Executive Summary
A cyber-espionage group, identified as UNC6485, is actively exploiting a critical vulnerability in Gladinet’s Triofox file-sharing platform. This campaign aims to gain initial network access, steal data, and establish long-term persistence. Attackers are bypassing authentication to create administrator accounts and deploy remote access tools. Organizations using Triofox are strongly advised to apply the latest security patches, audit administrative accounts, and monitor for suspicious activity.
Background on UNC6485
This campaign is part of a broader trend of attacks targeting file-sharing and remote access solutions. The threat actor UNC6485 has been exploiting CVE-2025-12480 as a zero-day since at least August 24, 2025. Their primary goal is to establish a persistent foothold in target networks for data exfiltration and other malicious activities.
UNC6485 demonstrates a deep understanding of the Triofox platform. They exploit the vulnerability to create their own administrative accounts and then use the platform’s built-in features to execute malicious code. This approach allows them to blend in with legitimate administrative activity, making their actions difficult to detect. Their reliance on commercially available remote access tools such as Zoho Assist and AnyDesk for post-exploitation reinforces the same strategy: using legitimate software rather than custom malware to evade security controls.
Vulnerability Details
- CVE-ID: CVE-2025-12480
- CVSS Score: 9.1
- EPSS Score: 0.03%
- Vulnerability Type: Improper Access Control
- Affected Software: Gladinet Triofox versions prior to 16.7.10368.56560
- Patched in: Triofox version 16.7.10368.56560 and later
- Root Cause: The vulnerability allows unauthenticated attackers to access the initial setup pages of the Triofox platform, even after the setup process has been completed.
Infection Method
The attack follows a clear sequence of events:
- Initial Access: The attacker identifies a vulnerable, unpatched Triofox server.
- Exploitation: A specially crafted HTTP request with the “Host” header set to “localhost” is sent to the target server. This bypasses access controls and grants access to the configuration page.
- Payload Delivery: From the configuration page, the attacker re-runs the initial setup process to create a new native administrative account, often named “Cluster Admin.” This new account is then used to upload malicious files. The attackers then leverage the built-in antivirus feature, configuring it to execute their malicious script with SYSTEM-level privileges.
- Command and Control: The executed payload often involves the installation of legitimate remote access tools like Zoho Assist and AnyDesk. These tools are used to establish a command and control channel for further actions.
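One defensive check for the exploitation pattern above, added here as an example and not part of the original advisory: it scans IIS W3C log lines for requests whose Host header is "localhost" but whose client address is not a loopback address, which is how a remote attempt at the Host-header bypass would appear in web server logs. The log lines are constructed, the field list assumes the cs-host field was enabled in IIS logging, and the URL stem is a placeholder because the advisory does not name the Triofox setup pages.

```python
import ipaddress

# Constructed IIS W3C-format log lines (not real Triofox data). The "#Fields:"
# line assumes the site's logging was configured to include cs-host; adjust it
# to match the field order your server actually writes. The /PLACEHOLDER-setup
# stem stands in for the Triofox setup pages, which the advisory does not name.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-host sc-status
2025-08-24 03:12:51 203.0.113.45 GET /portal/loginpage.aspx triofox.example.test 200
2025-08-24 03:13:02 203.0.113.45 GET /PLACEHOLDER-setup localhost 200
2025-08-24 03:13:05 203.0.113.45 POST /PLACEHOLDER-setup localhost:80 302
2025-08-24 03:20:17 127.0.0.1 GET /health localhost 200
2025-08-24 03:25:40 198.51.100.7 GET /portal/loginpage.aspx triofox.example.test 200
"""

def parse_w3c(text):
    """Yield one dict per log row, keyed by the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        elif fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1; False for anything unparseable."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False

def find_spoofed_localhost(text):
    """Return rows where Host is 'localhost' (port stripped) but the client
    IP is not loopback. A genuine local request comes from 127.0.0.1 or ::1;
    a remote client presenting Host: localhost matches the CVE-2025-12480
    exploitation pattern and warrants investigation."""
    hits = []
    for row in parse_w3c(text):
        host = row.get("cs-host", "").lower().split(":")[0]
        if host == "localhost" and not is_loopback(row.get("c-ip", "")):
            hits.append(row)
    return hits

if __name__ == "__main__":
    for r in find_spoofed_localhost(SAMPLE_LOG):
        print(f"ALERT {r['date']} {r['time']} {r['c-ip']} {r['cs-method']} "
              f"{r['cs-uri-stem']} host={r['cs-host']}")
```

Run the same check against the real log directory after confirming cs-host is enabled; any hit from a non-loopback address should be correlated with newly created Triofox administrator accounts and antivirus-engine configuration changes around the same timestamp.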
Threat Actor Capabilities
The primary goal of the initial intrusion is to establish a persistent and covert channel into the compromised network. The observed capabilities include:
- Remote Access and Control: Using tools like Zoho Assist, attackers can execute commands, enumerate active SMB sessions, and gather information on local and domain users.
- Privilege Escalation: Attackers have been observed attempting to change passwords for existing accounts and add them to local and domain administrator groups.
- Data Exfiltration and Further Intrusion: By establishing a foothold, the attackers are positioned to exfiltrate sensitive data and move laterally within the network. To evade detection, they have been seen using tools like Plink and PuTTY to create encrypted tunnels to their command-and-control servers.
Techniques Used
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Initial Access | T1190 | Exploit Public-Facing Application |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Persistence | T1136.001 | Create Account: Local Account |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation |
| Defense Evasion | T1070.004 | Indicator Removal on Host: File Deletion |
| Discovery | T1087.001 | Account Discovery: Local Account |
| Command and Control | T1090.002 | Proxy: External Proxy |
Visual Attack Flow
[Vulnerable Triofox Server Identified] -> [CVE-2025-12480 Exploited via HTTP Host Header Attack] -> [Unauthorized Access to Configuration Page] -> [New “Cluster Admin” Account Created] -> [Malicious Script Uploaded via Antivirus Feature] -> [Script Executed with SYSTEM Privileges] -> [Remote Access Tools (Zoho Assist, AnyDesk) Installed] -> [C2 Channel Established for Post-Exploitation Activities]
Indicators of Compromise (IoC)
- File Names: Malicious batch scripts or executables uploaded via the antivirus feature. Specific filenames have not been publicly disclosed.
- Associated Malware: Legitimate remote access tools such as Zoho Assist and AnyDesk are used for post-exploitation. The use of Plink and PuTTY for creating encrypted tunnels has also been noted.
Threat Actor Attribution
The campaign exploiting CVE-2025-12480 has been attributed to the threat cluster UNC6485, tracked by Mandiant. Currently, UNC6485 is the primary group known to be actively exploiting this vulnerability. Their tactics, techniques, and procedures (TTPs) indicate a focused and skilled adversary capable of discovering and exploiting zero-day vulnerabilities.
Mitigation Steps
- Patch Management: Immediately upgrade all Gladinet Triofox instances to version 16.7.10368.56560 or the latest available release to patch CVE-2025-12480.
- Audit Administrative Accounts: Regularly review and audit all administrative accounts on Triofox servers. Investigate and remove any unauthorized or suspicious accounts.
- Antivirus Configuration Review: Verify that the antivirus engine within Triofox is not configured to execute any unauthorized scripts or binaries.
- Network Monitoring: Monitor for anomalous outbound traffic, especially connections to known command-and-control servers or the use of unexpected remote access tools.
- Endpoint Security: Deploy and maintain up-to-date Endpoint Detection and Response (EDR) solutions to detect and respond to suspicious activities on servers running Triofox.
- Access Control: Implement strict access controls and firewall rules to limit exposure of management interfaces to the internet.
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated patch management solution that instantly fixes risks exploited in the wild. It supports major operating systems such as Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here
