logo

Critical Laravel Livewire RCE Flaw Exploited to Steal Credentials From 6,000+ Apps

ID: 2e2a7208-470a-565b-a433-96733b5abf8a

STIX ID: report--2e2a7208-470a-565b-a433-96733b5abf8a

Feed Name: Cyber Press

Threat Score
88/100

Date Published: 2026-06-24

Date Updated: 2026-06-24

Author: Lucas Martin

...
...

A widespread campaign exploited a critical unauthenticated RCE in Laravel Livewire v3 (CVE-2025-54068) to deliver a 5,269-byte Bash credential stealer ('shoc.enz') across more than 6,167 applications, harvesting millions of credentials and secrets (database passwords, Stripe keys, AWS IAM credentials, SMTP passwords, JWT secrets, and email lists). The report details exploitation via PHP object deserialization using PHPGGC gadget chains, attacker infrastructure (C2 domain xantibot.pw, FTP server 47.129.100.149, Telegram handle @ashtarotz, and GoFile exfiltration), provides IOCs and remediation recommendations (upgrade Livewire to v3.6.4+, rotate keys, block outbound FTP), and attributes the activity to a likely Indonesian-origin cybercriminal operator.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.