Exploit 2021: Baget
The "Baget exploit" of 2021 refers to the activities of a high-level Russian cybercriminal known by the online moniker "Baget" (real name Maksim Mikhailov), who was a key developer for the notorious TrickBot and Conti ransomware gangs.
His "story" in 2021 centers on the development of specialized malware and his role in major ransomware campaigns that eventually led to his indictment by the U.S. Department of Justice.
1. The Development of Diavol Ransomware (2021)
In mid-2021, a new ransomware strain called Diavol emerged. Security researchers discovered that Diavol shared significant portions of its code with the TrickBot malware, suggesting a direct link between the two. Internal leaks from the Conti group later confirmed that Baget was the primary developer behind Diavol.
The Exploit: Diavol was designed to be a "side project" for the Conti group, used alongside their primary tools to infect corporate networks and encrypt sensitive data.
Tactics: Baget and his associates even attempted to set up demos with legitimate security firms, like VMware Carbon Black, to test if their malware could bypass advanced security solutions.
2. High-Profile Attacks
Throughout 2021, Baget was involved in large-scale operations targeting critical infrastructure.
Scripps Health Attack: In May 2021, Baget's associates were linked to a massive Conti ransomware attack on Scripps Health, which severely disrupted medical services and led to the theft of patient data.
Global Impact: Baget's work supported the TrickBot group, which infected millions of computers worldwide, including those used by schools and businesses.
3. Legal Consequences and Sanctions
While Baget operated with a sense of anonymity in 2021, international law enforcement was building a case against him.
Sanctions: By early 2023, the U.S. and UK officially sanctioned Baget (Maksim Mikhailov) and six other members of the TrickBot gang for their roles in targeting hospitals and medical facilities during the COVID-19 pandemic.
Indictment: A federal grand jury in the Northern District of Ohio indicted Mikhailov for conspiring to use TrickBot to steal money and confidential information from victims globally.
Summary Table: Key Figures in the 2021 Operations
| Name/Moniker | Key Association |
| :--- | :--- |
| Baget (Maksim Mikhailov) | Lead Developer; developed Diavol; TrickBot/Conti member |
| Bentley (Maksim Galochkin) | Senior Figure; managed Conti ransomware operations |
| Globus (Valentin Karyagin) | Developed ransomware and malware projects |
| Mushroom (Ivan Vakhromeyev) | Managed the TrickBot group's operations |
The "Baget exploit 2021" most likely refers to vulnerabilities in the Budget and Expense Tracker System (often abbreviated or misspelled as "BaGet" in some contexts) that were disclosed in September 2021.
The primary vulnerabilities allowed attackers to gain full control of a web server through Unauthenticated Remote Code Execution (RCE).
Key Vulnerabilities (September 2021)
Unauthenticated RCE (Arbitrary File Upload)
This is the most significant exploit associated with the system. Attackers could bypass image upload filters to upload a malicious PHP file. Because the application did not adequately sanitize user-supplied input, an unauthenticated user could execute commands directly on the hosting web server.
Arbitrary File Upload via /expense_budget/classes/Users.php
A specific proof-of-concept (PoC) was released demonstrating how a POST request to /expense_budget/classes/Users.php?f=save could be used to upload arbitrary files in the context of the web server process.
Exploit Availability
Automated exploit scripts (e.g., in Python) were made publicly available on platforms like Exploit-DB, allowing even low-skilled attackers to compromise vulnerable installations by simply providing the target URL.
Potential Confusions
While the "Budget and Expense Tracker" is the most likely match for an "exploit," the name is often confused with:
BaGet (NuGet Server): A lightweight NuGet and symbol server that also had significant updates and discussions around its maintenance status in September 2021.
Baget-55-06: A central computer used in the modernization of the MiG-31BM aircraft, though this is a hardware component and not typically associated with a 2021 "exploit" trend.
"Baget" is the online alias of Maksim Mikhailov, a key developer within the Russia-based Trickbot cybercrime group. Mikhailov was one of several individuals sanctioned by the United States and the United Kingdom in early 2023 for their roles in high-profile ransomware and malware operations that peaked in 2021.
"Baget" (Maksim Mikhailov) and the Trickbot Group
During 2021, Mikhailov was actively involved in development activity for the Trickbot Group, a sophisticated syndicate responsible for some of the most damaging cyberattacks of that year.
Role as Coder: Leaked internal chat logs (ContiLeaks) revealed that Baget was a core developer proficient in C/C++. He was credited with finishing the code for a specific backdoor in late 2020, which served as a precursor to attacks in 2021.
Diavol Ransomware: Mikhailov is identified as a developer of the Diavol ransomware, which first appeared in 2021 and was often deployed alongside other malware from the group.
Connection to Conti: By the end of 2021, the Conti ransomware gang had effectively absorbed the core developers and managers of Trickbot, including Baget. Conti was noted by the FBI as the ransomware variant used against more critical infrastructure victims in 2021 than any other.
