{"id":128020,"date":"2025-11-12T22:47:23","date_gmt":"2025-11-12T17:17:23","guid":{"rendered":"https:\/\/www.techworm.net\/?p=128020"},"modified":"2025-11-12T22:47:23","modified_gmt":"2025-11-12T17:17:23","slug":"hackers-exploit-triofox-bug-to-install-remote-access-tools","status":"publish","type":"post","link":"https:\/\/www.techworm.net\/2025\/11\/hackers-exploit-triofox-bug-to-install-remote-access-tools.html","title":{"rendered":"Hackers Exploit Triofox Bug To Install Remote Access Tools"},"content":{"rendered":"

Cybersecurity researchers at Google\u2019s Mandiant Threat Defense have uncovered active exploitation of\u00a0an unauthenticated access vulnerability within Gladinet\u2019s Triofox platform \u2014 a tool businesses use for secure file sharing and remote access.<\/p>\n

The critical bug, tracked as CVE-2025-12480 (CVSS score: 9.1), allows attackers to bypass authentication, access internal setup pages, and execute malicious code on affected systems. While Gladinet released a patch back in June 2025, Mandiant says threat actors were seen exploiting unpatched servers as recently as August 2025.<\/p>\n

A Clever Exploit Chain<\/strong><\/p>\n

According to Mandiant, the threat group behind the attacks, tracked as UNC6485, took advantage of the flaw to create a new native admin account called \u201cCluster Admin<\/em>,\u201d gaining full system privileges. From there, they abused Triofox\u2019s own built-in antivirus feature \u2014 normally designed to protect systems \u2014 to run malicious code with SYSTEM<\/em>-level privileges.<\/p>\n

“To achieve code execution, the attacker logged in using the newly created Admin account. The attacker uploaded malicious files to execute them using the built-in antivirus feature,” security researchers Stallone D’Souza, Praveeth D’Souza, Bill Glynn, Kevin O’Flynn, and Yash Gupta wrote in a blog post<\/a>.<\/p>\n

“To set up the antivirus feature, the user is allowed to provide an arbitrary path for the selected anti-virus. The file configured as the antivirus scanner location inherits the Triofox parent process account privileges, running under the context of the SYSTEM account.”<\/p>\n

By reconfiguring the antivirus path to point to their own script, execute it automatically, giving them deep control over the host system. The malicious script, called centre_report.bat<\/em>, downloaded from a remote IP (84.200.80[.]252) and installed a legitimate Zoho Unified Endpoint Management System (UEMS) package. Using that installer, hackers then deployed Zoho Assist and AnyDesk \u2014 popular remote access tools that let them take full remote control of the compromised servers.<\/p>\n

What The Hackers Did Next<\/strong><\/p>\n

Once the hackers had administrative control, the attackers used Zoho Assist to perform reconnaissance, change user passwords, and add existing accounts to local and domain administrator groups to expand their access. To maintain access, they also deployed Plink and PuTTY \u2014 two legitimate SSH networking tools \u2014 to create an encrypted tunnel that allowed covert Remote Desktop (RDP) access over port 433.<\/p>\n

This method effectively masked their communication with command-and-control (C2 or C&C) servers, making detection more difficult for defenders.<\/p>\n

Patching And Recommendations <\/strong><\/p>\n

Gladinet has already fixed the flaw in Triofox version 16.7.10368.56560 on July 26, but Mandiant urges users to upgrade immediately to the latest available release if they haven\u2019t already. The firm also recommends that system administrators:<\/p>\n