Inside WEEPSTEEL: The Sophisticated Reconnaissance Malware at the Heart of the Sitecore Zero-Day Attacks

Special Report | Monday, September 8, 2025

A deep dive into the custom-built toolkit reveals an adversary focused on long-term intelligence gathering and deep network infiltration

ARLINGTON, Va. — As the cybersecurity community continues to grapple with the fallout from the critical Sitecore zero-day vulnerability (CVE-2025-53690), a clearer picture is emerging of the sophisticated malware at the center of the attacks. Dubbed WEEPSTEEL by the Mandiant researchers who discovered it, this custom-built toolkit is far more than a simple backdoor; it’s a purpose-built reconnaissance platform designed for methodical, long-term intelligence gathering within high-value enterprise networks.

An exclusive technical analysis provided to The Cyber Reporter by Mandiant reveals a level of sophistication and operational discipline that suggests the involvement of a well-resourced and patient adversary. WEEPSTEEL isn’t designed for quick smash-and-grab operations; it’s designed to be the first step in a long-term campaign of deep network infiltration.

“When we decrypted the initial ViewState payload, we weren’t expecting to find something this… elegant,” commented one of the Mandiant researchers involved in the analysis, who spoke on condition of anonymity due to the ongoing investigation. “This isn’t your typical commodity malware. Every function in WEEPSTEEL is geared towards one thing: understanding the compromised environment as quietly and efficiently as possible.”

WEEPSTEEL’s Core Functionality: A Digital Spy’s Toolkit

At its core, WEEPSTEEL is a .NET assembly, delivered as Information.dll, that functions as a comprehensive internal reconnaissance tool. Once executed on a compromised Sitecore server, its primary mission is to gather a detailed snapshot of the host and its surrounding network environment. Mandiant’s analysis shows the malware is programmed to systematically collect and exfiltrate the following information.

  • Operating System Information: Detailed data about the OS version, patch level, and system configuration.

  • Disk and Directory Information: A full inventory of disk drives, partitions, and the current web application directory structure.

  • Network Adapter Information: A comprehensive list of all network interfaces, their IP configurations, and physical MAC addresses.

  • Running Processes: A complete list of all active processes on the system.

This initial data grab provides the attackers with a detailed blueprint of the compromised server, allowing them to make informed decisions about their next steps.

“The level of detail they’re collecting from the outset is telling,” the Mandiant researcher explained. “They’re not just looking for a way in; they’re looking to understand the entire landscape. This is the kind of reconnaissance you’d expect from a nation-state actor or a top-tier criminal organization planning a complex, multi-stage attack.”

Exfiltration with Stealth: Hiding in Plain Sight

One of WEEPSTEEL’s most sophisticated features is its exfiltration mechanism. Rather than opening a new network connection that might be detected by security monitoring tools, the malware cleverly disguises its outbound communication as legitimate web traffic.

WEEPSTEEL sends its collected data back to the attackers through a hidden HTML field masquerading as a standard __VIEWSTATE parameter. The data is AES-encrypted, Base64-encoded, and embedded within what appears to be a normal HTTP POST request to the /sitecore/blocked.aspx endpoint. To a casual observer or an automated security tool, this traffic looks almost identical to legitimate Sitecore activity.

“This is a classic example of hiding in plain sight,” commented Dr. Sarah Chen, a cybersecurity professor at MIT who specializes in malware analysis. “By using the application’s own communication channels and data formats, the attackers significantly reduce their risk of detection. It’s a very patient and disciplined approach.”

Beyond WEEPSTEEL: The Attacker’s Post-Exploitation Toolkit

WEEPSTEEL is just the first stage of a much broader attack chain. Once the initial reconnaissance is complete, the attackers deploy a carefully selected suite of additional tools, many of which are legitimate security and administration utilities repurposed for malicious activities. This approach, known as “living off the land,” further complicates detection efforts.

Mandiant’s investigation identified the following tools being staged in a public directory on the compromised server:

  • EARTHWORM: An open-source network tunneling tool used to create a reverse SOCKS proxy, providing the attackers with a persistent and flexible channel into the compromised network.

  • DWAGENT: A legitimate open-source remote access tool, deployed to provide stable, long-term remote control over the compromised system.

  • SHARPHOUND: The data collection component of the popular Active Directory security analysis platform, BloodHound. The attackers used SharpHound to perform extensive reconnaissance of the Active Directory environment, mapping trust relationships, identifying privileged accounts, and planning lateral movement pathways.

“The choice of tools here is very deliberate,” the Mandiant researcher noted. “They’re using a mix of open-source and legitimate tools that are difficult to flag as inherently malicious. It shows they’re not just technically skilled—they’re also well-versed in modern operational security practices.”

Escalating Privileges: From Web Server to Domain Control

With their toolkit in place, the attackers methodically escalated their privileges within the network. They created new local administrator accounts (with names like asp$ and sawadmin) and used these to dump the SAM and SYSTEM registry hives, a technique used to compromise cached administrator credentials.

Once they obtained legitimate administrator credentials, they moved to a new RDP session and executed SharpHound to perform a full Active Directory reconnaissance sweep. The output of this scan, a comprehensive map of the entire domain, was then archived using 7-Zip, preparing it for exfiltration.

Finally, in a clear sign of their confidence and long-term intentions, the attackers cleaned up their initial tracks by removing the temporary asp$ and sawadmin accounts, relying instead on the compromised legitimate administrator accounts for future access.

What This Means for Defenders

The sophistication of WEEPSTEEL and the associated attack chain presents a significant challenge for security teams. Simply patching the Sitecore vulnerability is not enough; organizations must also assume that they may have been compromised and actively hunt for signs of post-exploitation activity.

Security experts recommend several key actions:

  1. Hunt for the Tools: Security teams should be actively searching their networks for the presence of WEEPSTEEL, EARTHWORM, DWAGENT, and SHARPHOUND, as well as the specific command-line arguments and file paths identified in Mandiant’s research.

  2. Review Administrator Accounts: A thorough audit of all administrator accounts, both local and domain, is essential. Any suspicious or unauthorized accounts should be immediately disabled and investigated.

  3. Monitor Network Traffic: Security teams should look for unusual network tunneling activity or outbound connections to unfamiliar IP addresses, particularly from web servers.

  4. Analyze Log Data: A detailed review of web server logs, event logs, and Active Directory logs may reveal signs of compromise, such as repeated POST requests to /sitecore/blocked.aspx, unexpected account creations, or unusual RDP sessions.
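One way to start the log review in step 4, as an added example that is not part of Mandiant's research or of the original report: a small Python hunt over constructed IIS W3C log lines that counts POST requests to /sitecore/blocked.aspx per client address. The field layout, the sample addresses and the threshold of two hits are assumptions.

```python
"""Hunt for repeated POST requests to /sitecore/blocked.aspx in IIS W3C logs.

The sample below is constructed, not real traffic; the field names follow the
default IIS W3C layout announced by the #Fields: directive.
"""
from collections import Counter

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-referer sc-status sc-substatus sc-win32-status time-taken
2025-09-01 10:00:01 10.0.0.5 GET /sitecore/login - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 120
2025-09-01 10:00:05 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 340
2025-09-01 10:00:09 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 355
2025-09-01 10:01:12 10.0.0.5 GET /sitecore/content/Home - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 80
2025-09-01 10:01:30 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 310
2025-09-01 10:02:44 10.0.0.5 POST /sitecore/blocked.aspx - 443 - 203.0.113.10 Mozilla/5.0 - 200 0 0 362
"""

TARGET_PATH = "/sitecore/blocked.aspx"  # endpoint named in the report


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # field names follow the directive
            continue
        if not line or line.startswith("#") or fields is None:
            continue                       # comments, blanks, or lines before #Fields:
        values = line.split()
        if len(values) != len(fields):
            continue                       # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_blocked_aspx_posts(text, threshold=2):
    """Return {client_ip: count} for sources that POSTed to TARGET_PATH at least threshold times."""
    counts = Counter()
    for rec in parse_w3c(text):
        if rec["cs-method"].upper() == "POST" and rec["cs-uri-stem"].lower() == TARGET_PATH:
            counts[rec["c-ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in sorted(find_blocked_aspx_posts(SAMPLE_LOG).items()):
        print(f"{ip}: {n} POST requests to {TARGET_PATH}")
```

A hit is a triage lead, not proof: the report notes that this exfiltration traffic looks almost identical to legitimate Sitecore activity, so correlate any flagged address with the account and tool indicators above.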

The Human Element: A Disciplined Adversary

Beyond the technical details, the WEEPSTEEL campaign reveals a great deal about the human adversary behind the attack. The methodical progression, the careful selection of tools, and the disciplined approach to operational security all point to a professional and well-resourced group.

“This isn’t the work of amateurs,” concluded the Mandiant researcher. “This is a team that understands enterprise networks, modern security tools, and how to operate below the radar. They’re patient, they’re disciplined, and they’re very, very good at what they do.”

As organizations race to patch their Sitecore deployments, the true challenge will be in detecting and eradicating an adversary who has already established a deep and persistent foothold within their networks. The WEEPSTEEL campaign is a sobering reminder that in modern cybersecurity, the initial breach is often just the beginning of a much longer and more dangerous battle.
