File timestamps preserved inside a 9.1GB archive found on a Chinese threat actor's staging server let us reconstruct a complete intrusion: WordPress web shell to DirtyPipe container escape, socat tunnelling, fscan credential spray across 164 government machines, and 754MB of internal GitLab source code — all in eight weeks.
grep -rl "gdf" ./posts
#gdf
2 matches
A Shodan hit on an Alibaba Cloud Singapore IP leads to a 9.1GB archive that turns out to be an attacker's working directory from inside a compromised Brazilian government server — containing a DirtyPipe exploit, fscan lateral movement results across the GDF internal network, 164 confirmed credential compromises, and 754MB of exfiltrated GitLab source code.