Critical Laravel Livewire RCE Flaw Exploited to Steal Credentials From 6,000+ Apps
ID: 2e2a7208-470a-565b-a433-96733b5abf8a
STIX ID: report--2e2a7208-470a-565b-a433-96733b5abf8a
Feed Name: Cyber Press
A widespread campaign exploited a critical unauthenticated RCE in Laravel Livewire v3 (CVE-2025-54068) to deliver a 5,269-byte Bash credential stealer ('shoc.enz') across more than 6,167 applications, harvesting millions of credentials and secrets (database passwords, Stripe keys, AWS IAM credentials, SMTP passwords, JWT secrets, and email lists). The report details exploitation via PHP object deserialization using PHPGGC gadget chains, attacker infrastructure (C2 domain xantibot.pw, FTP server 47.129.100.149, Telegram handle @ashtarotz, and GoFile exfiltration), provides IOCs and remediation recommendations (upgrade Livewire to v3.6.4+, rotate keys, block outbound FTP), and attributes the activity to a likely Indonesian-origin cybercriminal operator.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
