Japanese LMS Zero-Day Delivered Godzilla Shell, Cobalt Strike
KnowledgeDeliver learning platform exploited via hard-coded cryptographic keys before vendor patched critical flaw affecting Japanese enterprise customers.
A high-severity vulnerability in Digital Knowledge's KnowledgeDeliver — a learning management system widely deployed across Japanese enterprises — was exploited as a zero-day to install the Godzilla web shell and subsequently deploy Cobalt Strike Beacon.
The flaw, now tracked as CVE-2026-5426 with a CVSS score of 7.5, stems from hard-coded ASP.NET machine keys embedded in the platform. These static cryptographic keys allowed attackers to forge authentication tokens and gain unauthorized access to affected systems. The vulnerability has since been patched, but exploitation occurred before disclosure.
Godzilla is a modular web shell favored by Chinese-speaking threat actors; Cobalt Strike is a commercial penetration testing toolkit routinely repurposed for post-exploitation activity. The pairing suggests a targeted intrusion with objectives beyond initial access — likely data exfiltration, lateral movement, or persistent access establishment.
- Japanese enterprises using KnowledgeDeliver face potential breach exposure if unpatched.
- Incident responders should hunt for Godzilla shell and Cobalt Strike indicators in LMS environments.
- Vendors embedding static keys in authentication flows remain high-value targets for credential forgery attacks.
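As an added defender's check that is not part of this report or the vendor's code, the following Python script audits an ASP.NET web.config for the static machineKey pattern behind this flaw and for the legacy algorithms often paired with it. The two config fragments are constructed samples, not KnowledgeDeliver's actual configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments for illustration; not taken from any product.
STATIC_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789"
                decryptionKey="ABCDEF0123456789ABCDEF0123456789"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

SAFE_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

WEAK_ALGORITHMS = {"MD5", "SHA1", "3DES", "DES"}


def audit_machine_key(config_xml: str) -> dict:
    """Classify every <machineKey> element in a web.config.

    A literal hex value in validationKey/decryptionKey means the key is fixed in
    the shipped file: every install built from it shares the same key, so one
    leaked copy lets forged authentication tokens validate everywhere. The
    ASP.NET default (AutoGenerate,IsolateApps) keeps keys per host instead.
    """
    findings = {"static_keys": [], "weak_algorithms": [], "machine_keys_found": 0}
    root = ET.fromstring(config_xml)
    for node in root.iter("machineKey"):  # also catches keys nested under <location>
        findings["machine_keys_found"] += 1
        for attr in ("validationKey", "decryptionKey"):
            value = node.get(attr, "AutoGenerate")  # absent attribute means the safe default
            if not value.upper().startswith("AUTOGENERATE"):
                findings["static_keys"].append(attr)
        for attr in ("validation", "decryption"):
            algo = node.get(attr, "").upper()
            if algo in WEAK_ALGORITHMS:
                findings["weak_algorithms"].append(f"{attr}={algo}")
    return findings


def is_at_risk(config_xml: str) -> bool:
    """True when any key is static; remediation is rotating to per-host keys and invalidating sessions."""
    return bool(audit_machine_key(config_xml)["static_keys"])
```

Run it against every web.config under the application root, including vendor-shipped copies in backups or installer media, since a key that appears in more than one deployment is by definition not secret.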
Ransomware attack executed entirely by AI agent, researchers report
JadePuffer operation marks what may be the first documented case of a fully autonomous LLM-driven ransomware deployment from reconnaissance to encryption.
Agentic AI Executes Multi-Stage Ransomware Attack via Langflow
Demonstration shows large language model agents autonomously combining exploitation techniques with real-time reasoning to conduct complex intrusions without human intervention.
FortiBleed Attackers Monetize Firewall Access Through Ransomware Partnerships
Actors who compromised thousands of Fortinet devices are now collaborating with Inc and Lynx ransomware groups, adding Nextcloud exploitation to their toolkit.