Threat actors have exploited a critical zero-day vulnerability in KnowledgeDeliver — a learning management system (LMS) used widely across Japanese organizations — to install the Godzilla web shell on compromised servers. The exploitation occurred before a patch was available, giving attackers persistent backdoor access to affected systems.
The Godzilla Web Shell
Godzilla is a sophisticated, feature-rich web shell originally developed and publicly released by a Chinese security researcher in 2020. It has since become a preferred post-exploitation tool among threat actors targeting Asian organizations, particularly those linked to Chinese state-sponsored campaigns. Godzilla supports encrypted traffic, making it harder to detect via network inspection, and includes a plugin architecture for extending capabilities.
Once deployed on a KnowledgeDeliver server, Godzilla would give attackers:
- Interactive command execution on the host operating system
- File management — upload, download, browse, and modify server files
- Database interaction — direct access to the LMS database containing user credentials and PII
- Network pivoting — the compromised LMS server becomes a launch point for lateral movement into internal networks
- Persistence — the web shell survives server restarts and application updates unless specifically removed
Attack Surface and Target Profile
KnowledgeDeliver is developed by Digital Knowledge and deployed primarily within Japanese educational institutions, government training centers, and corporate e-learning environments. These deployments typically contain:
- Employee or student personally identifiable information
- Login credentials for LMS accounts
- Internal training materials that may include sensitive operational procedures
- Integration credentials for connected enterprise systems
The LMS attack surface is of particular interest to espionage-motivated threat actors, who can leverage educational and corporate training systems as entry points into broader organizational networks.
Zero-Day Exploitation Context
This exploitation follows a pattern observed across several recent campaigns targeting LMS and educational software platforms. Zero-day vulnerabilities in these systems are increasingly valuable because:
- Patch cycles are slow — educational software vendors often lack the rapid response infrastructure of enterprise security vendors
- Detection coverage is low — LMS servers are rarely included in endpoint detection and response (EDR) programs compared to traditional enterprise assets
- High-value access — successful compromise of an LMS server may yield credentials reused on enterprise systems, VPN gateways, or email platforms
Remediation and Detection
Organizations running KnowledgeDeliver should treat affected servers as potentially compromised and conduct a full incident response review:
Immediate steps:
- Apply the available patch from Digital Knowledge immediately
- Search web-accessible directories for recently modified or created .jsp, .aspx, or .php files not part of the original deployment
- Review web server and application logs for unusual POST requests to unexpected file paths
- Audit outbound network connections from the LMS server for unexpected destinations
- Rotate all credentials stored in or accessible from the LMS database
Godzilla web shell indicators:
- Encrypted POST requests to files with unusual names in application directories
- Web server processes spawning unexpected child processes (cmd.exe, bash, sh)
- Large Base64-encoded request bodies to non-standard endpoints
- Unusual file system modifications in web-accessible directories
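The two checks above that lend themselves to automation are the file-system sweep (script files in web-accessible directories that are not part of the deployment) and the log review (POSTs to unexpected paths, repeated and with large bodies). The script below is an added triage example written for this page; it is not code from the article, from BleepingComputer, or from Digital Knowledge. It assumes an Apache-style combined log with one extra trailing field carrying the bytes received for the request (what mod_logio's `%I` provides), a deployment manifest listing the legitimate script paths, and a threshold for "large" request bodies. The `/kd/` paths, the `cache.jsp` file name, and the log lines are constructed for the demonstration and are not KnowledgeDeliver specifics.

```python
"""Web shell triage helpers: unexpected script files and suspicious POST traffic."""
import os
import re
import tempfile
import time
from collections import Counter

# Constructed log format for this example: Apache combined format followed by one
# trailing field with request bytes received (assumption: logged via mod_logio %I).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<resp_bytes>\d+|-) "[^"]*" "[^"]*" (?P<req_bytes>\d+)$'
)

# Extensions the article names as the ones to sweep for.
SHELL_EXTS = ('.jsp', '.aspx', '.php')

# Constructed deployment manifest (hypothetical paths, not from the product).
DEPLOYED = {'/kd/index.jsp', '/kd/login.jsp'}

# Constructed sample log: a normal login, then repeated large POSTs to a script
# that the manifest does not list.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:09:14:02 +0900] "GET /kd/index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 412
203.0.113.7 - - [10/Mar/2025:09:14:05 +0900] "POST /kd/login.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0" 698
198.51.100.23 - - [10/Mar/2025:11:02:41 +0900] "POST /kd/images/cache.jsp HTTP/1.1" 200 310 "-" "Mozilla/5.0" 18240
198.51.100.23 - - [10/Mar/2025:11:02:44 +0900] "POST /kd/images/cache.jsp HTTP/1.1" 200 1024 "-" "Mozilla/5.0" 9732
""".splitlines()


def parse_access_log(lines):
    """Yield parsed records; lines that do not match the expected format are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec['req_bytes'] = int(rec['req_bytes'])
            yield rec


def flag_requests(lines, deployed_paths, body_threshold=4096):
    """Return (findings, post_counts).

    findings: (path, reason) pairs for POSTs to a script-capable file that is not
    in the deployment manifest, or that carry a request body >= body_threshold.
    post_counts: POSTs per unexpected script, since a web shell client hammers one
    file repeatedly rather than browsing the application.
    """
    deployed = {p.lower() for p in deployed_paths}
    findings, post_counts = [], Counter()
    for rec in parse_access_log(lines):
        if rec['method'] != 'POST':
            continue
        path = rec['path'].split('?', 1)[0].lower()
        if path.endswith(SHELL_EXTS) and path not in deployed:
            post_counts[path] += 1
            findings.append((path, 'POST to script not in deployment manifest'))
        if rec['req_bytes'] >= body_threshold:
            findings.append((path, f"request body {rec['req_bytes']} bytes >= {body_threshold}"))
    return findings, post_counts


def unexpected_web_files(webroot, deployed_paths, modified_after=None):
    """Walk webroot; return (relative path, reason) for script files that are not in
    the manifest, or manifest files whose mtime is newer than modified_after (epoch)."""
    deployed = {p.lower() for p in deployed_paths}
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(SHELL_EXTS):
                continue
            full = os.path.join(dirpath, name)
            rel = '/' + os.path.relpath(full, webroot).replace(os.sep, '/')
            if rel.lower() not in deployed:
                hits.append((rel, 'not in deployment manifest'))
            elif modified_after is not None and os.path.getmtime(full) > modified_after:
                hits.append((rel, 'modified after baseline'))
    return sorted(hits)


def build_demo_webroot():
    """Create a throwaway webroot with the manifest files plus one planted script
    (constructed data), then return what unexpected_web_files() reports for it."""
    root = tempfile.mkdtemp(prefix='webshell-demo-')
    for rel in sorted(DEPLOYED):
        p = os.path.join(root, rel.lstrip('/'))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, 'w') as fh:
            fh.write('<%-- legitimate page --%>\n')
    baseline = time.time()  # snapshot taken after the known-good deployment
    planted = os.path.join(root, 'kd', 'images', 'cache.jsp')
    os.makedirs(os.path.dirname(planted), exist_ok=True)
    with open(planted, 'w') as fh:
        fh.write('<%-- placeholder standing in for an unexpected file --%>\n')
    return unexpected_web_files(root, DEPLOYED, modified_after=baseline)


if __name__ == '__main__':
    findings, counts = flag_requests(SAMPLE_LOG, DEPLOYED)
    for path, reason in findings:
        print(f'{path}: {reason}')
    print('POSTs per unexpected script:', dict(counts))
    for rel, reason in build_demo_webroot():
        print(f'{rel}: {reason}')
```

Run it as-is to see the constructed data flagged; for a real review, feed `flag_requests` the server's own access log lines and `unexpected_web_files` the real webroot with a manifest generated from a clean install. The manifest comparison is deliberately the primary signal: Godzilla's encrypted traffic defeats content inspection, but it still has to land in a file the deployment never shipped and be driven by POSTs to that file.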
Source: BleepingComputer