New CTI Lab: CVE-2025-35433 (Erlang SSH): Offensive
On April 16, 2025, a critical vulnerability, identified as CVE-2025-32433, was disclosed in the Erlang/OTP SSH server. This critical vulnerability allows unauthenticated attackers to execute arbitrary code on affected systems by sending specially crafted SSH messages before authentication. After these messages have been sent, attackers have code execution on the victim machine. This lab will walk you through the mechanics of this vulnerability, helping you understand its implications and learn how an attacker could exploit it. Why is this lab important? Given Erlang's widespread use in telecommunications, IoT, and distributed systems, this vulnerability poses a significant risk to victims in multiple sectors and industries. Customers using Erlang should assess its vulnerability status and patch as soon as practicable. Who is this lab for? This lab is an offensive CTI lab, so it primarily benefits penetration testers and red teamers. That said, it's still incredibly valuable for defensive personas as well, so they can see how the attack could work. These personas include: SOC Analysts Incident Responders Threat Hunters Here is the link to the lab: https://iml.immersivelabs.online/v2/labs/cve-2025-35433-erlang-ssh-offensiveNew CTI Labs: CVE-2025-31161 (CrushFTP): Defensive and CVE-2025-31161 (CrushFTP): Offensive
On the 7th April 2025, a vulnerability in the CrushFTP was added to the CISA Kev Catalogue, CrushFTP is an enterprise FTP solution with tens of thousands of instances publicly accessible online. Recent reporting has confirmed that since a proof-of-concept dropped, there has been an uptick in this vulnerability being exploited in the wild. Successful exploitation of this critical vulnerability allows attackers to achieve code execution, file upload, and download, as well as create backdoor accounts. Why should our customers care? As a critical vulnerability with a CVSS base score of 9.8, with no user interaction required, this vulnerability represents a significant impact to customers using CrushFTP or other, similar file transfer solutions. The addition of vulnerabilities to the CISA KEV catalog shows how serious it is and how important it is to patch against the vulnerability, given that the attacker could upload files, achieve persistently, and backdoors onto the server. Who is it for? Incident responders SOC analyst CTI Analysts Threat Hunters Penetration Testers System Administrators Here are the links to the labs: CVE-2025-31161 (CrushFTP): Offensive CVE-2025-31161 (CrushFTP): Defensive In addition, we've released a proof-of-concept script to demonstrate how an attacker could exploit this vulnerability: https://github.com/Immersive-Labs-Sec/CVE-2025-31161New CTI Labs: Water Gamayun: (CVE-2025-26633) Campaign Analysis
Water Gamayun, also known as EncryptHub and Larva-208, is a threat actor (suspected to be of Russian origin) that has been observed exploiting a zero-day vulnerability in the Microsoft Management Console (MMC). This vulnerability has been dubbed MSC EvilTwin and assigned CVE-2025-26633. This lab takes you through the campaign, explaining how the vulnerability works to allow the attacker to silently execute malicious code, and what actions on objective the threat actor performs. Why should our customers care? EncryptHub has been reported to have breached over 618 organizations to deploy StealC, SilentPrism, and ransomware for the purposes of maintaining persistence, stealing data, and causing severe operational disruption; therefore, our customers should be mindful of this threat actor and their tactics. Their use of a zero day vulnerability shows how standard Windows configurations can be abused by threat actors to silently transport this malware into a victims environment to allow attackers to fulfil their operational objectives. Who is it for? Incident responders SOC analyst CTI Analysts Threat Hunters Here is the link to the campaign analysis lab: https://immersivelabs.online/labs/water-gamayun-campaign-analysisNew CTI Labs: Threat Actors: Salt Typhoon – SNAPPYBEE Campaign Analysis & Threat Actors: Salt Typhoon
