b72a93c2ffaf8ff900d662a9bd3735.png?ixlib=rails-4.3.1&max-w=3000&max-h=3000&fit=crop&auto=format,compress)
