Black Hat Europe 2025 | From Live Exploitation to Zero-Day Discovery: Investigating Attacks on Gogs

A single infected server led us into a much larger story. While investigating suspicious repositories on exposed **** Git servers, we uncovered signs of active exploitation: commands hidden inside repository configurations, payloads fetching remote shells, and infrastructure linked to a custom-packed Supershell C2. What at first looked like an opportunistic abuse of a known bug turned out to be something more: an unpatched zero-day vulnerability, already being leveraged in the wild. While an older RCE was known, the affected systems matched a yet-unknown exploit chain. This mismatch was the first clue that attackers were using a new vulnerability, rather than simply reusing a patched one. In this talk, we will retrace that investigation. Starting from live exploitation artifacts, we will show how we correlated repositories across multiple tenants, fingerprinted vulnerable internet-facing servers, and pieced together the attack chain. Our scans revealed over 700 compromised **** instances worldwide, with dozens already updated yet still showing signs of compromise. The evidence demonstrated that attackers had a working exploit before disclosure. We will close with lessons learned for defenders. These include how to detect malicious repository abuse in developer platforms, techniques for hunting zero-days from threat intelligence leads, and what this case study means for the broader risk landscape of self-hosted developer tools. By: Gili Tikochinski | Malware Researcher, Wiz Yaara Shriki | Threat Researcher, Wiz https://blackhat.com/eu-25/briefings/...