ctipilot.ch

Apex2

tool · tool:apex2-botnet single-source

Golang-based IoT/Linux/Windows DDoS botnet, a structural evolution of the earlier Apex botnet, delivered via Telnet credential brute-force; supports a Cloudflare-bypass HTTP(S) flood ('cf'), UDP/game/Discord floods, and TLS floods; Linux builds cover arm/arm64/mipsle/ppc64 (Nozomi Networks Labs, 2026-07-06).

Aliases: Apex

Coverage timeline
6
first 2026-05-18 → last 2026-07-09
Entries
6
4 distinct days
Sources cited
14
13 hosts
Sections touched
4
active-threats, trending-vulnerabilities, weekly-annual-reports
Co-occurring entities
6
see Related entities below
2026-05-186 appearances2026-07-09

Story timeline

  1. 2026-07-09Nozomi documents two new Golang IoT/Linux DDoS botnets (Apex2, c2c/meow) built for speed and reuse over sophistication
    active-threatsTwo Golang DDoS botnets, Apex2 and c2c/meow, flood exposed Telnet/SSH Linux and IoT with fake-systemd persistence and passwordless-sudo escalation
  2. 2026-05-28ILIAS LMS — nine fixes shipped 2026-05-27, two critical access-control gaps (CVSS 9.8 + 9.3), NCSC.ch flags SOAP interface as primary unauthenticated attack surface
    active-threatsILIAS LMS — nine fixes shipped 2026-05-27, two critical access-control gaps (CVSS 9.8 + 9.3), NCSC.ch flags SOAP interface as primary unauthenticated attack
  3. 2026-05-22CVE-2026-34926 — Trend Micro Apex One On-Premise: post-auth directory traversal by admin-credential holder injects code deployed fleet-wide to all managed agents (CISA KEV, ITW)
    trending-vulnerabilitiesCVE-2026-34926 — Trend Micro Apex One On-Premise: post-auth directory traversal by admin-credential holder injects code deployed fleet-wide to all managed
  4. 2026-05-22CVE-2026-20223 — Cisco Secure Workload: CVSS 10.0 zero-auth REST API grants Site Admin privileges across all tenants, no workaround
    trending-vulnerabilitiesCVE-2026-20223 — Cisco Secure Workload: CVSS 10.0 zero-auth REST API grants Site Admin privileges across all tenants, no workaround
  5. 2026-05-18Verizon 2026 DBIR — vulnerability exploitation is the #1 breach vector for the first time in 19 years; patching cadence regressed
    weekly-annual-reportsVerizon 2026 DBIR — vulnerability exploitation is the #1 breach vector for the first time in 19 years; patching cadence regressed
  6. 2026-05-18Two CISA KEV additions under active exploitation — Trend Micro Apex One and Langflow
    weekly-top-storiesTwo CISA KEV additions under active exploitation — Trend Micro Apex One and Langflow

Where this entity is cited

  • trending-vulnerabilities2
  • active-threats2
  • weekly-top-stories1
  • weekly-annual-reports1

Source distribution

  • security-hub.ncsc.admin.ch2 (14%)
  • cisa.gov1 (7%)
  • docu.ilias.de1 (7%)
  • helpnetsecurity.com1 (7%)
  • industrialcyber.co1 (7%)
  • jpcert.or.jp1 (7%)
  • nozominetworks.com1 (7%)
  • sec.cloudapps.cisco.com1 (7%)
  • other5 (36%)

Related entities

All cited sources (14)

Entries about Apex2 (6)

2026-07-09 · view entry permalink →

NOTABLE

Nozomi documents two new Golang IoT/Linux DDoS botnets (Apex2, c2c/meow) built for speed and reuse over sophistication

Nozomi Networks Labs' AI-assisted honeypot triage flagged two Golang-based DDoS botnet samples this spring that stand out from the routine volume of Mirai-derived variants: Apex2 and c2c (distributed under the filename "meow") (Nozomi Networks Labs, 2026-07-06). Apex2 is a direct structural evolution of the earlier Apex botnet: infection begins with Telnet connections and credential brute-forcing, followed by download-and-execute of the Golang payload, which registers with its C2 over a plaintext protocol (host OS/architecture) and ships builds for Linux (arm, arm64, mipsle, ppc64) and Windows (386, amd64). Its named flood commands include cf (an HTTP(S) flood specifically tuned to bypass Cloudflare via randomized User-Agent lists and long keep-alive timeouts), udp/pps, discord/game UDP floods, and three TLS-flood variants (tls, tlsplus, tlsplusbypass). c2c/meow is architecturally simpler — a Golang flooder with no built-in propagation (a separate SSH scanner handles brute-forcing and delivery) that authenticates to a hardcoded C2 over plaintext JSON-over-TCP, checks for passwordless sudo (sudo -n true) to self-escalate, then persists by copying itself to /usr/local/bin/cpufreqd and registering a fake systemd unit masquerading as a "CPU Frequency Daemon" — supporting ten flood-module types (icmp, dnsudp, udp, http, directhttp, fasthttp, betterhttp, tcp, tcphandshake, dnstcp).