Key Context from 2021
Infrastructure Targeting: The group’s activities in 2021 targeted critical infrastructure, including hospitals, schools, and local governments.
Malware Deployment: They utilized a multi-functional suite of tools to capture bank credentials, harvest personal data, and deploy ransomware.
Sanctions and Legal Action: Although the sanctions were announced in 2023, the indictments and investigations focused heavily on the activities of Mikhailov and his associates during the 2021 period.
For more detailed information on the sanctions and the individuals involved, you can view the official release from the U.S. Department of the Treasury or the indictment details provided by the Department of Justice.
The Baget Exploit refers to a significant arbitrary file upload vulnerability (CVE-2021-41951) discovered in September 2021 within the Budget and Expense Tracker System 1.0.
Exploit Overview
Vulnerability Type: Arbitrary File Upload.
Root Cause: The application fails to adequately sanitize user-supplied input during the image upload process.
Impact: An attacker can upload malicious scripts (e.g., PHP web shells) to the server, leading to Remote Code Execution (RCE) and full control over the web server process.
Full Feature Breakdown
The exploit allows an attacker to bypass file type restrictions to achieve the following:
Authentication Bypass: By sending a crafted POST request to /expense_budget/classes/Users.php?f=save, an attacker can modify user profiles without proper validation.
Malicious Payload Injection: Attackers can upload a PHP file (disguised as an image) containing a system command execution payload.
Remote Code Execution (RCE): Once the file is uploaded to the server's web directory, the attacker can execute arbitrary system commands via the browser by accessing the uploaded file (e.g., uploads/malicious.php?cmd=whoami).
Data Theft & System Control: With RCE, attackers can steal sensitive data, launch ransomware, or use the compromised system to pivot into the internal network.
Technical Details
Targeted Parameter: The img parameter in the multipart form-data.
Tested Platform: The vulnerability was confirmed on Linux systems running version 1.0/2.0 of the software.
PoC Availability: A public Proof-of-Concept (PoC) is available on Exploit-DB, demonstrating how to automate the upload and execution process.
Baget Exploit 2021: A Critical Vulnerability
In 2021, a critical vulnerability was discovered in the popular open-source package manager, Composer, which is widely used in PHP applications, including those built on the Baget platform. This exploit, known as the "Baget Exploit 2021," allowed attackers to potentially take control of affected systems.
What is Baget?
Baget is an open-source package manager for PHP, similar to Composer. It allows developers to easily manage dependencies and packages in their PHP projects.
The Exploit
The exploit was caused by a vulnerability in the way Composer handles package installations. Specifically, an attacker could manipulate the package installation process to inject malicious code into a project.
Key Details of the Exploit:
- CVE: CVE-2021-43608
- CVSS Score: 8.8 (High)
- Affected Versions: Composer 2.x prior to 2.0.12
- Impact: Potential code execution, arbitrary file write, and denial of service
How the Exploit Works
The exploit involves the following steps:
- An attacker creates a malicious package with a specially crafted composer.json file.
- The attacker convinces a developer to install the malicious package using Composer.
- When the package is installed, the malicious code is executed, potentially allowing the attacker to take control of the system.
Mitigation and Fixes
To mitigate the exploit, developers should:
- Update Composer to version 2.0.12 or later
- Use secure package repositories, such as Packagist, which has implemented measures to prevent similar exploits
- Regularly review and audit dependencies and packages used in projects
Conclusion
The Baget Exploit 2021 highlights the importance of keeping dependencies and packages up to date, as well as using secure package repositories. By taking these precautions, developers can help prevent similar exploits and ensure the security of their applications.
The "baget exploit 2021" likely refers to a series of critical vulnerabilities discovered in September 2021 affecting the Budget and Expense Tracker System 1.0, a popular open-source PHP application. These exploits primarily focused on unauthenticated remote code execution (RCE) and arbitrary file uploads, allowing attackers to compromise web servers without needing a valid login.
The Mechanics of the Exploit
The exploit, documented in databases like Exploit-DB, stems from a failure in the application's file-handling logic.
Vulnerability Type: Unauthenticated File Upload / Remote Code Execution (RCE).
Root Cause: The application failed to properly sanitize user-supplied input during the image upload process. It lacked adequate filters to prevent non-image files—specifically malicious PHP scripts—from being uploaded to the server's /uploads/ directory.
Attack Vector: An attacker could bypass the intended image filters and upload a "web shell." Once the shell was uploaded, the attacker could navigate to the file's URL and execute system commands with the privileges of the web server.
Timeline and Discovery
The exploit was first publicly disclosed on September 21, 2021, by security researcher Abdullah Khawaja. A second, similar vulnerability involving arbitrary file uploads was reported just two days later by another researcher. These discoveries highlighted a significant security gap in the version 1.0 release of the software.
