hunt-deserialization

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 1.00). These URLs point to attacker-controlled callback endpoints (COLLAB_HOST), exploit tool repositories and a direct downloadable executable JAR (ysoserial-all.jar) and an exploit kit (JNDI-Exploit-Kit) and are used with instructions to craft and execute deserialization/JNDI payloads — strong indicators of malicious activity and RCE malware distribution.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This document is an explicit offensive exploitation guide (ysoserial, phpggc, pickle, JNDI/Log4Shell, ViewState) that provides ready-made RCE/backdoor techniques, OOB exfiltration (COLLAB_HOST callbacks), and automated exploit tooling—clear malicious intent and high-risk backdoor/command-execution patterns.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill explicitly downloads and executes remote tooling at runtime (e.g., wget https://github.com/frohoff/ysoserial/releases/latest/download/ysoserial-all.jar which is run via java -jar, and git clone https://github.com/ambionics/phpggc and git clone https://github.com/pimps/JNDI-Exploit-Kit which are cloned and used to generate payloads), so those external URLs fetch code that is executed and are required for the skill’s operation.