ATLAS · LIVE
ATLAS INDEX
Δ 24H
ACTIVE SOURCES20
HOTSPOTS20
TIME20:41:50 UTC
← All briefs
HIGHCyber IntelligenceTuesday, May 26, 2026

Japanese LMS Zero-Day Delivered Godzilla Shell, Cobalt Strike

KnowledgeDeliver learning platform exploited via hard-coded cryptographic keys before vendor patched critical flaw affecting Japanese enterprise customers.

A high-severity vulnerability in Digital Knowledge's KnowledgeDeliver — a learning management system widely deployed across Japanese enterprises — was exploited as a zero-day to install the Godzilla web shell and subsequently deploy Cobalt Strike Beacon.

The flaw, now tracked as CVE-2026-5426 with a CVSS score of 7.5, stems from hard-coded ASP.NET machine keys embedded in the platform. These static cryptographic keys allowed attackers to forge authentication tokens and gain unauthorized access to affected systems. The vulnerability has since been patched, but exploitation occurred before disclosure.

Godzilla is a modular web shell favored by Chinese-speaking threat actors; Cobalt Strike is a commercial penetration testing toolkit routinely repurposed for post-exploitation activity. The pairing suggests a targeted intrusion with objectives beyond initial access — likely data exfiltration, lateral movement, or persistent access establishment.

The rest of this brief is inside the platform

Continue reading. Free.

A free Atlas account unlocks the full briefing, the co-analyst, daily delivery to your inbox, and a sector-personalised feed.

Full brief
Implications, sources, methodology
Co-Analyst
Ask follow-ups on every brief
Sector feed
Briefs filtered to what matters to you
Implications
  • 01Japanese enterprises using KnowledgeDeliver face potential breach exposure if unpatched.
  • 02Incident responders should hunt for Godzilla shell and Cobalt Strike indicators in LMS environments.
  • 03Vendors embedding static keys in authentication flows remain high-value targets for credential forgery attacks.
Source
The Hacker News
https://thehackernews.com/2026/05/knowledgedeliver-lms-flaw-exploited-to.html
Brief is editorial commentary by Atlas Intelligence based on the cited public reporting. Atlas does not reproduce source text. Verify primary source before action.
#zero-day#web shell#cobalt strike#japan#lms#cve-2026-5426
Related Briefs