Google flags KnowledgeDeliver flaw & Chinese phishing surge


Wed, 27th May 2026
Sofiah Nichole Salivio, News Editor

Google's threat intelligence teams have disclosed a critical security flaw in the KnowledgeDeliver learning management system and reported a rise in Chinese-language phishing services. The findings point to widening cyber risks for organisations using common web applications and for consumers targeted through mobile messaging scams.

Mandiant investigated a breach involving a compromised web server running KnowledgeDeliver, a learning management system developed by Digital Knowledge and widely used in Japan. It identified a vulnerability, tracked as CVE-2026-5426, that allowed unauthenticated remote code execution through shared ASP.NET machine keys embedded in a standard configuration file.

Installations deployed before a vendor update used identical hardcoded machineKey values across separate customer environments. That meant an attacker who obtained the key from one internet-facing deployment could target others by crafting a malicious ViewState payload and sending it in the __VIEWSTATE parameter of an HTTP request.

The investigation found that an unknown threat actor exploited the flaw as a zero-day, then modified the platform to target site visitors. The attacker injected malicious code into a JavaScript file, displayed a fake security alert, and pushed users to install what appeared to be a security authentication plugin.

That led to the delivery of a Cobalt Strike BEACON backdoor to user workstations. The payload was encrypted with a key based on the compromised organisation's name, suggesting the malware had been prepared specifically for that target.

Server access

After gaining access, the attacker also deployed BLUEBEAM, an in-memory .NET web shell also known as Godzilla. Because it runs inside the IIS worker process, it is harder to detect through file-based scanning, and it can execute additional commands and payloads delivered through encrypted HTTP POST requests.

The actor was also seen changing file permissions with icacls to give "Everyone" full access to the web application directory. Researchers advised organisations to rotate machine keys immediately, ensure each KnowledgeDeliver instance uses a unique cryptographic key, and restrict LMS access where possible to known organisational IP ranges.
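The shared-secret problem and the "unique key per instance" advice can be checked mechanically. The following is an added illustration, not code from Google, Mandiant or Digital Knowledge: it audits a set of web.config fragments for machineKey values reused across deployments and generates a replacement key for one instance. The config fragments and key values are constructed for the example.

```python
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Optional

# Constructed web.config fragments standing in for three separate customer
# deployments (made-up key values, not the vendor's real ones). Instances A and B
# share one hardcoded machineKey, the pattern behind CVE-2026-5426; C has its own.
CONFIGS = {
    "customer-a": """<configuration><system.web>
      <machineKey validationKey="AAAA1111" decryptionKey="BBBB2222"
                  validation="SHA1" decryption="AES"/></system.web></configuration>""",
    "customer-b": """<configuration><system.web>
      <machineKey validationKey="AAAA1111" decryptionKey="BBBB2222"
                  validation="SHA1" decryption="AES"/></system.web></configuration>""",
    "customer-c": """<configuration><system.web>
      <machineKey validationKey="CCCC3333" decryptionKey="DDDD4444"
                  validation="HMACSHA256" decryption="AES"/></system.web></configuration>""",
}

def extract_machine_key(config_xml: str) -> Optional[dict]:
    """Return the <machineKey> attributes from a web.config, or None if absent."""
    node = next(ET.fromstring(config_xml).iter("machineKey"), None)
    return dict(node.attrib) if node is not None else None

def find_shared_keys(configs: dict) -> dict:
    """Map each validationKey to the deployments using it, keeping only keys seen
    in more than one deployment (one leaked key then unlocks all of them)."""
    owners = defaultdict(list)
    for name, xml in configs.items():
        mk = extract_machine_key(xml)
        # AutoGenerate keys are derived per machine, so they cannot be shared.
        if mk is None or mk.get("validationKey", "").startswith("AutoGenerate"):
            continue
        owners[mk["validationKey"]].append(name)
    return {key: names for key, names in owners.items() if len(names) > 1}

def new_machine_key() -> str:
    """Build a unique <machineKey> element for one instance: a 64-byte HMACSHA256
    validation key and a 32-byte AES decryption key, both from a CSPRNG."""
    validation_key = secrets.token_hex(64)   # 128 hex chars
    decryption_key = secrets.token_hex(32)   # 64 hex chars, AES-256
    return (f'<machineKey validationKey="{validation_key}" '
            f'decryptionKey="{decryption_key}" '
            'validation="HMACSHA256" decryption="AES"/>')

if __name__ == "__main__":
    for key, names in find_shared_keys(CONFIGS).items():
        print(f"shared validationKey {key[:8]}... used by: {', '.join(names)}")
    print("replacement for one instance:", new_machine_key())
```

Rotating a key invalidates every ViewState and forms-authentication ticket issued under the old one, so schedule the change for a maintenance window.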

Mandiant also listed indicators that could help security teams detect exploitation. These included ASP.NET application log entries under Event ID 1316, suspicious child processes spawned by w3wp.exe such as cmd.exe and powershell.exe, unauthorised changes to JavaScript, ASPX or configuration files, and unusual User-Agent strings in web logs.
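Two of those indicators, tooling User-Agents hitting .aspx handlers and shells or icacls spawned by w3wp.exe, can be turned into simple rules. The snippet below is an added example, not detection content from the Mandiant write-up; the IIS W3C log lines and process-creation events it runs over are constructed.

```python
import ntpath

# Constructed sample telemetry (not taken from the incident write-up): four IIS
# W3C log lines and four process-creation events in a simplified Sysmon-like shape.
IIS_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2026-05-20 09:12:01 203.0.113.7 GET /lms/login.aspx 200 Mozilla/5.0+(Windows+NT+10.0)+Chrome/124.0
2026-05-20 09:12:44 198.51.100.9 POST /lms/default.aspx 500 python-requests/2.31
2026-05-20 09:12:45 198.51.100.9 POST /lms/default.aspx 200 python-requests/2.31
2026-05-20 09:13:10 203.0.113.8 GET /lms/js/app.js 200 Mozilla/5.0+(Macintosh)+Safari/17.4"""

PROCESS_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Process"},
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\icacls.exe",
     "cmdline": r"icacls C:\inetpub\wwwroot\lms /grant Everyone:F"},
]

# Child images that the IIS worker process should not normally launch.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "icacls.exe"}

def parse_iis_log(text: str) -> list:
    """Parse W3C extended log lines using the #Fields header as column names."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split())))
    return records

def non_browser_aspx_hits(records: list) -> list:
    """Flag .aspx requests whose User-Agent does not look like a browser (tooling UAs)."""
    hits = set()
    for r in records:
        ua = r.get("cs(User-Agent)", "-")
        if r["cs-uri-stem"].lower().endswith(".aspx") and not ua.startswith("Mozilla/"):
            hits.add((r["c-ip"], r["cs-method"], ua))
    return sorted(hits)

def w3wp_spawned_shells(events: list) -> list:
    """Return command lines of suspicious children whose parent is w3wp.exe."""
    return [e["cmdline"] for e in events
            if ntpath.basename(e["parent"]).lower() == "w3wp.exe"
            and ntpath.basename(e["image"]).lower() in SUSPICIOUS_CHILDREN]
```

The User-Agent rule is a weak signal on its own; pair it with the Event ID 1316 ViewState MAC failures and the process-lineage rule before raising an alert.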

The findings add to a broader pattern in which software deployments using shared secrets create a single point of failure across multiple customers. Here, the risk stemmed from a standard vendor-supplied configuration, making the issue relevant beyond a single victim.

Phishing market

Separately, Google Threat Intelligence Group said it had tracked a fast-growing Chinese-language phishing-as-a-service market developing differently from the long-established Russian-speaking ecosystem. The group analysed a dozen current services, many of them mature operations closely linked to a wider criminal marketplace.

Rather than focusing mainly on account credentials, these services have increasingly shifted to real-time interception of one-time passcodes and the use of stolen card details in digital wallets. The aim is often direct control of financial accounts, not simply account access.

Researchers said the operations frequently use Rich Communication Services and Apple's iMessage instead of standard SMS. Because those channels are encrypted, they can be harder for server-side systems to inspect and filter, while features such as read receipts and richer media make fraudulent messages more convincing.

Once a victim clicks a phishing link and enters details, the data appears immediately in an administration panel. That allows the attacker to request the same one-time passcode on their own device and capture the code from the victim before it expires, bypassing multifactor authentication in real time.

Many of the Chinese-language services also now rely on artificial intelligence tools to build phishing pages dynamically. One platform linked to UNC5814, known as Darcula, was described as using AI-generated page creation and browser automation tools such as Puppeteer to clone legitimate websites from a target URL, making each phishing page less predictable for signature-based detection systems.

Japan focus

One case study highlighted by researchers was YY Lai Yu, a phishing service advertised in Chinese-language channels that has focused heavily on Japan while supporting attacks in 119 countries. The service offered more than 400 phishing templates and expanded beyond banking pages to mimic brands and services used in daily life, including eCommerce, transport, gaming and mobile payments.

These lures drew on local habits and pressures, including loyalty point redemption offers and messages tied to electricity subsidy themes. Phishing pages were also often protected by a manual anti-bot screen designed to slow analysis by security vendors.

Providers in this market often operate openly on Telegram and offer related services alongside phishing kits, including stolen personal data, hosting, domain registration, spamming support, money laundering and trading in stolen payment card information. The activity shows how a broader Chinese-speaking criminal ecosystem is enabling less skilled actors to run convincing campaigns at scale.

Google argued that user awareness training remains important, but is no longer enough on its own against phishing systems that intercept passcodes live and turn stolen payment details into tokenised wallet assets. The group pointed to stronger authentication methods such as FIDO2 and WebAuthn, as well as risk-based checks during digital wallet provisioning, as ways to reduce the value of stolen credentials.

Chinese-speaking phishing operators are continuing to update their tools frequently in an effort to extend their global reach across the Americas, Europe, Australia and the Middle East.