
Cleo MFT Mass Exploitation Payload Analysis

ID: 651afa0e-c4d6-5e58-a872-e0afdb4583ed

STIX ID: report--651afa0e-c4d6-5e58-a872-e0afdb4583ed

Feed Name: Binary Defense Blog

Threat Score
80/100

Date Published: 2025-08-12

Date Updated: 2026-04-27

...
...

ARC Labs analyzed a multi-stage intrusion that exploited CVE-2024-50623 against Cleo MFT. The chain starts with a PowerShell downloader that retrieves cleo.9261 and XOR-decrypts it; the decoded payload runs a start.class that contacts a command-and-control (C2) server and downloads a secondary JAR directly into memory. That secondary JAR is a modular Java implant made up of multiple classes, providing encrypted C2 communications, remote command execution, file upload and download (including ZIP packaging and recursive directory traversal), and persistence. Indicators include an observed C2 IP address and keys derived from environment variables. The report also notes that exploitation may persist despite vendor patches.
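The summary says the first stage is an XOR-wrapped JAR (cleo.9261, containing start.class) and that the implant's keys are environment-variable based. The script below is an added triage example, not code from the Binary Defense / ARC Labs report or from the malware: it recovers a short repeating XOR key from the ZIP magic a JAR must start with (or accepts a key the analyst pulled from an environment variable), decodes the blob, and confirms it parses as a JAR with a genuine start.class inside. The sample blob, the key b"\x5a\x33" and the environment-variable name are constructed placeholders, not indicators from the report.

```python
"""Added triage example: recover the XOR key of a wrapped JAR stage offline.

Constructed assumptions (not from the report): the sample JAR, the key
b"\x5a\x33" and any environment-variable name passed to key_from_env.
"""
import io
import os
import zipfile
from typing import Optional

# A JAR is a ZIP archive, so a correctly decoded stage starts with the
# local-file-header signature. That is the known plaintext for key recovery.
ZIP_MAGIC = b"PK\x03\x04"
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # every Java .class file begins with this


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encodes and decodes."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_from_env(var_name: str) -> Optional[bytes]:
    """Read a key stored in an environment variable. The variable name is the
    analyst's input; the report's actual name is not reproduced here."""
    value = os.environ.get(var_name)
    return value.encode() if value else None


def derive_key_from_magic(blob: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery of a repeating XOR key of length key_len.
    Only the first four decoded bytes are known (the ZIP magic), so key_len <= 4."""
    if not 1 <= key_len <= len(ZIP_MAGIC):
        raise ValueError("key_len must be between 1 and 4 for magic-based recovery")
    if len(blob) < key_len:
        raise ValueError("blob shorter than key")
    return bytes(blob[i] ^ ZIP_MAGIC[i] for i in range(key_len))


def inspect_jar(decoded: bytes) -> Optional[dict]:
    """Parse decoded bytes as a JAR and report its entries; None if not a ZIP."""
    if not decoded.startswith(ZIP_MAGIC):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(decoded)) as zf:
            names = zf.namelist()
            # A start.class entry is only convincing if it is a real class file.
            start_valid = (
                "start.class" in names
                and zf.read("start.class").startswith(CLASS_MAGIC)
            )
    except zipfile.BadZipFile:
        return None
    return {"entries": names, "start_class_valid": start_valid}


def triage(blob: bytes, key: Optional[bytes] = None, key_len: int = 1) -> dict:
    """Decode an XOR-wrapped stage. Use `key` if known (e.g. from key_from_env),
    otherwise derive a key_len-byte key from the ZIP magic, then validate."""
    if key is None:
        key = derive_key_from_magic(blob, key_len)
    return {"key": key, "jar": inspect_jar(xor_bytes(blob, key))}


def build_sample(key: bytes = b"\x5a\x33") -> bytes:
    """Constructed stand-in for the wrapped stage: a minimal JAR containing a
    start.class stub, XOR-encoded with a two-byte key."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("start.class", CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 16)
    return xor_bytes(buf.getvalue(), key)


if __name__ == "__main__":
    blob = build_sample()
    # A one-byte guess fixes only the first byte of the magic, so validation fails.
    print("key_len=1:", triage(blob, key_len=1)["jar"])
    # The correct key length yields a parseable JAR with start.class inside.
    print("key_len=2:", triage(blob, key_len=2))
```

When the key length is unknown, iterate key_len from 1 to 4 and keep the first result whose jar field is not None; the ZIP parse is the real check, since a wrong key can still produce the four magic bytes by chance only if it is at least four bytes long. Keys longer than four bytes need more known plaintext (for instance the fixed fields of the local file header) or the key recovered from the environment variable the dropper reads.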
