New CTI Labs: BadSuccessor: Offensive and Defensive
Two days ago, Akamai released a technical research blog post detailing a privilege escalation vulnerability in Windows Server 2025. This vulnerability abuses delegated Managed Service Accounts (dMSAs), and with the right base permissions, it could allow a user to gain domain admin permissions or even dump the NTLM hashes for all users in the domain. There is no patch available, and this would be considered a public zero-day. Why are these labs important? Many organisations use a Windows Domain to manage their users and accounts. This newly announced zero-day has no patch and no known detections in SIEMs. A combination of these labs will allow organisations to identify any potentially weak configurations vulnerable to exploitation and how to threat hunt in a SIEM to identify signs of exploitation. Who is it for? Incident responders SOC analyst CTI Analysts Threat Hunters Pentesters / Red Teams Here is the link to the analysis lab: BadSuccessor – Offensive BadSuccessor – DefensiveNew CTI Lab: Sandworm Campaign: ZEROLOT Wiper
ESET released a new APT threat report today, and amongst the information was a new malware wiper used to attack critical national infrastructure. However, this malware has not been reported on at all. It has been successfully deployed amongst many organizations, but no analysis has been released. Therefore, we are releasing a SIEM analysis to help our customers create threat detections for this destructive malware. The threat actor in question is Sandworm Team, a state-sponsored APT group that has been active since at least 2009. Known for highly destructive cyber campaigns, the group has targeted critical infrastructure. In this lab, you'll be exposed to one of Sandworm's latest campaigns, where they use remote management tools to facilitate the deployment of a new wiper, Zerolot. Why is this lab important? Many of our customers have asked for an analysis of wiper malware, and the destructive nature of this malware worries organizations around the world. This new strain, which has been deployed numerous times successfully since December 2024, needs effective threat detection to ensure security teams are prepared for this threat. Who is it for? Incident responders SOC analyst CTI Analysts Threat Hunters Here is the link to the analysis lab: Sandworm Campaign: ZEROLOT WiperNew CTI Labs: Threat Actors Akira and DragonForce
These labs will highlight the background and TTPs of Akira, a highly prolific threat actor with indiscriminate targeting, and DragonForce, a ransomware actor recently in the news, connected to the attacks on M&S, Co-op, and Harrods. Why are these labs important? Akira is one of the most prolific threat actors that does not discriminate in its targeting. It often targets medium to large enterprises worldwide, with a strong focus on North America and Europe, including the UK. This means that no one is exempt from Akira's targeting in the future, so knowing your TTPs and how to prepare for attacks from threat actors is paramount to keeping your organization safe. Throughout late April 2025, DragonForce has been all over the news since they claimed responsibility for being involved in the attacks against Marks and Spencer, Co-Op, and Harrods in the UK. The information in the labs reflects DragonForce's latest known TTPs and helps customers to stay one step ahead of actors like DragonForce. Who are these labs for? These labs deliver the latest information relating to threat actors and their TTPs. The personas who would benefit the most from these labs are: Cyber Threat Intelligence Analysts SOC Analysts Incident Responders Threat Hunters Here are the links to the labs: Threat Actors: Akira Ransomware Groups: DragonForceLabs Live
This event has now ended. You can watch the recording here. Ever felt totally stuck with a lab? Getting frustrated? Maybe you could have used the helpful guidance of an expert? Introducing Labs Live, a groundbreaking community webinar series from Immersive! For the first time, we're bringing you live, interactive lab sessions led by seasoned professionals. In each Labs Live webinar, you'll collaborate directly with an expert as they navigate a challenging lab. They'll share their techniques, answer your questions, and together, you might even discover new insights. This isn't just a demonstration; it's a hands-on learning experience.Don't miss out on this unique opportunity to elevate your cyber skills. Our very first Labs Live session will be hosted by KevBreen Senior Director of Cyber Threat Research, as he tackles the latest Cyber Threat Intelligence Lab. Join him on April 25th to solve it together!New CTI Lab: CVE-2025-35433 (Erlang SSH): Offensive
