Hackers Abuse KnowledgeDeliver LMS Flaw to Install BLUEBEAM Web Shell
ID: 6e8e51aa-6656-5308-a11e-4908631b5388
STIX ID: report--6e8e51aa-6656-5308-a11e-4908631b5388
Feed Name: GBHackers
Mandiant/Google Threat Intelligence observed active exploitation of CVE-2026-5426 in KnowledgeDeliver LMS instances. The attackers used a shared, hardcoded ASP.NET machineKey to craft malicious ViewState payloads, enabling unauthenticated RCE. Intruders deployed the BLUEBEAM (Godzilla) .NET in-memory web shell in the IIS worker process, modified permissions and web files, and used a fake plugin to deliver Cobalt Strike payloads. The report provides an IOC (a SHA-256 hash for LoadLibrary.dll) and recommends rotating machine keys, monitoring Event ID 1316 and w3wp.exe activity, restricting access, and deploying file integrity monitoring to mitigate the risk.
