Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1822+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. KnowledgeDeliver LMS Flaw Exploited to Deploy Godzilla and Cobalt Strike
KnowledgeDeliver LMS Flaw Exploited to Deploy Godzilla and Cobalt Strike
NEWS

KnowledgeDeliver LMS Flaw Exploited to Deploy Godzilla and Cobalt Strike

A now-patched high-severity zero-day vulnerability in Digital Knowledge's KnowledgeDeliver LMS, a popular learning management system in Japan, was actively.

Dylan H.

News Desk

May 26, 2026
3 min read

A high-severity zero-day vulnerability in KnowledgeDeliver, a learning management system (LMS) developed by Digital Knowledge and widely used across Japanese educational institutions and corporations, has been actively exploited in the wild to install the Godzilla web shell and deploy Cobalt Strike Beacon implants.

The vulnerability, now patched, allowed attackers to achieve unauthenticated remote code execution (RCE) on affected servers. Researchers from The Hacker News reported the flaw had been exploited prior to the availability of a patch, making it a zero-day at the time of the observed attacks.

Technical Overview

KnowledgeDeliver is a commercial LMS platform with a significant install base in Japan, used for corporate training programs, higher education, and government-affiliated learning initiatives. Its relatively high-value target profile — often containing employee or student PII and authentication credentials — makes it attractive for threat actors looking to establish persistent footholds in organizational networks.

The exploited vulnerability allowed unauthenticated attackers to inject malicious code into the application server. Upon successful exploitation, the attackers deployed:

Godzilla Web Shell — A feature-rich, open-source web shell written in Java, commonly used by Chinese-nexus threat actors. Godzilla supports encrypted communications, file management, command execution, and database access, making it a powerful post-exploitation tool once installed on a server.

Cobalt Strike Beacon — A commercial penetration testing framework widely misused by threat actors. Once deployed, Cobalt Strike enables attackers to perform lateral movement, credential harvesting, and establish persistent command-and-control (C2) channels within compromised environments.

The combination of Godzilla for initial persistence and Cobalt Strike for deeper network penetration is a well-documented pattern among advanced persistent threat (APT) groups with links to state-sponsored operations.

Attribution and Context

Researchers noted the tools and techniques used in these attacks align with tactics, techniques, and procedures (TTPs) associated with China-linked threat actors, though no definitive attribution has been publicly confirmed. The use of Godzilla in particular is frequently observed in intrusion sets attributed to Chinese APT clusters.

The targeting of Japanese organizations and LMS platforms follows a broader trend of state-aligned actors focusing on educational and corporate training infrastructure as pivot points into more sensitive internal systems.

Patch Status

Digital Knowledge has released a patch for the vulnerability. Organizations running KnowledgeDeliver are urged to apply the update immediately. The CVE identifier for this vulnerability has not been publicly disclosed in current reporting but is expected to be published alongside the vendor's security advisory.

Indicators of Compromise

Organizations should inspect their KnowledgeDeliver servers for:

  • Unexpected .jsp or .jspx files in web-accessible directories
  • Unusual outbound network connections on non-standard ports
  • Godzilla web shell artifacts: encrypted POST requests to uncommon URI paths
  • Cobalt Strike beacon patterns: HTTP/S callbacks at regular intervals to external IPs
  • Evidence of credential dumping or lateral movement from the LMS host

Recommendations

  1. Apply the patch immediately — Update to the latest version of KnowledgeDeliver as soon as possible
  2. Audit web-accessible directories for unauthorized files or recently modified application code
  3. Review server access logs for unusual requests predating the patch deployment
  4. Isolate the LMS server from sensitive internal systems until remediation is confirmed
  5. Rotate credentials stored in or accessible via the LMS platform, including integration service accounts
  6. Deploy endpoint detection on the LMS host to identify Cobalt Strike beacon activity

Source: The Hacker News

Related Reading

  • Hackers Exploited KnowledgeDeliver Zero-Day for Web Shell
  • KnowledgeDeliver Flaw Exploited as Zero-Day to Install Web
  • Android March 2026 Security Update Patches 129
#Zero-Day#Vulnerability#LMS#Cobalt Strike#Web Shell#Japan

Related Articles

Hackers Exploited KnowledgeDeliver Zero-Day for Web Shell

A hardcoded machineKey value in KnowledgeDeliver's configuration enabled ViewState deserialization attacks leading to remote code execution and web shell.

3 min read

KnowledgeDeliver Flaw Exploited as Zero-Day to Install Web

Attackers exploited a critical zero-day vulnerability in KnowledgeDeliver LMS servers to deploy the Godzilla web shell, giving persistent backdoor access to.

3 min read

Microsoft Reins in RoguePlanet Zero-Day After Public PoC Release

Researcher 'Nightmare-Eclipse' published a proof-of-concept exploit for a Windows Defender vulnerability in early June after dropping several other Microsoft zero-days — Microsoft has since contained the RoguePlanet threat with a security update.

4 min read
Back to all News