Nozomi's stated point for defenders is that neither family is sophisticated — both lean on commodity Golang tooling, weak/default credentials and exposed Telnet/SSH interfaces rather than novel exploitation — and that the lack of sophistication does not reduce the risk at scale, because the build-and-deploy cycle for such botnets is getting faster. ATT&CK mapping: T1110 Brute Force (Telnet/SSH), T1105 Ingress Tool Transfer, T1548.003 Abuse Elevation Control Mechanism: Sudo (c2c's passwordless-sudo self-escalation), T1543.002 Create or Modify System Process: Systemd Service with T1036.005 Masquerading (the fake cpufreqd unit), and T1498 Network Denial of Service for the flood modules.

It checks whether passwordless sudo is available by running sudo -n true and evaluating the return value. If successful, it relaunches itself with increased privileges, copies to /usr/local/bin/cpufreqd, and creates a fake systemd service named "CPU Frequency Daemon"

In both cases, the emphasis is not on sophistication, but on speed, reuse and scalability.

Nozomi Networks Labs 2026-07-06
threat09 Jul 12:33Zsingle-sourceOpen finding ↗

2026-05-28 · view entry permalink →

HIGH

ILIAS LMS — nine fixes shipped 2026-05-27, two critical access-control gaps (CVSS 9.8 + 9.3), NCSC.ch flags SOAP interface as primary unauthenticated attack surface

The ILIAS Security Group released a coordinated nine-issue security update on 2026-05-27 covering the open-source Learning Management System that dominates the CH/DE/AT public-sector e-learning estate: Swiss federal training portals, NATO DEEP ADL, and the majority of Swiss and German university LMS deployments (ILIAS Security Blog, 2026-05-27; NCSC-CH, 2026-05-27; BSI CERT-Bund WID-SEC-2026-1689, 2026-05-27). CVE identifiers were not assigned in the BSI CSAF document; the vendor uses internal MantisBT IDs.

Two issues are rated critical by the vendor. MantisBT 0047787 (CVSS 4.0: 9.8) is a missing access-control check in TileImageUploadHandler; an attacker with network access to the upload endpoint can write arbitrary files, bypassing authentication entirely — the textbook prerequisite for arbitrary file write to RCE on a PHP application. MantisBT 0047691 (CVSS 4.0: 9.3) is a post-auth SQL injection in the MyStaff module. Companion high-severity findings: MantisBT 0047581 (CVSS 8.7) — broken access-control in the SOAP interface permitting unauthenticated SOAP calls; MantisBT 0047472 (CVSS 7.1) — SQL injection reachable via the SOAP API; MantisBT 0047770 (CVSS 8.5) and 0047778 (CVSS 8.1) — sort-field and SCORM2004-module SQLi paths; MantisBT 0047258 — unauthorized SOAP function calls.

Why it matters to us: ILIAS is mission-critical for Swiss federal civil-servant training and Swiss/DACH academic certification — a compromise of the LMS exposes course content, learner PII, certification records, and any HR/IDP integration on the SOAP interface. NCSC.ch's recommended interim mitigation is to disable the SOAP interface on any deployment that does not require it for enterprise HR / SIS integration. Patched branches: 9.20, 10.8, 11.1. Detection concepts: monitor web-server access logs for POSTs to TileImageUploadHandler without a valid session cookie; flag any request to /ilias.php?baseClass=ilSOAPExplorer or the SOAP WSDL endpoint from non-internal source IPs. Hardening: AppArmor/SELinux profile constraining php-fpm writeable paths to content directories; reverse-proxy ACL blocking external access to /webservice/soap/ until patched.

threat28 May 05:00Zmulti-sourceOpen finding ↗

2026-05-22 · view entry permalink →

CVE-2026-20223 — Cisco Secure Workload: CVSS 10.0 zero-auth REST API grants Site Admin privileges across all tenants, no workaround

CVE-2026-20223 (CVSS 10.0, AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) is an access validation failure in the internal REST API of Cisco Secure Workload (formerly Tetration), the enterprise micro-segmentation platform (Cisco PSIRT, 2026-05-20). An unauthenticated remote attacker sends a single crafted HTTP request to an internal API endpoint to be granted Site Admin-level privileges — enabling cross-tenant data read, configuration modification, and full visibility over workload segmentation policy across all tenant boundaries. Both SaaS-hosted and on-premises deployments are affected; Cisco silently patched SaaS. On-premises operators must upgrade: 4.0.x → 4.0.3.17; 3.10.x → 3.10.8.3; 3.9 and earlier must migrate (no fix available). No workaround exists. Cisco found no evidence of exploitation at disclosure (2026-05-20); the vulnerability was discovered internally. NCSC-CH flagged this on 2026-05-21. The attack surface is the internal REST API management plane — restrict untrusted network access to the Secure Workload cluster API as the primary compensating control until patching is complete. Technique: T1190 Exploit Public-Facing Application. This is distinct from CVE-2026-20182 (Cisco Catalyst SD-WAN) covered on 2026-05-20.

