(Sensitive Information is Currently Redacted)

A single infected server led us into a much larger story. While investigating suspicious repositories on exposed **** Git servers, we uncovered signs of active exploitation: commands hidden inside repository configurations, payloads fetching remote shells, and infrastructure linked to a custom-packed Supershell C2. What at first looked like an opportunistic abuse of a known bug turned out to be something more: an unpatched zero-day vulnerability, already being leveraged in the wild.

While an older RCE was known, the affected systems matched a yet-unknown exploit chain. This mismatch was the first clue that attackers were using a new vulnerability, rather than simply reusing a patched one.

In this talk, we will retrace that investigation. Starting from live exploitation artifacts, we will show how we correlated repositories across multiple tenants, fingerprinted vulnerable internet-facing servers, and pieced together the attack chain. Our scans revealed over 700 compromised **** instances worldwide, with dozens already updated yet still showing signs of compromise. The evidence demonstrated that attackers had a working exploit before disclosure.

We will close with lessons learned for defenders. These include how to detect malicious repository abuse in developer platforms, techniques for hunting zero-days from threat intelligence leads, and what this case study means for the broader risk landscape of self-hosted developer tools.