On April 16, 2025, a critical vulnerability, identified as CVE-2025-32433, was disclosed in the Erlang/OTP SSH server. This critical vulnerability allows unauthenticated attackers to execute arbitrary code on affected systems by sending specially crafted SSH messages before authentication. After these messages have been sent, attackers have code execution on the victim machine. This lab will walk you through the mechanics of this vulnerability, helping you understand its implications and learn how an attacker could exploit it. Why is this lab important? Given Erlang's widespread use in telecommunications, IoT, and distributed systems, this vulnerability poses a significant risk to victims in multiple sectors and industries. Customers using Erlang should assess its vulnerability status and patch as soon as practicable. Who is this lab for? This lab is an offensive CTI lab, so it primarily benefits penetration testers and red teamers. That said, it's still incredibly valuable for defensive personas as well, so they can see how the attack could work. These personas include: SOC Analysts Incident Responders Threat Hunters Here is the link to the lab: https://iml.immersivelabs.online/v2/labs/cve-2025-35433-erlang-ssh-offensiveOperational CTI: Lessons from the Attacks That Didn’t Target You
Watch the recording from this event here ⬇️ Many organizations overlook vulnerabilities and attack campaigns that don’t directly impact them. While this makes sense for risk prioritization, studying these threats can reveal valuable insights that improve your defensive posture and technical skills. In this webinar, we’ll take you through a technical analysis of a recent malicious campaign and explore how analyzing adversary techniques — even those that haven’t targeted your organization — can uncover hidden gaps in your security strategy and enhance your ability to detect and mitigate future threats. Key Takeaways Threat Awareness Beyond Your Scope – Understanding attack campaigns that don’t directly affect your organization can still provide critical insights into evolving threat landscapes. Improving Defensive Posture – Learning from other attacks helps identify weaknesses in your own security strategy before they become exploited. Expanding Technical Knowledge – Deep-diving into attack techniques and vulnerabilities sharpens your ability to detect and mitigate sophisticated threats. Proactive Security Mindset – Adopting a proactive rather than reactive approach can help organizations stay ahead of adversaries, even if they’re not immediate targets. Applying Lessons Practically – Insights from external threats can shape better incident response plans, detection rules, and security skills.Operational CTI: How Immersive Builds Labs for Real-World Threat Preparedness
This event has now ended. You can watch the recording here. --- 📢 Today's the day! Our exclusive Community webinar 'Operational CTI: How Immersive Builds Labs for Real-World Threat Preparedness' will be live at 3pm GMT (10am EST). Here's a few tips to help you get the most from your experience: 🚀 This is a live, interactive session. Make sure you join the session promptly in order to get the full experience. 🔗 To join today's session, visit the event page or simply use the Zoom link. ❓You’ll also have the opportunity to participate in a Q&A with our expert panel so you can leave with an action plan to turn your ideas into reality! You can pre-submit questions here. Event Description Have you ever wondered how Immersive Labs can release CTI labs on the latest threats so quickly? Come backstage with us on this ✨ Community Exclusive ✨ event to learn just how we do it. BenMcCarthy and benhopkins, two of the experts from the CTI team will reveal what it takes to make a lab, some of their favourites from 2024 and what is to come from the CTI team. Agenda What are CTI labs and how do we select labs to build? Build Stage 1 - Research Build Stage 2 - "Labified" Build Stage 3 - Content Build Stage 4 - QA Some of our favourite labs Examples of speedy launches of labs C2 research What next for our Threat Research and CTI Labs You’ll also have the opportunity to pre-submit questions here so you can ensure that you leave with all of the information you need! This is a Community Exclusive event: Hit the attend button to register. This webinar will be live at 3pm GMT and will be recorded.New CTI Labs: CVE-2025-31161 (CrushFTP): Defensive and CVE-2025-31161 (CrushFTP): Offensive
