
Multi-Stage Intrusion Using Vulnerable VPN Appliance and Custom Backdoor

ID: 61f67c55-5b89-423c-83bb-291e6f8ba4ba

STIX ID: report--61f67c55-5b89-423c-83bb-291e6f8ba4ba

Threat Score

75/100

Uploaded: 2026-04-13

Created by: Report Uploader

TLP:GREEN
A coordinated intrusion exploited a vulnerable internet-facing VPN appliance to gain initial access on 6 April 2026; the activity included suspicious requests to /api/v2/system/status and /remote/hostcheck_validate and an admin session from 146.70.44.201. The attackers harvested credentials, moved laterally to Windows servers, and deployed a custom backdoor, auditservice.exe (SHA256: 0f0c22d8f2b1d1fa93fb93063f8fd0d86549ee6bb73f42f25f4d7df72c0ea145), which creates the mutex Global\AuditTelemetrySingleton, persists as the "Audit Log Monitor" service, and connects to the C2 domain node-status-check.com. The environment remains at risk of further credential theft and disruption.
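The following is an added example of how a defender could sweep VPN access logs and Windows telemetry for the indicators listed in this report; it is not code from the report or its uploader. The indicator values come from the summary above; the log lines, the event dictionaries and their field names (`type`, `image`, `sha256`, `service_name`, `name`, `query`) are constructed for the example and are an assumption about how the telemetry has been normalised.

```python
from dataclasses import dataclass

# Indicators taken from the report summary on this page.
SUSPICIOUS_PATHS = ("/api/v2/system/status", "/remote/hostcheck_validate")
ADMIN_SOURCE_IP = "146.70.44.201"
BACKDOOR_NAME = "auditservice.exe"
BACKDOOR_SHA256 = "0f0c22d8f2b1d1fa93fb93063f8fd0d86549ee6bb73f42f25f4d7df72c0ea145"
MUTEX_NAME = r"Global\AuditTelemetrySingleton"
SERVICE_NAME = "Audit Log Monitor"
C2_DOMAIN = "node-status-check.com"


@dataclass
class Hit:
    source: str     # "vpn" or "host"
    indicator: str  # which report indicator matched
    record: str     # the raw line or event that matched


def scan_vpn_access_log(lines):
    """Flag requests to the two abused appliance endpoints and any request from the admin-session IP."""
    hits = []
    for line in lines:
        for path in SUSPICIOUS_PATHS:
            if path in line:
                hits.append(Hit("vpn", path, line))
        if ADMIN_SOURCE_IP in line:
            hits.append(Hit("vpn", ADMIN_SOURCE_IP, line))
    return hits


def scan_windows_events(events):
    """Match host telemetry against the backdoor's file name, hash, mutex, service name and C2 domain.

    The hash check catches a renamed copy of the backdoor; the DNS check also matches subdomains.
    """
    hits = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process_create":
            image = ev.get("image", "").lower()
            if image.endswith(BACKDOOR_NAME) or ev.get("sha256", "").lower() == BACKDOOR_SHA256:
                hits.append(Hit("host", BACKDOOR_NAME, str(ev)))
        elif kind == "service_install" and ev.get("service_name") == SERVICE_NAME:
            hits.append(Hit("host", SERVICE_NAME, str(ev)))
        elif kind == "mutex_create" and ev.get("name") == MUTEX_NAME:
            hits.append(Hit("host", MUTEX_NAME, str(ev)))
        elif kind == "dns_query":
            query = ev.get("query", "").lower().rstrip(".")
            if query == C2_DOMAIN or query.endswith("." + C2_DOMAIN):
                hits.append(Hit("host", C2_DOMAIN, str(ev)))
    return hits


def summarise(hits):
    """Count sightings per indicator so an analyst sees at a glance which stages of the intrusion are present."""
    counts = {}
    for hit in hits:
        counts[hit.indicator] = counts.get(hit.indicator, 0) + 1
    return counts


# Constructed sample VPN access-log lines (not real data).
SAMPLE_VPN_LOG = [
    '2026-04-06T02:11:09Z 203.0.113.7 "GET /remote/login HTTP/1.1" 200',
    '2026-04-06T02:14:32Z 146.70.44.201 "GET /api/v2/system/status HTTP/1.1" 200',
    '2026-04-06T02:14:40Z 146.70.44.201 "POST /remote/hostcheck_validate HTTP/1.1" 200',
    '2026-04-06T02:20:01Z 198.51.100.5 "GET /remote/login HTTP/1.1" 200',
]

# Constructed sample host events in an assumed normalised shape (not real data).
SAMPLE_EVENTS = [
    {"type": "process_create", "image": "C:\\Windows\\System32\\svchost.exe", "sha256": "0" * 64},
    {"type": "process_create", "image": "C:\\ProgramData\\auditservice.exe", "sha256": BACKDOOR_SHA256},
    {"type": "process_create", "image": "C:\\Users\\Public\\svc.exe", "sha256": BACKDOOR_SHA256},  # renamed copy
    {"type": "service_install", "service_name": "Audit Log Monitor", "image_path": "C:\\ProgramData\\auditservice.exe"},
    {"type": "mutex_create", "name": "Global\\AuditTelemetrySingleton"},
    {"type": "dns_query", "query": "node-status-check.com."},
    {"type": "dns_query", "query": "update.example.com"},
]

if __name__ == "__main__":
    all_hits = scan_vpn_access_log(SAMPLE_VPN_LOG) + scan_windows_events(SAMPLE_EVENTS)
    for hit in all_hits:
        print(f"[{hit.source}] {hit.indicator}: {hit.record}")
    print(summarise(all_hits))
```

Matching on the hash as well as the file name matters here: the report ties persistence to a named service and mutex, but a rebuilt or renamed binary would still carry the same SHA256 until the actor recompiles it, so the hash and the mutex/service names give independent detection paths for the same stage.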