Salt Typhoon has been a threat actor that has caused a lot of worry for defensive teams all over the world. They are a threat actor group which has been predominately targeting Telecommunication companies. They have been in the media a lot over the past few months for their hacks on telecommunication companies in the US.Immersive were finally able to get access to some of the malware samples, as more get released we shall cover more of the campaigns. Threat Actors: Salt Typhoon This lab takes the user through who Salt Typhoon are, what their techniques, tactics, and procedures are, and who they target. Discussing their previous campaigns in depth and why they are so feared as a group. Salt Typhoon: SNAPPYBEE Campaign Analysis Many of our customers want to learn how salt typhoons operate. This lab shows people how to start hunting for them inside a network, taking our users through the different stages, techniques, and tactics they use and how to identify them for detection. Why should our customers care? Salt Typhoon are a big threat to telecommunication companies around the world. Their main focus is to be in a network and perform cyber espionage without being detected. They largely operate inside networks without being detected for a long time, sometimes even months to a year. Our customers need to proactively understand what this threat is and how to start monitoring for them in their network. Who is it for? Incident responders SOC analyst CTI Analysts Threat Hunters Here is the link to the threat actor lab: https://immersivelabs.online/labs/threat-actors-salt-typhoon Here is the link to the campaign analysis lab: https://immersivelabs.online/v2/labs/salt-typhoon-campaign-analysisNew CTI Lab: CVE-2025-0411 (7-ZIP MoTW bypass) – Defensive
The Zero Day Initiative (ZDI) team at Trend Micro identified the exploitation of a zero-day vulnerability in the 7-ZIP application dubbed CVE-2025-0411, which was used in a SmokeLoader malware campaign targeting eastern European entities. 7zip is used all over the world by individuals and organizations, so it's essential users understand this campaign. CVE-2025-0411 (7-ZIP MoTW bypass) – Defensive CVE-2025-0411 is a Mark-of-the-Web (MoTW) bypass vulnerability that exists within 7 ZIP installations with a version older than 24.09. This vulnerability allows attackers to bypass the MoTW protection mechanism employed by the Windows operating system, designed to warn users after downloading potentially malicious software. Bypassing MoTW for attackers increases the chances of successful phishing attempts, which is one of the largest ways attackers get into organizations. Due to MoTW being bypassed, users are not warned of potential malicious intent if they were to execute files. Because of this, attackers spend a lot of time trying to find different MoTW vulnerabilities and are often patched in Microsoft's patch Tuesdays due to their prevalence. Why should you care? Bypassing security controls is ideal for attackers. If their downloaded files do not get warned against by Windows, then the chances of successful attack chain execution is much higher! Therefore, we created a lab to identify what this attack process looks like for defensive teams and how to identify each stage. The lab teaches you what to look out for when this vulnerability is exploited and how campaigns have used it in the real world. Who is it for? Incident responders SOC analyst Malware reverse engineers CTI Analysts Threat Hunters Here is the link to the 7zip lab: https://immersivelabs.com/labs/cve-2025-0411-7-zip-motw-bypass-defensive Related Labs, designed to give you similar skills: https://immersivelabs.online/series/elasticsearch-threat-hunting-apt29/labs https://immersivelabs.online/series/introduction-to-elastic/labsNew CTI Labs: Zero-day Behaviour: PDF Samples & UAC-0063 Intrusion: SIEM Analysis
Based on the report released by NCSC's CTO, a number of important cyber security developments occurred throughout the past week. We have created two labs on what we thought were interesting parts of the report to align with what NCSC is seeing out in the wild. Zero-day Behaviour: PDF Samples PDFs are used by everyone, and a researcher has found that you can embed commands that will communicate out to attacker-controlled servers – depending on which PDF reader a company has, you can exfiltrate NTLM data to aid in further attacks. PDFs can be used to initial access an attack, such as sending a malicious one via email. Therefore, we have created a lab for defensive teams to analyze what these PDFs look like under the hood and how to identify this newly found behavior. UAC-0063 Intrusion: SIEM Analysis It has been observed that the threat group UAC-0063 has been sending malicious documents around the world, targeting Asia and Eastern Europe in their latest operation. Their aim is