Mandiant investigated a late-2025 compromise of KnowledgeDeliver, a Japanese Learning Management System built on ASP.NET. The root cause was CVE-2026-5426: the vendor shipped identical hardcoded ASP.NET machineKey values in every customer deployment. Because the validationKey is what signs ViewState, anyone who recovers the key from one installation can forge validly signed ViewState for every other installation, which in ASP.NET yields unauthenticated remote code execution via crafted ViewState payloads. After gaining access, the threat actor deployed the BLUEBEAM (Godzilla) in-memory web shell inside the IIS worker process, modified JavaScript files to display fake security alerts, and ultimately infected end-user workstations with Cobalt Strike BEACON. Detection guidance covers Windows Event ID 1316 (ASP.NET "Viewstate verification failed", which fires on ViewState that fails the MAC check), suspicious w3wp.exe child processes, file integrity monitoring of web content, and anomalous concatenated User-Agent strings. Remediation requires immediately rotating machine keys to unique values per deployment.
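As an added illustration of the remediation point (example code written for this summary, not Mandiant's, the vendor's, or the original post's tooling): a small Python audit that parses each deployment's web.config, flags a hardcoded machineKey, reports key pairs shared across deployments, and rewrites each affected config with freshly generated unique keys. The sample web.config contents and deployment names are constructed for the example, and the placeholder keys are not the real CVE-2026-5426 values.

```python
"""Audit ASP.NET machineKey values across deployments and rotate shared ones.

Added example, not code from Mandiant or the vendor. Assumes each
deployment's web.config is available as text; the configs below are
constructed and the static key values are placeholders, not real keys.
"""
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: three "customers" sharing one vendor-shipped static key,
# one customer correctly letting ASP.NET auto-generate per-server keys.
_STATIC_V = "AB" * 64   # 128 hex chars = 64-byte HMACSHA256 validation key (placeholder)
_STATIC_D = "CD" * 32   # 64 hex chars  = 32-byte AES decryption key (placeholder)


def _config(vkey, dkey):
    return (
        "<configuration>\n  <system.web>\n"
        f'    <machineKey validationKey="{vkey}" decryptionKey="{dkey}" '
        'validation="HMACSHA256" decryption="AES" />\n'
        "  </system.web>\n</configuration>\n"
    )


SHARED_KEY_CONFIG = _config(_STATIC_V, _STATIC_D)
AUTO_CONFIG = _config("AutoGenerate,IsolateApps", "AutoGenerate,IsolateApps")

DEPLOYMENTS = {
    "customer-a": SHARED_KEY_CONFIG,
    "customer-b": SHARED_KEY_CONFIG,
    "customer-c": SHARED_KEY_CONFIG,
    "customer-d": AUTO_CONFIG,
}


def parse_machine_key(config_text):
    """Return the <machineKey> attributes of a web.config, or None if absent."""
    node = ET.fromstring(config_text).find("./system.web/machineKey")
    return None if node is None else dict(node.attrib)


def is_static(mk):
    """True if either key is an explicit value rather than AutoGenerate.
    A static validationKey alone is enough to let a key holder sign ViewState."""
    v = mk.get("validationKey", "AutoGenerate")
    d = mk.get("decryptionKey", "AutoGenerate")
    return not (v.startswith("AutoGenerate") and d.startswith("AutoGenerate"))


def find_shared_keys(deployments):
    """Group deployments by static (validationKey, decryptionKey) pair and
    return only the pairs that occur in more than one deployment."""
    groups = defaultdict(list)
    for name, text in deployments.items():
        mk = parse_machine_key(text)
        if mk is None or not is_static(mk):
            continue
        groups[(mk.get("validationKey"), mk.get("decryptionKey"))].append(name)
    return {pair: names for pair, names in groups.items() if len(names) > 1}


def generate_machine_key():
    """Fresh keys for one deployment: 64-byte HMACSHA256 validation key and
    32-byte AES decryption key, hex-encoded as ASP.NET expects."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def rotate_machine_key(config_text, new_key):
    """Return config_text with its <machineKey> replaced by new_key."""
    root = ET.fromstring(config_text)
    web = root.find("system.web")
    if web is None:
        web = ET.SubElement(root, "system.web")
    node = web.find("machineKey")
    if node is None:
        node = ET.SubElement(web, "machineKey")
    node.attrib.clear()
    node.attrib.update(new_key)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for (vkey, _), names in find_shared_keys(DEPLOYMENTS).items():
        print(f"validationKey {vkey[:16]}... shared by: {', '.join(names)}")
        for name in names:
            DEPLOYMENTS[name] = rotate_machine_key(DEPLOYMENTS[name], generate_machine_key())
    print("shared key groups after rotation:", find_shared_keys(DEPLOYMENTS))
```

Two caveats for anyone applying this for real: rotating the key invalidates every outstanding ViewState and forms-authentication ticket signed with the old one (users get re-prompted; in a web farm all nodes of one deployment must share the new key), and a new key does nothing to a web shell that is already resident in the w3wp.exe process, so recycle or rebuild the application pool as part of the same change.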
Table of contents

- Post-Exploitation Activity
- How to Hunt for This Activity
- Remediation and Mitigation
- Outlook and Implications
- Indicators of Compromise (IOCs)