T9 Project’s 3rd Attack Data (T9 Attack) and Cyber Threat Detection (T9 Detect) Preview

Cyber attacks have recently evolved from fragmentary methods that exploit a single vulnerability into step-by-step intrusions that chain different techniques and escalate privileges. The third T9 Project release therefore includes not only single-vulnerability attacks but also complex attacks that chain several techniques, modelled on real intrusion incidents, as listed in Table 1 below; these can be used for more realistic attack research and detection experiments.

Table 1. T9 Project Attack List (2025)

No. | T9 Attack ID        | Domain           | Name / Method
1   | T1-25-01-S-N-CD     | Network          | pfSense Stored XSS Vulnerability (CVE-2024-46538)
2   | T2-25-01-S-N-CL     | Network          | Apache Struts2 Remote Code Execution Vulnerability (CVE-2023-50164)
3   | T3-25-01-S-N-CD     | Network          | Apache OFBiz Authentication Bypass Vulnerability (CVE-2024-38856)
4   | T4-25-01-S-E-FH     | EndPoint         | Search Account Password with LaZagne
5   | T5-25-01-S-E-CL     | EndPoint         | MS Office (docx) External File Download
6   | T6-25-01-S-E-CL     | EndPoint         | Play Ransomware
7   | T7-25-01-S-NE-CDN   | Network+EndPoint | MS Office (doc) External File Download + Play Ransomware
8   | T8-25-01-M-NE-CLFH  | Network+EndPoint | Apache Struts2 RCE Vulnerability + LaZagne
9   | T9-25-01-M-NE-CDFH  | Network+EndPoint | Apache OFBiz Authentication Bypass Vulnerability + su-bruteforce

T9 ATTACK

[Single Attack Scenarios]

First, scenarios 1 through 6 in Table 1 represent attack chains built around a single vulnerability. These scenarios unfold using a specific vulnerability or a single tool, making them relatively straightforward. However, they serve as fundamental building blocks that can be leveraged when constructing more complex attack chains.

(The first scenario) exploits a stored XSS vulnerability in pfSense, an open-source firewall. As illustrated in [Figure 1], this attack is particularly dangerous because it targets network equipment, potentially compromising the security perimeter of an entire network. To illustrate the attack flow: The attacker begins by ① identifying a vulnerable server (the target), then ② injects a malicious script, leveraging the fact that the script is persistently stored. This triggers ③ the vulnerability, resulting in a Stored XSS attack where ④ any user who subsequently loads the page unwittingly executes the malicious script. Such an attack can lead to consequences like administrator session hijacking or the transmission of arbitrary requests, making it a classic exploitation of vulnerabilities in web-based management systems.

Figure 1. T1-25-01-S-N-CD (CVE-2024-46538) Attack Scenario
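The step ② to ④ mechanism above, a value that is stored once and then rendered into the page of every later viewer, is shown below with a vulnerable renderer beside its hardened form. This is an added illustration, not T9 Project code or pfSense code: the in-memory store, the two renderers, the detection helper and the payload string are all constructed for the example.

```python
import html
import re

# Constructed in-memory store standing in for a management UI's persisted settings.
_store = {}


def save_setting(name, value):
    """Persist a user-supplied value exactly as received (both renderers read it)."""
    _store[name] = value


def render_unsafe(name):
    """Vulnerable renderer: interpolates the stored value into HTML verbatim, so a
    stored script runs in the browser of everyone who later loads the page."""
    return f"<tr><td>{name}</td><td>{_store[name]}</td></tr>"


def render_safe(name):
    """Hardened renderer: HTML-encodes at output time (quote=True also covers
    attribute context), so the stored value is displayed rather than executed."""
    return (
        f"<tr><td>{html.escape(name, quote=True)}</td>"
        f"<td>{html.escape(_store[name], quote=True)}</td></tr>"
    )


# Detection helper: script tags or inline event handlers left in rendered output.
SCRIPT_MARKUP = re.compile(r"<\s*script\b|\bon\w+\s*=", re.IGNORECASE)


def contains_active_markup(rendered_html):
    """True if the rendered page still contains markup a browser would execute."""
    return SCRIPT_MARKUP.search(rendered_html) is not None


def demo():
    """Store an inert marker script (constructed payload) and render it both ways.
    Returns (unsafe_output_is_active, safe_output_is_active)."""
    save_setting("description", "<script>/* stored payload marker */</script>")
    return (
        contains_active_markup(render_unsafe("description")),
        contains_active_markup(render_safe("description")),
    )


if __name__ == "__main__":
    print(demo())  # the unsafe renderer leaks active markup, the safe one does not
```

The point worth checking in a real management UI is the output side: the payload is already in the store by the time the page is built, so the encoding has to happen at render time for every context the value lands in, and a test like contains_active_markup over the rendered page is a cheap regression check.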

(The second scenario) involves an attack exploiting a remote code execution (RCE) vulnerability in Apache Struts2, a framework commonly targeted due to its widespread use in web servers. This scenario is particularly powerful because a simple input validation flaw allows attackers to upload a web shell or backdoor. Once established, this can lead to full server compromise, granting the attacker complete control over the system.

(The third scenario) exploits an authentication bypass vulnerability in Apache OFBiz. As an ERP-like system, OFBiz handles sensitive data such as orders, financial records, and customer information, making it a critical business platform. This vulnerability is particularly severe because it allows attackers to directly target an organization’s core operational systems. The attack method involves bypassing the authentication process entirely, granting the attacker access equivalent to administrative privileges. Due to its high impact, this flaw has been frequently exploited in real-world system compromise incidents.

(The fourth scenario) focuses on a password retrieval attack using the LaZagne tool, which is designed to harvest credentials stored locally on a compromised system. This technique is typically employed post-initial compromise as part of lateral movement, where the attacker seeks to gather account information to expand their foothold within the network. LaZagne excels at automatically extracting credentials from a wide range of sources—including web browsers, email clients, and the Windows Credential Manager—allowing attackers to rapidly acquire a large number of accounts and passwords in a short amount of time. This makes it a highly efficient and commonly used method in real-world intrusions.

(The fifth scenario), as depicted in [Figure 2], represents one of the most prevalent and threatening attack vectors today: an MS Office (DOCX) macro-based attack that exploits document files. To break down the attack flow: The attacker begins by ① crafting a document file tailored to a specific target or designed for broad distribution. This file is then ② distributed via email or messaging platforms, disguised as a legitimate business document to entice the victim into opening it. Upon opening the document ③, a request is sent to the attacker’s server to retrieve a remote DOTM template. The server responds by ④ delivering malicious VBA macro code. The document is thereby manipulated to ⑤ enable and execute the macro. Once executed, the macro ⑥ initiates a request to download additional malware from the attacker’s server, which is then ⑦ retrieved and ⑧ executed on the victim’s system, completing the infection. This technique remains highly effective due to its reliance not only on technical exploitation but also on social engineering—leveraging the victim’s trust in seemingly benign office documents—resulting in consistently high success rates even in modern environments.

Figure 2. T5-25-01-S-E-CL (MS Office(.docx) External File Download) Attack Scenario
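Step ③ works because the document's settings part carries an attachedTemplate relationship whose target is external; that relationship is visible statically inside the .docx zip container before Word ever opens the file. The triage script below, added here as an example and not part of the T9 dataset or any vendor tool, reads every .rels part, reports external attachedTemplate targets that point off the local disk, and flags a VBA project inside a plain .docx. The sample package it builds is a constructed minimal OOXML skeleton with only the parts this check reads, and the template URL in the test is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml (entity expansion)

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE = OFFICE_REL + "/attachedTemplate"
WORD_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def external_relationships(docx_bytes):
    """Return (rels_part, relationship_type, target) for every relationship in the
    package whose TargetMode is External. Hyperlinks are legitimately external,
    so callers must filter on the relationship type."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    found.append((part, rel.get("Type", ""), rel.get("Target", "")))
    return found


def is_remote_target(target):
    """Off-disk targets: web URLs, file:// URLs and UNC paths."""
    t = target.strip().lower()
    return t.startswith(("http://", "https://", "file://", "\\\\"))


def remote_templates(docx_bytes):
    """Targets of attachedTemplate relationships that do not point at the local disk:
    the hook used in step ③ to fetch a DOTM from a server the attacker controls."""
    return [target for _, rtype, target in external_relationships(docx_bytes)
            if rtype == ATTACHED_TEMPLATE and is_remote_target(target)]


def has_macro_part(docx_bytes):
    """A .docx (not macro-enabled) that still ships a VBA project is suspicious on its own."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return "word/vbaProject.bin" in zf.namelist()


def triage(docx_bytes):
    """Verdict a mail gateway or sandbox pre-filter could act on."""
    remote = remote_templates(docx_bytes)
    vba = has_macro_part(docx_bytes)
    return {"remote_templates": remote, "has_vba": vba, "suspicious": bool(remote) or vba}


def build_sample_docx(template_target=None):
    """Constructed minimal package (not a complete Word file) with just the parts
    the check reads; an attachedTemplate relationship is added when a target is given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("_rels/.rels", (
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{OFFICE_REL}/officeDocument" Target="word/document.xml"/></Relationships>'))
        zf.writestr("word/document.xml",
                    f'<w:document xmlns:w="{WORD_NS}"><w:body/></w:document>')
        if template_target is not None:
            zf.writestr("word/settings.xml", (
                f'<w:settings xmlns:w="{WORD_NS}" xmlns:r="{OFFICE_REL}">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>'))
            zf.writestr("word/_rels/settings.xml.rels", (
                f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                f'Type="{ATTACHED_TEMPLATE}" Target="{template_target}" TargetMode="External"/>'
                '</Relationships>'))
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample_docx("http://template-host.example/sample.dotm")))
```

A local Normal.dotm path is also recorded with TargetMode="External", which is why the check keys on the target scheme rather than on the mode alone. The legacy binary .doc format used in the seventh scenario is an OLE container, not a zip, and needs a different parser.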

(The sixth scenario) incorporates the Play ransomware, one of the most frequently observed variants in 2024. Like other ransomware families, Play operators typically conduct extensive pre-attack reconnaissance to gather internal intelligence and elevate privileges. Once sufficiently entrenched, they selectively encrypt critical servers and high-value data while employing a double extortion strategy—exfiltrating sensitive information and threatening its public release. This approach not only disrupts the victim organization’s operations and causes service outages but also maximizes pressure to pay the ransom, making Play one of the most devastating ransomware threats observed in recent years.

[Multi-stage Attack Scenarios]

The scenarios composed of multi-stage attacks extend beyond isolated single-vulnerability exploits by constructing several complex attack chains that closely mirror real-world breach incidents. These multi-vector scenarios offer significantly higher realism and reproducibility compared to single-attack cases. As a result, data derived from complex attack scenarios plays a critical role as training and detection data for security models and systems.

(The first multi-stage scenario), as shown in [Figure 3], combines an MS Office document-based attack (involving remote template downloads) with the Play ransomware payload. This scenario is constructed based on real-world incidents that occur frequently. The initial phases ① through ⑤ operate identically to the fifth single-attack scenario described earlier. The key difference lies in the final payload: instead of generic malware, the attack downloads and executes ransomware, enabling secondary—and potentially tertiary—damage through data encryption and extortion. This scenario reflects commonly observed cyber threats and is one that enterprises and organizations frequently encounter. While straightforward in structure, it effectively leverages social engineering techniques that attackers exploit regularly, while maximizing impact through ransomware deployment to cause significant operational and financial harm.

Figure 3. First Multi-stage Attack Scenario (7th Attack)

(The second multi-stage scenario) combines a remote code execution (RCE) vulnerability in Apache Struts2 with credential harvesting using the LaZagne tool. The attacker begins by exploiting the Struts2 RCE flaw to gain initial access to the server. Once inside, they deploy LaZagne to systematically extract stored credentials from browsers, email clients, and the Windows Credential Manager. This enables the rapid acquisition of administrative accounts, facilitating further privilege escalation or lateral movement to other devices on the internal network.

(The final multi-stage scenario) combines an authentication bypass vulnerability in Apache OFBiz with a brute-force attack using su-bruteforce. Similar to previous compound attacks, the attacker first bypasses the authentication process to gain internal access. Once inside, they launch a brute-force attempt against internal administrator (or user) accounts to escalate privileges. This pattern—external compromise → internal credential theft → privilege escalation—is frequently observed in real-world incidents. As such, it represents a highly valuable scenario for training cyber threat detection systems or conducting anomaly behavior analysis.
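The internal privilege-escalation stage of this final scenario leaves a characteristic trace: repeated su attempts against an administrator account appear as a burst of pam_unix authentication failures in the Linux auth log, and the external-compromise-then-brute-force pattern is exactly what a detection system trained on this data should learn to surface. The detector below is an added example rather than T9 Detect or T9 Project code; the log lines are constructed in the standard pam_unix format (host erp01, calling user ofbiz, target root), and the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# pam_unix failure record written by su on Linux; fields after ';' are key=value pairs.
SU_FAILURE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) su(?:\[\d+\])?: "
    r"pam_unix\(su(?:-l)?:auth\): authentication failure;(?P<fields>.*)$"
)
KV = re.compile(r"(\w+)=(\S*)")

# Constructed sample: one legitimate root session, six failures from the 'ofbiz'
# service account 8 s apart, then a single failure from an interactive user.
SAMPLE_AUTH_LOG = [
    "Mar 03 10:20:41 erp01 su[4021]: pam_unix(su:session): session opened for user root by alice(uid=1000)",
    "Mar 03 10:21:03 erp01 su[4102]: pam_unix(su:auth): authentication failure; logname= uid=1001 euid=0 tty=/dev/pts/2 ruser=ofbiz rhost=  user=root",
    "Mar 03 10:21:11 erp01 su[4103]: pam_unix(su:auth): authentication failure; logname= uid=1001 euid=0 tty=/dev/pts/2 ruser=ofbiz rhost=  user=root",
    "Mar 03 10:21:19 erp01 su[4104]: pam_unix(su:auth): authentication failure; logname= uid=1001 euid=0 tty=/dev/pts/2 ruser=ofbiz rhost=  user=root",
    "Mar 03 10:21:27 erp01 su[4105]: pam_unix(su:auth): authentication failure; logname= uid=1001 euid=0 tty=/dev/pts/2 ruser=ofbiz rhost=  user=root",
    "Mar 03 10:21:35 erp01 su[4106]: pam_unix(su:auth): authentication failure; logname= uid=1001 euid=0 tty=/dev/pts/2 ruser=ofbiz rhost=  user=root",
    "Mar 03 10:21:43 erp01 su[4107]: pam_unix(su:auth): authentication failure; logname= uid=1001 euid=0 tty=/dev/pts/2 ruser=ofbiz rhost=  user=root",
    "Mar 03 10:22:05 erp01 su[4150]: pam_unix(su:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/0 ruser=alice rhost=  user=root",
]


def parse_failure(line):
    """Return a dict for an su authentication failure, or None for any other line."""
    m = SU_FAILURE.match(line)
    if not m:
        return None
    fields = dict(KV.findall(m["fields"]))
    # Syslog timestamps carry no year; strptime fills in 1900, which is fine for
    # deltas inside one window (a production parser would take the year from the collector).
    return {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"), "host": m["host"],
            "ruser": fields.get("ruser", ""), "user": fields.get("user", "")}


def detect_su_bruteforce(lines, threshold=5, window_seconds=60):
    """Sliding-window count of su failures per (host, calling user, target user).
    Emits one alert per key the first time `threshold` failures fall within
    `window_seconds`; later failures for the same key extend the window silently."""
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for line in lines:
        ev = parse_failure(line)
        if ev is None:
            continue
        key = (ev["host"], ev["ruser"], ev["user"])
        q = recent[key]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # the newest entry is never dropped, so q stays non-empty
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"host": ev["host"], "ruser": ev["ruser"], "target": ev["user"],
                           "failures": len(q), "first": q[0].strftime("%H:%M:%S"),
                           "last": ev["ts"].strftime("%H:%M:%S")})
    return alerts


if __name__ == "__main__":
    for alert in detect_su_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

Keying on the calling user as well as the target separates a service account hammering root from an administrator mistyping a password, and that calling user (a web-application or ERP service identity rather than a person) is the link back to the external compromise that precedes this stage.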

For more detailed explanations of each attack scenario (known as T9 Attacks), please visit the T9 Project homepage at https://t9project.dev/

T9 Detect

[Designing Cyber Threat Detection Models]

The T9 Project is diligently preparing to release its AI-based network detection technology, the Detect model, in the first half of 2026. Detect is engineered to analyze comprehensive traffic data—including packets, flows, and sessions—to identify not only known threats but also undefined anomalous behaviors. By learning and adapting to evolving attack patterns, it aims to precisely detect threats that traditional security systems often miss.

Beyond detection capabilities, the T9 Project addresses a key limitation of AI-based systems—the reliability of decision-making processes—by incorporating Explainable AI (XAI) techniques. XAI will provide analysts with clear insights into the primary features, payload characteristics, and behavioral clues that influenced a detection result, enabling intuitive understanding of the underlying rationale. The upcoming Detect model, integrated with XAI, goes beyond simple threat alerts to deliver a detection experience that combines accuracy, interpretability, and trustworthiness. We look forward to your continued interest and support.

Figure 5. T9 Detect Conceptual Diagram and Schematic Representation

For more detailed explanations of T9 Detect, please visit the T9 Project homepage at https://t9project.dev/