CVE Summary Table

CVE Product CVSS EPSS KEV Exploited Patch Source
CVE-2026-34926 Trend Micro Apex One On-Premise 6.7 n/a Yes (2026-05-21) Yes (ITW) Build 17079 Trend Micro
CVE-2025-34291 Langflow AI Platform 9.4 (v4) / 8.8 (v3) n/a Yes (2026-05-21) Yes (ITW since Jan 2026) >= 1.7.0 / 1.9.3 CISA KEV
CVE-2026-20223 Cisco Secure Workload 10.0 n/a No No (disclosed internally) 3.10.8.3 / 4.0.3.17 Cisco PSIRT
vulnerability22 May 05:00Zmulti-sourceOpen finding ↗

2026-05-22 · view entry permalink →

CRITICALCVE-2026-34926exploited

CVE-2026-34926 — Trend Micro Apex One On-Premise: post-auth directory traversal by admin-credential holder injects code deployed fleet-wide to all managed agents (CISA KEV, ITW)

CVE-2026-34926 (CVSS 6.7, CWE-23 Relative Path Traversal) affects Apex One On-Premise server and agent builds below 17079. An authenticated attacker who has already obtained administrative credentials to the Apex One management server traverses the directory structure to modify a key table, injecting malicious code that the management server then distributes to all enrolled agent endpoints via the product's built-in update mechanism — one compromised management console results in fleet-wide code execution on every managed endpoint. The exploitation prerequisite (admin credentials to the Apex One server) does not reduce urgency: CISA added CVE-2026-34926 to KEV on 2026-05-21 following confirmed ITW exploitation, and management server admin accounts are a high-value target for credential theft campaigns. JPCERT/CC confirmed exploitation in the wild on 2026-05-22; CISA added CVE-2026-34926 to KEV on 2026-05-21. Fixed: server and agent build 17079 per Trend Micro KA-0023430. The Apex One as a Service (SaaS) variant is not affected. Until patched, restrict local-network access to the Apex One management console to a dedicated management VLAN; treat the console host as Tier-0 infrastructure given its fleet-wide code distribution capability. Technique: T1574 Hijack Execution Flow via trusted software update path.

Trend Micro Incorporated has reported that attacks exploiting the relative path traversal vulnerability in TrendAI Apex One(On Premise) (CVE-2026-34926) have been observed in the wild.

JPCERT/CC

a potential attacker must have access to the Apex One Server and already obtained administrative credentials to the server via some other method to exploit this vulnerability.

HKCERT
vulnerability22 May 05:00Zmulti-sourceOpen finding ↗

2026-05-18 · view entry permalink →

HIGH

Verizon 2026 DBIR — vulnerability exploitation is the #1 breach vector for the first time in 19 years; patching cadence regressed

The 19th Data Breach Investigations Report (published 2026-05-19, covering Nov 2024 – Oct 2025) records vulnerability exploitation as the most common initial-access vector at ~31%, overtaking credential abuse (~13%) for the first time in the report's history — Verizon attributes the shift in part to AI-assisted weaponisation compressing the disclosure-to-exploit window. The operationally relevant findings for a public-sector SOC are the defensive regressions, not the headline: the median time to fully patch slipped to ~43 days (from ~32), and organisations remediated only ~26% of CISA KEV-listed vulnerabilities (down from ~38%) against ~50% more critical bugs than the prior dataset. Third-party involvement in breaches rose to ~48% of incidents. These are the precise gaps this week's actively-exploited CVEs (Drupal, Apex One, Langflow, Defender) target; under NIS2 Art. 21(2)(e) the patching-process regression is also a supervisory-audit exposure. "Shadow AI" (unapproved AI tooling) emerged as a notable data-loss action — scope DLP and data-classification controls to LLM upload endpoints.

annual-report18 May 05:00Zmulti-sourceOpen finding ↗

2026-05-18 · view entry permalink →

HIGHexploited

Two CISA KEV additions under active exploitation — Trend Micro Apex One and Langflow

If you did nothing this week: if you run Apex One On-Premise, your endpoint-management server can push attacker code to every managed agent; if you run Langflow, a cross-origin request can steal a session. CISA added both to KEV on 2026-05-21 with confirmed in-the-wild exploitation.

CVE-2026-34926 (Apex One On-Premise, CVSS 6.7) is a post-auth relative-path-traversal flaw in builds below 17079 that lets an admin-credential holder inject code which the management server then deploys fleet-wide to all managed agents — turning the security console into a malware distribution point; JPCERT/CC issued at260014 corroborating. CVE-2025-34291 (Langflow ≤ 1.6.9, CVSS 9.4) is an overly-permissive CORS configuration combined with a SameSite=None refresh token that enables cross-origin token theft, exploited by the Flodric botnet. Patch both; for Apex One, restrict management-console access and audit agent-deployment jobs for unexpected packages.

synthesis18 May 05:00Zmulti-sourceOpen finding ↗