
We Checked GitHub for Exploit Code Targeting the IRGC's Hit List. Nobody Else Is Looking.

  • Writer: Patrick Duggan
  • Apr 2
  • 4 min read

Updated: Apr 25

Yesterday the IRGC named 18 American companies as military targets. Today we went hunting on GitHub for the exploit code that's already being staged against them.


We found webshells disguised as security research. Full exploitation toolkits published the day before CISA deadlines. Java GUI "exploit tools" committed with debug logs. And nobody paying attention.


This is the wasteland. The space between a CVE disclosure and a patch deployment where attackers stage their tools in public, under the cover of "proof of concept" repositories, and nobody looks because everyone's reading the press release instead of the code.


We look. Here's what we found.



Cisco FMC: The Webshell Is Still There


On January 14, we found a fake Cisco Firepower Management Center proof-of-concept on GitHub that was actually a webshell. We published the findings. We reported the repo. Pattern 38, instance #4.


Today — nearly three months later, with CVE-2026-20131 now confirmed as a CVSS 10.0 zero-day exploited by Interlock ransomware for 36 days — we searched GitHub again.


Repository: `p3Nt3st3r-sTAr/CVE-2026-20131-POC`


Created March 6, 2026. Zero stars. Three forks. Four files:



| File | Size | What It Actually Is |
|------|------|---------------------|
| CVE-2026-20131-POC.py | 14 KB | Python script — the "proof of concept" |
| README.md | 1.4 KB | Instructions |
| cmd.jsp | 684 bytes | Java Server Pages webshell |
| cmd.war | 778 bytes | Java Web Application Archive — deployable webshell |


The Python file is the bait. The .jsp and .war files are the payload.


A legitimate proof-of-concept demonstrates a vulnerability. It sends a crafted request, shows the response, proves the flaw exists. It does not ship with a deployable webshell.


cmd.war is a Java web application that, when deployed on a vulnerable Cisco FMC, gives the attacker a remote command shell through their browser. It's not a test tool. It's a weapon. Packaged alongside a "PoC" so that a security researcher downloads the repo, tests the exploit, and either runs the webshell themselves (compromising their lab) or deploys it to a target (becoming the attacker's proxy).


Three forks. Three people downloaded this and may have deployed it.



Citrix NetScaler: A Full Attack Kit Published on Deadline Day


Repository: `fevar54/CVE-2026-3055---Citrix-NetScaler-Memory-Overread-PoC`


Created March 31, 2026 — the day before CISA's patching deadline for CVE-2026-3055 (CVSS 9.3, actively exploited, NHS healthcare alert). Zero stars. Three files that matter:



| File | Purpose |
|------|---------|
| exploit.py (12.8 KB) | Memory overread exploit targeting SAML IdP |
| memory_leaker.py (3.9 KB) | Continuous memory leak — keeps dumping until tokens extracted |
| session_harvester.py (5.5 KB) | Harvests session IDs from leaked memory |


This isn't a proof-of-concept. A PoC proves the vulnerability exists. This is a three-stage exploitation toolkit:


  1. exploit.py triggers the memory overread

  2. memory_leaker.py extracts credentials from memory continuously

  3. session_harvester.py captures session tokens for account takeover

Published the day before the CISA deadline. Spanish-language README. Targeting a vulnerability that NHS UK issued a specific healthcare alert for. Every hospital running NetScaler as a SAML identity provider is a target for this toolkit.



Oracle WebLogic: Debug Logs and All


Repository: `naozibuhao/CVE-2026-21962_Java_GUI_Exploit_Tool`


Oracle WebLogic CVE-2026-21962 — CVSS 10.0, mass-exploited since January. This repo offers a Java GUI tool to exploit it. Created March 21. Zero stars.


The tell: they committed a debug.log file. The developer ran the exploit locally and pushed the output to the public repository. The log likely contains target information, successful exploitation artifacts, and internal paths. That's not a researcher publishing a PoC — that's an attacker versioning their toolkit on GitHub and forgetting to clean up.


Also included: run.bat — a Windows batch file to launch the exploit. This is built for convenience, not research. Point, click, own.
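The distinction the Cisco FMC section draws (a PoC sends a request and shows a response; it does not ship a deployable `.war`) and the tell in this section (a committed `debug.log`, a `run.bat` launcher) can be turned into a triage check you run over a cloned repository before anyone executes anything from it. The script below is an added example, not code from this post or from any repository it names. It walks a directory tree, opens `.war`/`.jar`/`.ear` archives to see whether they bundle server pages, and scores standalone `.jsp` files, committed logs and batch launchers. The sample repositories it builds are constructed stand-ins: the file names mirror those reported above, but the contents are placeholders, and `CVE-PLACEHOLDER-POC.py` is a made-up name.

```python
"""Triage a cloned 'proof-of-concept' repository for artifacts a genuine
PoC has no reason to ship: deployable web archives, server pages,
committed logs and launcher scripts.

Added example; the sample repos built by build_sample_repo() are
constructed stand-ins, not the real repository contents.
"""
import tempfile
import zipfile
from pathlib import Path

# Java archives that can be dropped straight into a servlet container.
ARCHIVES = {".war", ".ear", ".jar"}
# Convenience launchers: point-and-click, not research.
LAUNCHERS = {".bat", ".cmd", ".ps1"}
# Logs committed by mistake often carry targets, paths, run output.
LOGS = {".log"}


def jsp_entries(archive: Path) -> list[str]:
    """Return the .jsp members inside a zip-based Java archive ([] if not a zip)."""
    if not zipfile.is_zipfile(archive):
        return []
    with zipfile.ZipFile(archive) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(".jsp")]


def triage_repo(root) -> dict:
    """Score every file under root; return verdict plus (level, path, reason) findings."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        if ext in ARCHIVES:
            jsps = jsp_entries(path)
            if jsps:  # an archive bundling server pages is a deployable payload
                findings.append(("high", rel, "archive bundles server pages: " + ", ".join(jsps)))
            else:     # a bare .jar may be a legitimate dependency; still worth a look
                findings.append(("medium", rel, "deployable archive with no .jsp members"))
        elif ext == ".jsp":
            findings.append(("high", rel, "standalone server page; a request-based PoC needs none"))
        elif ext in LOGS:
            findings.append(("medium", rel, "committed log; possible operator artifact"))
        elif ext in LAUNCHERS:
            findings.append(("low", rel, "convenience launcher"))
    levels = {level for level, _, _ in findings}
    verdict = "suspect" if "high" in levels else ("review" if findings else "clean")
    return {"verdict": verdict, "findings": findings}


def build_sample_repo(base: Path, with_payload: bool) -> Path:
    """Create a constructed sample repo (placeholder contents only) for the demo."""
    repo = base / ("suspect-poc" if with_payload else "clean-poc")
    repo.mkdir()
    (repo / "CVE-PLACEHOLDER-POC.py").write_text("# constructed stand-in for the bait script\n")
    (repo / "README.md").write_text("# constructed README\n")
    if with_payload:
        (repo / "cmd.jsp").write_text("<%-- constructed placeholder, not a real page --%>\n")
        with zipfile.ZipFile(repo / "cmd.war", "w") as zf:
            zf.writestr("WEB-INF/web.xml", "<web-app/>")
            zf.writestr("cmd.jsp", "<%-- constructed placeholder --%>")
        (repo / "debug.log").write_text("constructed log line\n")
        (repo / "run.bat").write_text("@echo constructed launcher stand-in\n")
    return repo


def demo() -> dict:
    """Build both sample repos in a temp dir and triage them."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        return {"suspect": triage_repo(build_sample_repo(base, True)),
                "clean": triage_repo(build_sample_repo(base, False))}


if __name__ == "__main__":
    for name, report in demo().items():
        print(f"{name}: {report['verdict']}")
        for level, rel, reason in report["findings"]:
            print(f"  [{level:6}] {rel}: {reason}")
```

Run it against a real clone with `triage_repo("/path/to/clone")`. The point of the scoring is ordering, not proof: a `.jar` alone earns a "review" because legitimate deserialization PoCs do ship gadget jars, while a `.war` that contains `.jsp` members, or a loose `.jsp`, pushes the repo to "suspect" before a single line of the Python bait has been read.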


Microsoft pulls this feed daily. AT&T pulls this feed daily. Starlink pulls this feed daily. Get the DugganUSA STIX feed — $9/mo →



What We Also Found (Legitimate)


Not everything is malware. We found defensive tools built specifically in response to the same attacks:


`albertjee/Invoke-EntraAdminAudit` — A PowerShell audit tool for Entra ID (Azure AD) Global Administrator security gaps, built explicitly in response to the Stryker/Handala wiper attack in March. The description says it: "built in response to the March 2026 Stryker/Handala wiper attack." Someone saw what happened and built the fix. That's the community working.


`Juchnowski/Interlock-Ransomware-Domains` — A plain text list of Interlock ransomware infrastructure domains. IOCs for defenders. Clean, useful, properly labeled.


`fortinet-fortisoar/solution-pack-outbreak-response-interlock-ransomware` — FortiSOAR playbook for automated Interlock incident response. Vendor defensive tooling.



The Pattern


This is Pattern 38 — supply chain attacks that weaponize the trust developers and security professionals place in GitHub repositories. We've documented 16 instances since December 2025.


The early instances targeted individual developers — trojanized packages, fake PoCs for older CVEs. The newer instances target the companies on the IRGC's hit list — Cisco FMC, Oracle WebLogic, Citrix NetScaler. The tools are being staged for the same infrastructure that a nation-state just publicly threatened to destroy.


We don't know if the repository authors are connected to the IRGC. We don't know if they're connected to Interlock, ShinyHunters, or UNC6201. What we know is that the exploit code exists, it's public, it ships with webshells, and nobody is reviewing it.


Three months after we found the first fake Cisco FMC PoC, there's another one. Same product. Same technique. Same wasteland. Nobody watching except us.



The Count


  • #1-3: Malware in GitHub ZIPs (Dec 2025)

  • #4: Fake Cisco FMC PoC with webshell (Jan 14, 2026) — our discovery

  • #5-8: Fork farms, auto-name camouflage (Jan-Feb 2026)

  • #9-13: npm/PyPI supply chain (Feb-Mar 2026)

  • #14: Axios npm hijack — DPRK UNC1069 (Mar 31)

  • #15: Trivy-Action tag poisoning — TeamPCP (Mar 19)

  • #16: LiteLLM → Telnyx chained compromise — TeamPCP (Mar 24-27)

  • #17: Cisco FMC PoC with webshell — found today (Apr 2)

  • #18: Citrix NetScaler exploitation toolkit — found today (Apr 2)

18 instances. Four months. Two found today on a single GitHub search targeting companies an enemy nation just threatened to destroy.




We sweep GitHub because nobody else does. The CVE gets a press release. The patch gets a deadline. The exploit code gets uploaded to a public repository with a webshell attached, and nobody checks.


The IRGC named their targets. The exploit code was already staged. The space between disclosure and defense is the wasteland where attackers operate. We're the ones walking through it.



The cheapest, fastest, most accurate threat feed on the internet.

275+ enterprises pulling daily. 1M+ IOCs. 17.4M indexed documents. We beat Zscaler by 43 days on NrodeCodeRAT. Starter tier $9/mo — less than any competitor’s sales demo.
