From Live Exploitation to Zero-Day Discovery: Investigating Attacks on Gogs (Feb. 12th)
Thursday, February 12th, 2026: 2:00 PM to 3:00 PM ET
A single infected server led us into a much larger story. While investigating suspicious repositories on exposed Gogs Git servers, we uncovered signs of active exploitation: commands hidden inside repository configurations, payloads fetching remote shells, and infrastructure linked to a custom-packed Supershell C2. What at first looked like opportunistic abuse of a known bug turned out to be something more: an unpatched zero-day vulnerability, already being leveraged in the wild.
While an older RCE was known, the affected systems matched an as-yet-unknown exploit chain. This mismatch was the first clue that attackers were using a new vulnerability rather than simply reusing a patched one.
In this talk, we will retrace that investigation. Starting from live exploitation artifacts, we will show how we correlated repositories across multiple tenants, fingerprinted vulnerable internet-facing servers, and pieced together the attack chain.
Hosted by Black Hat