GoKawiilHackers have been exploiting a critical vulnerability (CVE-2026-22679) in the Weaver E-cology office automation since mid-March to run discovery commands.
The attacks started five days after the software vendor released a security update to address the issue, and two weeks before disclosing it publicly.
Researchers at threat intelligence company Vega documented the malicious activity and reported that the attacks lasted roughly a week, each with several distinct phases.
Weaver E-cology is an enterprise office automation (OA) and collaboration platform used for workflows, document management, HR, and internal business processes. The product is primarily used by Chinese organizations.
CVE-2026-22679 is a critical unauthenticated remote code execution flaw affecting E-cology 10.0 builds prior to March 12.
The flaw is caused by an exposed debug API endpoint that improperly allows user-supplied parameters to reach backend Remote Procedure Call (RPC) functionality without authentication or input validation.
This lets attackers pass crafted values that are ultimately executed as system commands on the server, effectively turning the endpoint into a remote command execution interface.
According to Vega, the attackers first checked for remote code execution (RCE) capabilities by triggering ping commands from the Java process to a Goby-linked callback, and then proceeded to multiple PowerShell-based payload downloads. However, all these were blocked by endpoint defenses.
Next, they attempted to deploy a target-aware MSI installer (fanwei0324.msi), but this failed to execute properly, and no follow-up activity was observed.
After those failed attempts, the attackers reverted to the RCE endpoint, using obfuscated and fileless PowerShell to repeatedly fetch remote scripts.
... continue reading