On July 19th, the Imperva Threat Research team detected a sudden surge in HTTP probes targeting Rejetto HTTP File Server (HFS) 2.x instances. What looked like routine internet noise quickly revealed itself as a coordinated attempt to exploit a critical unauthenticated server-side template injection vulnerability (CVE-2024-23692, CVSS 9.8) that can enable arbitrary command execution. The attackers' goal: deploy ransomware and trojan malware at scale, turning forgotten file-sharing servers into launchpads for compromise.
The Attack Unfolds
- Attackers scanned the internet for exposed HFS 2.x servers (the vulnerability affects HFS 2.3m and earlier), leveraging an unauthenticated template injection in the search parameter to execute arbitrary commands.
- A single crafted HTTP request is all it takes to download and execute malicious payloads, with no authentication required. We observed 3 unique samples classified as dropper or ransomware trojans.
- Over 662 exploit attempts were observed across 55 customer domains in our telemetry, spanning several days of sustained activity, each one a potential ransomware incident.
What is Rejetto HFS?
Rejetto HTTP File Server (HFS) is a lightweight, Windows-based web server designed to let users quickly share files over HTTP without deploying a full-featured web stack. Instead of traditional directories and permissions, HFS exposes folders or individual files through a simple GUI and a built-in templating system that renders HTML pages and can run small macros.
The Exploit
The campaign attempted to leverage CVE-2024-23692, a server-side template injection (SSTI) vulnerability in Rejetto HFS that allows attackers to deploy malicious files using payloads of the form described below.
The vulnerability lies within the "search" query parameter, which Rejetto's server reflects into an HFS template. Using a specially crafted search value, the threat actors can break out of the template context and create a new "exec" macro block: "{.exec|{.?cmd.}," which contains a reference to the "cmd" query parameter carrying the malicious payload. Because HFS evaluates user-supplied template fragments after URL decoding, this single request yields remote code execution without authentication on any unpatched HFS 2.x server.
Sample Analysis
During the campaign, the threat actor attempted to drop a range of different trojan malware, all communicating with C2s located in Hong Kong. The detected samples are summarized below:
| Sample category | Malicious URL | Attacks observed | Hash | C2 |
|---|---|---|---|---|
| Farfli Trojan – malicious downloader | hxxp://151[.]242.152.91/setup.exe | 271 | d3b595483589b90f37422d8cc6d06b72d2bb1976dfddc83d44722c6ba0ca6d79 | 45[.]204.217.177 (HK) |
| Zenpak Trojan | hxxp://151[.]242.152.91/QBuumdHTX.exe | 146 | b84d55d8b37a1296a62af298b71f66fddb3ec6042161c5b2c9acd94f2c334c8c | 43[.]250.174.250 (HK) |
| jqvtd Ransomware – blocker | hxxp://151[.]242.152.91/11.exe | 55 | e82431c866c8c1d5cf26e627599cb87ed8929b580ccace973e7b32aa2bc13533 | 43[.]225.58.92 (www[.]sgke.cc, HK) |
Campaign Attribution
Based on our analysis, all observed samples were hosted on the same server, with command-and-control (C2) communications consistently originating from and directed to Hong Kong. Combined with the sustained attack activity over several days, this strongly suggests the involvement of a single, coordinated threat actor.
Figure: Geographical distribution of exploit attempts.
Figure: Industry distribution of targeted customers.
Mitigation Guidance
| Layer | Action |
|---|---|
| Application | Retire or isolate HFS 2.x. The project is end-of-life; only HFS 3.x receives fixes. |
| Network | Block outbound HTTP to unknown IPs from servers; monitor for requests matching the exploit regex `search=.*%url%.*}{\.exec\|.` (blocked out of the box by Imperva CloudWAF and WAF Gateway). |
| Endpoint | Constrain PowerShell (Constrained Language Mode, AMSI); maintain up-to-date malware protection. |
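As an added illustration of the Network row above and of the macro injection described under The Exploit (example code written for this page, not Imperva's signature or Rejetto's code): a small Python scanner that URL-decodes each request in a web-server access log and flags a search parameter that matches the exploit regex or carries any HFS macro opener. The log lines, IP addresses and the cmd value are constructed placeholders; the alternation bar in the regex is escaped so it matches the literal | character.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Signature from the mitigation table: the search value closes the %url% macro
# and opens a new {.exec|...} block. Applied after URL decoding so that
# %7B / %7C encodings of the braces and bar do not evade it.
EXPLOIT_RE = re.compile(r"search=.*%url%.*}{\.exec\|", re.IGNORECASE)
# Broader check: any HFS macro opener "{." inside the search parameter is
# suspicious, because a legitimate filename search never needs template syntax.
MACRO_RE = re.compile(r"\{\.")


def inspect_request(request_line: str) -> dict:
    """Classify one request line of the form 'GET /path?query HTTP/1.1'."""
    parts = request_line.split()
    target = parts[1] if len(parts) >= 2 else request_line
    decoded = unquote(unquote(target))  # decode twice: double encoding is common
    params = parse_qs(urlsplit(decoded).query, keep_blank_values=True)
    search_values = params.get("search", [])
    verdict = {
        "exploit_signature": bool(EXPLOIT_RE.search(decoded)),
        "macro_in_search": any(MACRO_RE.search(v) for v in search_values),
        "cmd_param_present": "cmd" in params,
    }
    verdict["suspicious"] = verdict["exploit_signature"] or verdict["macro_in_search"]
    return verdict


def scan_access_log(lines):
    """Return (line_number, verdict) for every suspicious line in a list of log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'"((?:GET|POST) [^"]+)"', line)
        if not m:
            continue
        verdict = inspect_request(m.group(1))
        if verdict["suspicious"]:
            hits.append((n, verdict))
    return hits


# Constructed sample log lines (placeholders, not from the report's telemetry).
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Jul/2025:10:00:01 +0000] "GET /?search=report.pdf HTTP/1.1" 200 512',
    '203.0.113.9 - - [19/Jul/2025:10:00:02 +0000] "GET /?search=%25url%25%7D%7B.exec%7C%7B.%3Fcmd.%7D.%7D&cmd=PLACEHOLDER HTTP/1.1" 200 0',
    '203.0.113.7 - - [19/Jul/2025:10:00:03 +0000] "GET /?search=%7B.time.%7D HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for n, v in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {v}")
```

The second sample line trips the exploit signature and carries a cmd parameter; the third carries template syntax without the exec macro and is still flagged by the broader check.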
Conclusion
This campaign underlines a familiar pattern: legacy shareware + internet exposure = low-effort ransomware and trojan initial access. Attackers do not need zero-days when widely deployed software remains unpatched for years. If you must host ad hoc file-sharing services, keep them behind VPNs or SSO portals.
Imperva Threat Research will maintain its vigilance in monitoring the activities of this and other threat actors and ensuring security for our customers.
Indicators of Compromise