Bleed You campaign exploits Windows IKE RCE to deploy ransomware

Suspected Chinese hackers are trying to take advantage of a known remote code execution vulnerability in Windows Internet Key Exchange (IKE) Protocol Extensions to deploy malware or carry out ransomware attacks.

The vulnerability in question (CVE-2022-34721) affects Windows OS, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 7, Windows 8.1, Windows 10, and Windows 11.

The new campaign, dubbed “Bleed You” by Cyfirma researchers, is aimed at organizations in retail, industrial conglomerates, government, financial services, IT services, and e-commerce industries in the US, the UK, Australia, Canada, France, Germany, Turkey, Japan, India, UAE, and Israel.

Since September 2022, the threat actors have been targeting weak or vulnerable Windows OS, Windows Servers, Windows protocols, and services.

According to Cyfirma, the hackers’ goal is to steal sensitive information from victims for financial gain, obtain elevated access, and cause operational disruption. The researchers also found a possible connection between the threat actor behind the Bleed You campaign and Russian cybercriminals, and observed that a link to the exploit is being shared on underground forums.

“Attackers are actively exploiting vulnerable Windows Server machines via the IKE and AuthIP IPsec Keying Modules by exporting this bug,” the company said.

Given that Cyfirma discovered over 1,000 systems exposed to the issue, users are strongly advised to apply patches and fixes as soon as possible to reduce the risk of exploitation of the flaw.