cyber espionage and to gather information about governments, NGOs, defense, and academia. With their malware dubbed HATVIBE, they have been seen to use legitimate diplomatic documents with their malicious code embedded inside them. The lab provides an analysis of the attack chain, where our customers will understand what happens when one of the malicious documents is clicked on and what detections can be put in place to detect the attack. Why should our customers care? These two labs are based on information that the NCSC has thought the industry needs to know. Understanding the updated attack techniques of threat groups and new ways to execute commands in PDFs is incredibly important because social engineering is still one of the highest methods of initial access. Therefore, our customers will be able to analyze both these threats to develop detections early or to gain familiarity with how these threats work. Who is it for? Incident responders SOC analyst Malware reverse engineers CTI Analysts Threat Hunters Here is the link to the PDF lab: https://immersivelabs.online/labs/zero-day-behaviour-pdf-samples Here is the link to the UAC-0063 lab: https://immersivelabs.online/labs/uac-0063-siem-analysisNew Team Sim Content: (Defensive) Operation Vulpes
Operation Vulpes is a defensive scenario and marks a return of using Splunk as the SIEM solution. This scenario sees Orchid Corporation reeling from the aftermath of a ransomware attack. Defenders will need to determine the attacker's path to compromise and infect the network and use information provided by a law enforcement agency to attempt to recover files. Users will need to use a variety of tools and defensive disciplines to solve the scenario – not just the SIEM solution. This sim also utilizes our new user noise generation framework to simulate user web browsing activity on end-user devices. This spawns the Edge browser as a domain user and visits internal and external websites to add additional noise to logs collected by Splunk. Why have we created this content? This Team Sim adds a level of complexity and realism by introducing actual ransomware. So you and your teams can exercise and prepare for the worst-case scenario. (Please be aware that Immersive Labs created the ransomware for exercise purposes only and includes failsafes to control its execution.) In addition, the sim uses popular tools within security stacks, so the simulation is true to life. What are we publishing? A new Team Sim exercise, Operation Vulpes, which will be viewable in the Team Sim catalog for all Team Sim customers. Who is this content for? This Team Sim is primarily focused on testing the defensive and technical capabilities of the following roles: SOC analysts Incident responders Threat hunters Check it out now!New CTI Lab: Xworm: Analysis
Xworm is a piece of malware that was first discovered in 2022 being used by threat actors like NullBulge and TA558. Xworm is a remote access trojan (RAT). Attackers deploy it onto compromised machines to steal data, facilitate remote code execution through shell access, and tamper with native security solutions like Microsoft Windows Defender, ready for other malware to be dropped and executed on a machine. Why have we created this content? Xworm is a commodity piece of malware that has been observed in the wild and has previously been observed being sold on hacker forums to opportunistic cybercriminals. Recently, cracked versions of this malware have been leaked to VirusTotal, GitHub, and other repositories. This content provides a unique look into commodity malware, how it's designed, and what to look out for when coming across it. What are we publishing? All customers on a CyberPro License have immediate access to a new lab. Xworm: Analysis Who is this content for? This lab is focused on upskilling and increasing the defensive capabilities of the following roles: Incident Responders Malware Analysts Reverse Engineers SOC Analysts Cyber Threat Intelligence Analysts We are also hosting a webinar! Come and see what we do as a CTI team and how we help cyber teams with their real-world threat preparedness!New CTI Labs: CVE-2024-0012 and CVE-2024-9474 (Palo Alto PAN-OS) – Offensive and Defensive
Today, we’ve released two brand-new labs focusing on defending against and exploiting two new vulnerabilities in Palo Alto Firewalls! Learn how to attack a Palo Alto Firewall by exploiting these vulnerabilities, as well as how to identify attack remnants and detect them effectively.
