CyberSecurityNews

Hackers Exploit F5 BIG-IP Appliance to Gain SSH Access and Pivot Into Enterprise Linux Networks


Microsoft has documented a multi-stage intrusion in which a threat actor exploited an internet-facing F5 BIG-IP edge appliance as the entry point for a widespread, identity-focused attack that ultimately reached Active Directory.

According to Microsoft Defender Security Research, the attack reflects a growing trend: firewalls, VPN gateways, and load balancers, devices traditionally deployed as security boundaries, are being repurposed by attackers as initial access points.

Because edge appliances are externally exposed, lightly monitored, and highly trusted inside enterprise environments, a single compromise can hand attackers a durable, low-visibility foothold along with stored credentials, certificates, and identity integrations.

Initial Access Through an End-of-Life F5 BIG-IP

The threat actor established SSH access to the first Linux host from a network device identified as an F5 BIG-IP load balancer. Device inventory pinned the source to an Azure-hosted BIG-IP Virtual Edition appliance running version 15.1.201000, a build commonly deployed through Azure ARM templates and Terraform modules, and one that reached end-of-life on December 31, 2024.

Attack Flow

The actor authenticated to the Linux server over SSH using a privileged account and kept hands-on-keyboard access for the duration of the operation without deploying any explicit persistence mechanism; an over-privileged identity with sudo rights was all the foothold they needed.

Once on the host, the attacker conducted aggressive reconnaissance. Using a shell script, they ran horizontal Nmap scans across internal subnets to enumerate live hosts, followed by deeper vertical scans of individual hosts to identify open services.

The screenshot tool gowitness was then run through a SOCKS5 proxy to capture and fingerprint the exposed HTTP/HTTPS services.

Where Windows servers were discovered, the actor attempted NTLM-based lateral movement with a familiar open-source toolkit (enum4linux, NetExec, smbclient, rpcclient, timeroast, ldapsearch, Kerbrute, and Responder), though these initial attempts failed.

[Figures: "F5 BIG-IP exploited for SSH access" and "Threat actor activities"]

The actor then used wget to pull a custom scanning tool from the C2 server 206.189.27[.]39, flagged by Microsoft as HackTool:Linux/MalPack.B, which probed the organization's web applications and mobile services (including Firebase and GCM) to enumerate access controls.

Reconnaissance surfaced an internal Atlassian Confluence server carrying unpatched vulnerabilities, which the attacker exploited for remote code execution. Notably, Confluence was not internet-facing; it only became reachable once the attacker held an internal foothold, which is exactly why internal web applications need the same patch cadence as external ones.

Because real-time protection blocked repeated payload drops on the Confluence host, the actor misread the block as network-level filtering and pivoted: they spun up an anonymous FTP server on the Linux staging host with Python (the article names ftplib, which is Python's FTP client module, so a server-side package would actually have been required) and fetched the tool with curl into /dev/shm, a memory-backed tmpfs that leaves nothing on disk.

After compromising Confluence, the attacker harvested credentials from configuration files, including Tomcat's server.xml and Confluence's confluence.cfg.xml, which holds the database connection credentials (in plaintext unless encryption has been configured), and then turned those credentials against Windows infrastructure.
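As an added example (not Microsoft's tooling and not part of Confluence), the following script does what a responder needs to do the moment a Confluence host is known compromised: inventory every secret stored in confluence.cfg.xml and server.xml, record what each one unlocks, and spot values reused across files, so that credential rotation covers the full blast radius. The two XML documents, hosts and passwords are constructed samples.

```python
"""Inventory the credentials that live in Confluence and Tomcat config files.

Added example for this article; not Microsoft's tooling and not part of
Confluence. The two XML documents below are constructed samples with
made-up hosts and passwords.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import urlparse

# Attribute or property names that carry a secret.
SECRET_NAME = re.compile(r"password|passwd|secret|token|keystorepass|truststorepass", re.I)


@dataclass
class StoredSecret:
    source: str     # which config file
    location: str   # element path or property name inside it
    value: str      # the secret itself (keep out of tickets; use masked())
    target: str     # what the secret unlocks, where derivable

    def masked(self):
        v = self.value
        return "*" * len(v) if len(v) <= 4 else v[:2] + "*" * (len(v) - 4) + v[-2:]


def jdbc_host(url):
    """'jdbc:postgresql://db01:5432/confluence' -> 'db01:5432'."""
    if url.startswith("jdbc:"):
        url = url[len("jdbc:"):]
    return urlparse(url).netloc or "?"


def scan_confluence_cfg(text):
    """confluence.cfg.xml keeps DB settings as <property name=...> elements."""
    root = ET.fromstring(text)
    props = {p.get("name", ""): (p.text or "").strip() for p in root.iter("property")}
    target = jdbc_host(props.get("hibernate.connection.url", ""))
    return [StoredSecret("confluence.cfg.xml", f"property[@name='{name}']", value, target)
            for name, value in props.items() if SECRET_NAME.search(name) and value]


def scan_server_xml(text):
    """Tomcat's server.xml holds secrets as attributes (keystorePass, JNDI password, ...)."""
    root = ET.fromstring(text)
    findings = []
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            if not (SECRET_NAME.search(attr) and value):
                continue
            if elem.get("url"):
                target = jdbc_host(elem.get("url"))
            elif elem.get("port"):
                target = f"this host, port {elem.get('port')}"
            else:
                target = "?"
            findings.append(StoredSecret("server.xml", f"{elem.tag}@{attr}", value, target))
    return findings


def reused_values(secrets):
    """Secrets that appear in more than one place: rotating one means rotating all."""
    seen = {}
    for s in secrets:
        seen.setdefault(s.value, set()).add(s.location)
    return {v for v, places in seen.items() if len(places) > 1}


# Constructed sample files (hypothetical hosts and passwords).
SAMPLE_CONFLUENCE_CFG = """<confluence-configuration>
  <setupStep>complete</setupStep>
  <properties>
    <property name="hibernate.connection.url">jdbc:postgresql://db01.corp.example:5432/confluence</property>
    <property name="hibernate.connection.username">confluence</property>
    <property name="hibernate.connection.password">Wint3r2024!</property>
    <property name="confluence.home">/var/atlassian/application-data/confluence</property>
  </properties>
</confluence-configuration>
"""

SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <Resource name="jdbc/confluence" auth="Container" type="javax.sql.DataSource"
              username="confluence" password="Wint3r2024!"
              url="jdbc:postgresql://db01.corp.example:5432/confluence"/>
  </GlobalNamingResources>
  <Service name="Tomcat-Standalone">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/opt/atlassian/confluence/conf/keystore"
               keystorePass="changeit"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    found = scan_confluence_cfg(SAMPLE_CONFLUENCE_CFG) + scan_server_xml(SAMPLE_SERVER_XML)
    for s in found:
        print(f"{s.source}: {s.location} = {s.masked()} -> {s.target}")
    print("reused in more than one place:", [StoredSecret('', '', v, '').masked() for v in reused_values(found)])
```

Run against the real files (/var/atlassian/application-data/confluence/confluence.cfg.xml and the Tomcat conf/server.xml under the Confluence install) the output is the rotation list; the database account it names is the same one the attacker in this intrusion went on to use against Windows hosts, so it belongs at the top of that list.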

This escalated into Kerberos relay attacks and exploitation of CVE-2025-33073, using NetExec together with PetitPotam authentication coercion and DNS-record manipulation tooling against a domain controller.

Microsoft notes that the intrusion shows how a single RCE in a perimeter-adjacent web component can cascade into identity compromise in an entirely separate application, crossing platform and trust boundaries. Where patching and monitoring gaps exist across a hybrid estate, attackers need not be sophisticated, only persistent.

Microsoft Defender for Endpoint detected the activity and blocked the ELF payload on the one Confluence host where real-time protection was enabled.

The company recommends treating internet-facing edge appliances as Tier-0 assets with strict lifecycle and patch governance; hardening internal web applications with the same urgency as external services; applying identity hardening, including disabling NTLM where possible; enforcing SMB and LDAP signing; and enabling Extended Protection for Authentication to blunt relay-style attacks.

Key indicators include the C2 address 206.189.27[.]39 and file hashes for the custom scanner, Kerbrute, gowitness, and an NTLM relay script. Microsoft also published advanced hunting queries to surface SSH logons originating from F5 BIG-IP devices and credential access by Confluence processes.
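The SSH-from-edge-appliance hunt is easy to reproduce outside Defender for estates that ship Linux auth logs to a SIEM or simply keep them on the host. The script below is an added example written for this article, not Microsoft's published query: it parses OpenSSH "Accepted" lines, matches the source address against an inventory of edge-device addresses, and raises the severity when the account is sudo-capable or the method is password authentication (the two properties that made the initial access in this intrusion so cheap). The inventory, account list and log excerpt are constructed.

```python
"""Hunt for interactive SSH logons that originate from edge appliances.

Added example for this article; not Microsoft's advanced hunting query.
The inventory, privileged-account list and auth.log excerpt below are
constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# OpenSSH logs every successful authentication as an "Accepted" line.
SSHD_ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"Accepted\s+(?P<method>\S+)\s+for\s+(?P<user>\S+)\s+from\s+(?P<src>\S+)\s+port\s+\d+"
)

# Constructed inventory: self-IPs or management subnets of edge devices.
# Real values come from the CMDB or the appliance's own configuration.
EDGE_INVENTORY = {
    ipaddress.ip_network("10.0.1.10/32"): "bigip-ve-prod-01 (F5 BIG-IP VE, Azure)",
    ipaddress.ip_network("10.0.9.0/24"): "VPN gateway management subnet",
}

# Constructed: accounts that hold sudo rights across the Linux estate.
PRIVILEGED_ACCOUNTS = {"root", "deploy"}


@dataclass
class Finding:
    timestamp: str
    host: str
    user: str
    method: str
    source: str
    appliance: str
    severity: str


def parse_accepted(line):
    """Fields of an sshd 'Accepted ...' line, or None for any other line (failures included)."""
    m = SSHD_ACCEPTED.match(line)
    return m.groupdict() if m else None


def edge_label(src, inventory=EDGE_INVENTORY):
    """Name of the edge appliance that owns this source address, or None."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return None
    for network, label in inventory.items():
        if addr in network:
            return label
    return None


def hunt(log_lines, inventory=EDGE_INVENTORY, privileged=PRIVILEGED_ACCOUNTS):
    """Flag successful SSH logons whose source is an edge appliance.

    An appliance terminates client traffic; it has no business opening SSH
    sessions into the server estate, so every hit deserves a look. A
    sudo-capable account or password authentication raises the severity.
    """
    findings = []
    for line in log_lines:
        ev = parse_accepted(line)
        if ev is None:
            continue
        label = edge_label(ev["src"], inventory)
        if label is None:
            continue
        high = ev["user"] in privileged or ev["method"] == "password"
        findings.append(Finding(ev["ts"], ev["host"], ev["user"], ev["method"],
                                ev["src"], label, "high" if high else "medium"))
    return findings


# Constructed auth.log excerpt (hypothetical hosts and users, not from the incident).
SAMPLE_AUTH_LOG = """\
Mar  3 09:14:02 app-01 sshd[2451]: Accepted publickey for svc-backup from 10.0.1.10 port 51422 ssh2: RSA SHA256:REDACTED
Mar  3 09:20:17 app-01 sshd[2490]: Accepted password for root from 10.0.1.10 port 51588 ssh2
Mar  3 09:21:03 app-01 sshd[2501]: Failed password for root from 10.0.1.10 port 51590 ssh2
Mar  3 10:02:44 app-01 sshd[2610]: Accepted publickey for alice from 10.0.5.23 port 44102 ssh2: ED25519 SHA256:REDACTED
Mar  3 10:40:09 app-02 sshd[1188]: Accepted publickey for deploy from 10.0.9.7 port 60012 ssh2: ED25519 SHA256:REDACTED
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_AUTH_LOG.splitlines()):
        print(f"[{f.severity}] {f.timestamp} {f.host}: {f.user} via {f.method} "
              f"from {f.source} ({f.appliance})")
```

Feed it `journalctl -u ssh -o short` or `/var/log/auth.log` on Debian-family hosts (`/var/log/secure` on RHEL-family). Keyed logons from an appliance are still findings, not noise: a BIG-IP that legitimately needs to reach a backend over SSH should do so from a dedicated, non-sudo account, which is the one exception worth encoding in the inventory rather than in the log filter.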

Indicators of compromise (IOC)

Indicator | Type | Description
4a927d031919fd6bd88d3c8a917214b54bca00f8ddc80ecfe4d230663dda7465 | File hash (SHA-256) | Custom scanning tool
b4592cea69699b2c0737d4e19cff7dca17b5baf5a238cd6da950a37e9986f216 | File hash (SHA-256) | Shell script automating network scanning with Nmap
710a9d2653c8bd3689e451778dab9daec0de4c4c75f900788ccf23ef254b122a | File hash (SHA-256) | Kerbrute tool
57b3188e24782c27fdf72493ce599537efd3187d03b80f8afe733c72d68c5517 | File hash (SHA-256) | gowitness scanner
bdd5da81ac34d9faa2a5118d4ed8f492239734be02146cd24a0e34270a48a455 | File hash (SHA-256) | NTLM relay Python script
206.189.27[.]39 | IPv4 address | C2 server
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
