```html ``` A GitHub Account Slept for Nineteen Months, Then Woke Up Today to Drop a One-Click Mass-Exploit Kit for a 9.6 Load-Balancer Bug. We Caught It in Hours.
top of page

A GitHub Account Slept for Nineteen Months, Then Woke Up Today to Drop a One-Click Mass-Exploit Kit for a 9.6 Load-Balancer Bug. We Caught It in Hours.

  • Writer: Patrick Duggan
    Patrick Duggan
  • 1 minute ago
  • 5 min read

The account was created on November 25, 2024, and then it did nothing for nineteen months. No repositories, no followers, no activity — one of the millions of dormant GitHub shells that sit empty forever. Today, at 11:49 UTC, it woke up. Eighteen minutes of commits later it held a single repository: a fully weaponized, one-click mass-exploitation kit for CVE-2026-8037, a pre-authentication remote-code-execution flaw in Progress Kemp LoadMaster that is already being exploited in the wild. Our hunt flagged it the same day it was pushed.


This is the whole reason we run a discovery sweep instead of a feed of other people's advisories. The disclosure of CVE-2026-8037 is old news by internet time — researchers at watchTowr Labs dissected the bug, exploitation attempts started around June 29, the day the first proof-of-concept appeared, and we wrote up the vulnerability itself on July 1. What is new, and what actually changes a defender's night, is the moment a working demonstration turns into a push-button tool that anyone can point at the whole internet. That moment was today, and it is worth looking at closely.



The bug: your load balancer hands out shells


CVE-2026-8037 carries a CVSS of 9.6 from Progress — the Zero Day Initiative, which took the original report, scores it 9.8 — and the number is earned either way. It is an unauthenticated OS command injection in Progress Kemp LoadMaster, reachable over the network through the API's /accessv2 endpoint when that API is enabled. No login required. The root cause, per watchTowr's analysis, is a function called escape_quotes() that fails to null-terminate a sanitized string, leading to an out-of-bounds read into adjacent heap memory — which the exploit then steers into command execution.


LoadMaster is not a dusty internal box. It is an application delivery controller — a load balancer that sits at the edge of enterprise networks, terminating TLS, fronting authentication, and routing traffic to everything behind it. A compromised ADC is not one server; it is the doorway in front of all of them, with a view of the credentials and sessions passing through. This is the same class of catastrophe as the Citrix and Fortinet edge bugs we have covered all year: the appliance you bought to protect the perimeter becomes the softest part of it. And LoadMaster has stood in this exact spot before — an unauthenticated command-injection flaw, CVE-2024-1212, landed in CISA's exploited-vulnerabilities catalog back in 2024. Same product, same bug class, twice in eighteen months.



The kit: recon, mass RCE, and a shell in one keystroke


The repository is three files, and together they are a complete offensive workflow rather than a research demonstration.


The Python tool runs in an interactive menu or from the command line. Its probe mode comes in two depths: a fast eight-item fingerprint, and a deep sweep of thirty-plus commands that pulls exactly what an intruder wants first — the shadow file, the sudoers configuration, SSH keys, crontab entries, running containers, and docker state. That is not vulnerability confirmation. That is credential theft, persistence reconnaissance, and lateral-movement preparation, automated. It runs single-target or batched across a file of hundreds of hosts, twenty threads at a time.


Then there is the part the author labels "one-click reverse shell." The operator stands up a small web server and a listener on their own machine — the "requires deploying a service on the server" line from the repository's description — and the tool sprays a payload that pulls a script and pipes it straight into a shell, calling home to the attacker's port. The author even golfs the payload down to fit a length limit, noting that a download-and-execute one-liner fits in thirty-one characters.


The injection itself matches the CVE's root cause precisely: the tool sends a crafted API user value that trips the escape_quotes() defect, then heap-sprays the same command sixty-one times to raise the odds it lands, and closes the injection context so the rest of the request is ignored. This is not a copied placeholder. It is a working exploit whose author understood the memory bug underneath it.


And the third file is the one that turns a tool into a campaign: a nuclei template. Nuclei is the scanner defenders and attackers both use to check thousands of hosts against a signature in minutes. Ship a nuclei template alongside a batch-getshell tool and you have handed every reader a way to find vulnerable LoadMasters at internet scale and then pop all of them from a target list. The intended workflow is written into the filenames: scan, save the hits to a "vulnerable targets" file, spray.



The author: a lone light, not a network


We followed the followers, and the graph ended immediately. The account — handle Caster-chen, display name 尘, the Chinese character for "dust" — has zero followers, zero accounts followed, and this one repository. No crew, no fork farm, no RAT-developer social network of the kind we usually map. The bio self-identifies as a web student at Nanyang Institute of Technology in Henan, China, and the repository's documentation is written in first-person Chinese operator shorthand — getshell, one-click, injection principle — the notes of the builder, not a user manual.


Read honestly, and held to the ninety-five percent we always hold: this could be a security student showing off exploit-development skill, which the Chinese university scene produces in volume and posts openly. But two details argue against pure academics. The mass-targeting plumbing — the nuclei scanner, the batch threads, the "vulnerable targets" workflow — is built to operate, not to demonstrate. And a nineteen-month-dormant account waking for exactly one weaponized drop, ten days after the bug went hot, is an operational shape, not a portfolio update. We are not naming intent we cannot prove. We are naming the shape, because the shape is what you defend against.



What to do tonight


If you run Progress Kemp LoadMaster, this is a patch-now item, not a patch-this-quarter one. Apply Progress's fix. If you cannot patch immediately, restrict or disable the LoadMaster API and make sure /accessv2 is not reachable from untrusted networks — the vulnerability is only exploitable when that API is exposed. Hunt your logs for anomalous /accessv2 requests, for API user fields carrying stacked quotes or repeated identical parameters (the heap spray), and for the appliance making outbound HTTP requests to fetch a script — a load balancer that suddenly runs wget has already lost. We have flagged the tool and the campaign infrastructure in our feed at high confidence, and reported the repository.


The bug was disclosed by others, and the credit for the mechanism is watchTowr's and the researchers who caught the in-the-wild activity — we say so plainly. What we did was catch the weaponization the hour it happened, take it apart, and tell you what the tool actually does before it finds you. A pipe would have handed you the CVE number last week. We are handing you the exploit's blueprint and its author's shadow, today.




Every indicator in this post is in the feed. Free.

1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.


bottom of page