Lazarus Group Exploits ManageEngine Vulnerability

2023-09-18 USHHS

https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf

Attachments

manage-engine-vulnerability-sector-alert-tlpclear.pdf (257 KB)

Lazarus Group exploited CVE-2022-47966 in Zoho ManageEngine products to target internet backbone infrastructure and healthcare entities in Europe and the United States. After initial access, the actors deployed QuiteRAT, a Qt-based successor to MagicRAT that sends host information to command-and-control servers and executes reconnaissance commands through child cmd.exe processes. The campaign also used CollectionRAT, a remote access tool tied in the report to the Jupiter/EarlyRAT family and an Andariel-linked lineage, with capabilities for arbitrary command execution, metadata gathering, file management, and payload delivery. HC3 highlights the risk to healthcare and public health organizations because the vulnerability enables unauthenticated remote code execution across 24 ManageEngine products when SAML SSO has been enabled.

Indicators of Compromise

Type   Value                                First seen   Last seen
HASH   db6a9934570fa98a93a979e7e0e218e…     2023-08-24   2024-12-27
HASH   ed8ec7a8dd089019cfd29143f008fa0…     2023-08-24   2024-07-25
HASH   773760fd71d52457ba53a314f15dddb…     2023-08-24   2024-07-25
IPv4   146.4.21.94                          2022-09-08   2023-09-22