On the 7th April 2025, a vulnerability in the CrushFTP was added to the CISA Kev Catalogue, CrushFTP is an enterprise FTP solution with tens of thousands of instances publicly accessible online. Recent reporting has confirmed that since a proof-of-concept dropped, there has been an uptick in this vulnerability being exploited in the wild. Successful exploitation of this critical vulnerability allows attackers to achieve code execution, file upload, and download, as well as create backdoor accounts. Why should our customers care? As a critical vulnerability with a CVSS base score of 9.8, with no user interaction required, this vulnerability represents a significant impact to customers using CrushFTP or other, similar file transfer solutions. The addition of vulnerabilities to the CISA KEV catalog shows how serious it is and how important it is to patch against the vulnerability, given that the attacker could upload files, achieve persistently, and backdoors onto the server. Who is it for? Incident responders SOC analyst CTI Analysts Threat Hunters Penetration Testers System Administrators Here are the links to the labs: CVE-2025-31161 (CrushFTP): Offensive CVE-2025-31161 (CrushFTP): Defensive In addition, we've released a proof-of-concept script to demonstrate how an attacker could exploit this vulnerability: https://github.com/Immersive-Labs-Sec/CVE-2025-31161New CTI Labs: Water Gamayun: (CVE-2025-26633) Campaign Analysis
Water Gamayun, also known as EncryptHub and Larva-208, is a threat actor (suspected to be of Russian origin) that has been observed exploiting a zero-day vulnerability in the Microsoft Management Console (MMC). This vulnerability has been dubbed MSC EvilTwin and assigned CVE-2025-26633. This lab takes you through the campaign, explaining how the vulnerability works to allow the attacker to silently execute malicious code, and what actions on objective the threat actor performs. Why should our customers care? EncryptHub has been reported to have breached over 618 organizations to deploy StealC, SilentPrism, and ransomware for the purposes of maintaining persistence, stealing data, and causing severe operational disruption; therefore, our customers should be mindful of this threat actor and their tactics. Their use of a zero day vulnerability shows how standard Windows configurations can be abused by threat actors to silently transport this malware into a victims environment to allow attackers to fulfil their operational objectives. Who is it for? Incident responders SOC analyst CTI Analysts Threat Hunters Here is the link to the campaign analysis lab: https://immersivelabs.online/labs/water-gamayun-campaign-analysisReverse Engineering SmokeLoader: An In-Depth Analysis (Part 3)
The previous blog entry covered how SmokeLoader uses various obfuscation techniques to slow reverse engineers down. We also identified yet another shellcode being allocated to a memory region, which we then dumped and analysed. In this blog entry, we’ll try to identify some of the key API functions the malware employs through dynamic API resolution to allocate memory, store shellcode, and deceive analysts. This third stage uses techniques similar to those used before – dynamic API resolution – but this time, the APIs are declared on the stack as their names and don’t go through API hashing. A number of APIs are executed with GetProcAddress for the malware to dynamically resolve functionality. These APIs are: LoadLibraryA(“Kerne32.dll”) GetProcAddress(“VirtualAlloc”) GetProcAddress(“VirtualProtect”) GetProcAddress(“VirtualFree”) GetProcAddress(“GetVersionExA”) GetProcAddress(“TerminateProcess”) GetProcAddress(“ExitProcess”) GetProcAddress(“SetErrorMode”) Then we came up against an issue. The malware only wants to run on a specific version of Windows – we think it was made for Server versions. The Windows API, GetVersionExW, has its return values compared to a very specific version. So when we run this program, it causes an exception as we weren't on the correct Windows version. To get around this for now, we had to set the ZF flag in x32dbg to jump over the code that caused the exception. This is necessary, or the memory address in EAX will cause an exception two lines later. Taking another look at the function, we found another jmp eax! We then performed the same process of setting a breakpoint, executing until that point, and then dumping the memory. Conclusion The third part of our SmokeLoader analysis explored dynamic API resolution, and we found another layer of shellcode in memory to dump. By this point, it was clear that SmokeLoader had multiple layers of shellcode inside it, with layers of obfuscation to slow down reverse engineers. During our analysis, we came across a number of these issues relating to control flow obfuscation. Trying to jump to certain instructions to identify shellcode gave us the EXCEPTION_ACCESS_VOILATION error. The final blog post of this series will discuss this exception more closely, describe how to defeat it and look at some indicators of compromise you can identify in the later stages of reverse engineering.
