Detects and Mitigates Rejetto HFS Spray-and-Pray Ransomware/Trojan Campaign

    Date: 08/11/2025

    Severity: Medium

    Summary

    On July 19, researchers detected a surge of HTTP probes aimed at Rejetto HTTP File Server (HFS) 2.x systems, revealing a coordinated spray-and-pray campaign that exploits CVE-2024-23692 (CVSS 9.8), a critical unauthenticated server-side template injection (SSTI) vulnerability in the HFS 2.x web interface that permits arbitrary command execution from a single crafted request. Because HFS 2.x is no longer maintained, Internet-exposed instances cannot be patched in place; the practical mitigation is to remove the exposure and migrate to a supported release, then hunt for the indicators below.

    Indicators of Compromise (IOC) List 

    URL/Domain

    www.sgke.cc

    http://151.242.152.91/11.exe

    http://151.242.152.91/QBuumdHTX.exe

    http://151.242.152.91/qbuumdhtx.exe

    http://151.242.152.91/setup.exe

    http://154.219.123.25/HttpFileServer.exe

    http://154.219.123.25/httpfileserver.exe

    http://45.204.221.103/setup1.exe

    http://45.204.221.103:7541/setup1.exe

    IP Address

    154.219.123.25

    45.204.217.177

    43.250.174.250

    43.225.58.92

    Hash

    d3b595483589b90f37422d8cc6d06b72d2bb1976dfddc83d44722c6ba0ca6d79

    b84d55d8b37a1296a62af298b71f66fddb3ec6042161c5b2c9acd94f2c334c8c

    e82431c866c8c1d5cf26e627599cb87ed8929b580ccace973e7b32aa2bc13533

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 : 

    domainname like "http://154.219.123.25/HttpFileServer.exe" or siteurl like "http://154.219.123.25/HttpFileServer.exe" or url like "http://154.219.123.25/HttpFileServer.exe" or
    domainname like "http://45.204.221.103/setup1.exe" or siteurl like "http://45.204.221.103/setup1.exe" or url like "http://45.204.221.103/setup1.exe" or
    domainname like "http://151.242.152.91/11.exe" or siteurl like "http://151.242.152.91/11.exe" or url like "http://151.242.152.91/11.exe" or
    domainname like "http://151.242.152.91/setup.exe" or siteurl like "http://151.242.152.91/setup.exe" or url like "http://151.242.152.91/setup.exe" or
    domainname like "http://151.242.152.91/QBuumdHTX.exe" or siteurl like "http://151.242.152.91/QBuumdHTX.exe" or url like "http://151.242.152.91/QBuumdHTX.exe" or
    domainname like "http://151.242.152.91/qbuumdhtx.exe" or siteurl like "http://151.242.152.91/qbuumdhtx.exe" or url like "http://151.242.152.91/qbuumdhtx.exe" or
    domainname like "http://154.219.123.25/httpfileserver.exe" or siteurl like "http://154.219.123.25/httpfileserver.exe" or url like "http://154.219.123.25/httpfileserver.exe" or
    domainname like "http://45.204.221.103:7541/setup1.exe" or siteurl like "http://45.204.221.103:7541/setup1.exe" or url like "http://45.204.221.103:7541/setup1.exe" or
    domainname like "www.sgke.cc" or siteurl like "www.sgke.cc" or url like "www.sgke.cc"

    Detection Query 2 : 

    dstipaddress IN ("45.204.217.177","43.250.174.250","43.225.58.92","154.219.123.25","151.242.152.91","45.204.221.103") or srcipaddress IN ("45.204.217.177","43.250.174.250","43.225.58.92","154.219.123.25","151.242.152.91","45.204.221.103")

    Detection Query 3 :

    sha256hash IN ("e82431c866c8c1d5cf26e627599cb87ed8929b580ccace973e7b32aa2bc13533","d3b595483589b90f37422d8cc6d06b72d2bb1976dfddc83d44722c6ba0ca6d79","b84d55d8b37a1296a62af298b71f66fddb3ec6042161c5b2c9acd94f2c334c8c")
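    The three TDIR queries above are straightforward set lookups, but the URL list mixes cases (QBuumdHTX.exe and qbuumdhtx.exe) and two of the payload hosts (151.242.152.91, 45.204.221.103) appear only inside URL indicators, so an analyst re-implementing the logic elsewhere has to decide how to normalise. The script below is an added example, not Gurucul's or Imperva's code: it re-implements the three queries as offline matching over a few constructed key=value log lines, lower-casing URLs and hashes and also treating the host of every URL indicator as an IP indicator. The log format, field names and sample lines are assumptions chosen to mirror the query fields; the indicator values are copied from the IOC list above.

```python
"""Offline IOC matcher for the Rejetto HFS spray-and-pray advisory.

Added example, not vendor code.  It mirrors Detection Queries 1-3 in plain
Python so the matching logic can be checked without a SIEM.  The key=value
log format and the sample records are constructed for this example.
"""
from urllib.parse import urlsplit

# Indicator values copied verbatim from the advisory's IOC list.
IOC_URLS = {
    "www.sgke.cc",
    "http://151.242.152.91/11.exe",
    "http://151.242.152.91/QBuumdHTX.exe",
    "http://151.242.152.91/qbuumdhtx.exe",
    "http://151.242.152.91/setup.exe",
    "http://154.219.123.25/HttpFileServer.exe",
    "http://154.219.123.25/httpfileserver.exe",
    "http://45.204.221.103/setup1.exe",
    "http://45.204.221.103:7541/setup1.exe",
}
IOC_IPS = {"154.219.123.25", "45.204.217.177", "43.250.174.250", "43.225.58.92"}
IOC_SHA256 = {
    "d3b595483589b90f37422d8cc6d06b72d2bb1976dfddc83d44722c6ba0ca6d79",
    "b84d55d8b37a1296a62af298b71f66fddb3ec6042161c5b2c9acd94f2c334c8c",
    "e82431c866c8c1d5cf26e627599cb87ed8929b580ccace973e7b32aa2bc13533",
}


def _host_of(value: str):
    """Return the host part of a URL or bare domain (None if there is none)."""
    return urlsplit(value if "://" in value else "//" + value).hostname


# Normalised lookup tables.  URLs are compared case-insensitively (the IOC list
# itself carries two case variants of the same file), and the host of every
# URL indicator is also treated as a network indicator so a bare connection to
# a staging server is caught even when the record has no URL field.
_URLS_LOWER = {u.lower() for u in IOC_URLS}
_HOSTS = {_host_of(u) for u in IOC_URLS} | IOC_IPS


def parse_record(line: str) -> dict:
    """Parse one 'key=value key=value' line (constructed format, no spaces in values)."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def match_record(rec: dict) -> list:
    """Return a list of indicator hits for one parsed record (empty if clean)."""
    hits = []
    # Detection Query 1: URL / domain indicators across the three URL-ish fields.
    for field in ("domainname", "siteurl", "url"):
        value = rec.get(field, "").lower()
        if not value:
            continue
        if value in _URLS_LOWER:
            hits.append(f"url:{field}={rec[field]}")
        elif _host_of(value) in _HOSTS:
            hits.append(f"host:{field}={_host_of(value)}")
    # Detection Query 2: source / destination IP indicators.
    for field in ("srcipaddress", "dstipaddress"):
        if rec.get(field) in _HOSTS:
            hits.append(f"ip:{field}={rec[field]}")
    # Detection Query 3: SHA-256 indicators (hashes are case-insensitive).
    if rec.get("sha256hash", "").lower() in IOC_SHA256:
        hits.append(f"hash:sha256hash={rec['sha256hash'].lower()}")
    return hits


def scan(log_text: str) -> list:
    """Scan newline-separated records; return [(line_index, hits)] for matches only."""
    results = []
    for idx, line in enumerate(log_text.splitlines()):
        hits = match_record(parse_record(line))
        if hits:
            results.append((idx, hits))
    return results


# Constructed sample records (not real telemetry): two payload downloads, one
# inbound probe from a listed IP, one file hash, and one benign request.
SAMPLE_LOG = """\
ts=2025-07-19T10:01:02Z srcipaddress=10.0.0.5 dstipaddress=151.242.152.91 url=http://151.242.152.91/11.exe
ts=2025-07-19T10:01:03Z srcipaddress=10.0.0.5 dstipaddress=45.204.221.103 url=HTTP://45.204.221.103:7541/SETUP1.EXE
ts=2025-07-19T10:02:10Z srcipaddress=43.225.58.92 dstipaddress=10.0.0.8 url=/?search=index
ts=2025-07-19T10:03:00Z host=fs01 sha256hash=E82431C866C8C1D5CF26E627599CB87ED8929B580CCACE973E7B32AA2BC13533
ts=2025-07-19T10:04:00Z srcipaddress=10.0.0.9 dstipaddress=93.184.216.34 url=http://example.com/index.html
"""

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG):
        print(f"record {idx}: {', '.join(hits)}")
```

    Records 0 to 3 match and record 4 does not; the upper-cased download on record 1 and the upper-cased hash on record 3 are caught only because of the normalisation, which is the detail to carry over when porting these queries to a SIEM whose `like` or `IN` operators are case-sensitive.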

    Reference:    

    https://www.imperva.com/blog/imperva-detects-and-mitigates-rejetto-hfs-spray-and-pray-ransomware-trojan-campaign/


    Tags

    Malware, Vulnerability, Ransomware, Trojan, CVE-2024, Exploit, Spray-and-Pray