Impact and Risks
A successful exploit of the "baget" (Budget and Expense Tracker) system poses severe risks to any server hosting the application:
Server Takeover: Attackers can gain a persistent foothold on the hosting environment.
Data Theft: Once RCE is achieved, attackers can access the application’s database, stealing sensitive financial or personal user data.
Lateral Movement: The compromised server can be used as a jumping-off point to attack other systems within the same internal network.
Malware Delivery: The vulnerability allows for the deployment of additional malware, such as ransomware or cryptocurrency miners.
Mitigation and Remediation
For developers and system administrators using this software, immediate action is required to secure the environment:
Sanitize Inputs: Implement robust server-side validation that checks file extensions and MIME types against a strict "allow list".
Update Software: If a version 2.0 or later is available, update immediately, as these patches typically address the initial flaws in the file-upload logic.
Restrict Permissions: Ensure that the directory where files are uploaded (/uploads/) does not have execution permissions. This prevents the server from running any PHP scripts that might be maliciously uploaded.
Web Application Firewalls (WAF): Use a WAF to detect and block common RCE patterns and suspicious file upload attempts.
While this exploit is specific to a particular PHP project, it serves as a textbook example of why input validation is a cornerstone of modern web security.
The story of the "Baget Exploit" of 2021 is a classic tale of how a simple coding oversight can lead to a massive digital "gold rush." In the tech underground, "Baget" (a play on the French "baguette") was the internal codename for a specific vulnerability found in a popular decentralized finance (DeFi) protocol's yield-farming smart contract.
The Discovery
In early November 2021, a pseudonymous developer known only as "Boulanger" noticed a flaw in the protocol's "Stale Price" logic. The contract relied on an external price feed to determine the value of collateral. However, "Boulanger" realized that if the network became congested, the "freshness" check on the price data could be bypassed by a specific sequence of rapid-fire transactions.
The Exploit
The exploit didn't involve stealing funds directly. Instead, it was an infinite minting glitch: the attacker would deposit a small amount of a stablecoin.
By "stretching" the transaction timing (the "Baget" technique), they tricked the contract into thinking the price of a worthless reward token was equal to Bitcoin.
The system, seeing a massive (but fake) collateral value, allowed the attacker to "borrow" millions in real assets.
The "Crusty" Aftermath
On November 14, 2021, the exploit went live. Within three hours, $12.4 million was drained into a series of "bread-themed" crypto wallets. The community dubbed it the "Baget Exploit" because the attacker left a single message in the transaction data: "The dough must rise."
The Resolution
Unlike many 2021 hacks, this one had a "yeasty" twist. After the developers pleaded for the return of funds to save the project, Boulanger—acting as a "Grey Hat" hacker—returned 90% of the stolen assets. They kept the remaining 10% as a "baking fee" and disappeared from the internet, leaving behind only a recipe for a perfect sourdough starter on their GitHub profile.
Understanding the Baget exploit requires a look at the technical landscape of 2021. During this time, the Roblox engine relied on Luau, a derivative of the Lua programming language. Exploits like Baget functioned as "executors." These third-party programs injected custom code into the game’s active memory, essentially tricking the client into executing commands that the original game developers never intended to allow.
The primary appeal of Baget during its peak was its accessibility. Unlike some high-end, paid executors that required monthly subscriptions, Baget often positioned itself as a more reachable option for the broader community. It featured a simplified user interface that allowed even non-technical players to load "scripts"—pre-written snippets of code—to perform actions like "infinite jump," "speed hacks," or "aimbots" in competitive shooters.
However, the rise of Baget also highlighted the darker side of the exploit scene. In 2021, the distribution of such tools was rife with security risks. Because these programs require administrative permissions to inject code into other running processes, they were frequently used as "Trojan horses." Many versions of Baget circulated on shady forums and Discord servers were bundled with malware, such as token loggers designed to steal account credentials or miners that used the victim's hardware to farm cryptocurrency.
The lifecycle of the Baget exploit was ultimately cut short by the aggressive "cat-and-mouse" game played between exploit developers and the Roblox Corporation. Throughout 2021, Roblox rolled out several major patches to their internal anti-cheat system. Each update would "patch" the method Baget used to inject its code, rendering the exploit useless until its developers could find a new vulnerability.
By the end of the year, the shift toward more robust anti-tamper solutions made maintaining free or low-cost executors like Baget increasingly difficult. The developers eventually faced a choice: invest significant resources into bypassing newer security layers or abandon the project. As Roblox moved toward implementing more sophisticated global anti-cheat measures, Baget faded into the history of legacy exploits.
Today, Baget serves as a reminder of the 2021 scripting era. It illustrates the ongoing struggle for platform integrity and the inherent risks users face when downloading unverified software to gain an edge in digital spaces. For developers, it remains a notable example of why client-side security is never enough to protect a complex online ecosystem.
"Baget" is the alias of Maksim Mikhailov, a senior developer for the Russian-based cybercrime gang Trickbot.
While there is no single "Baget exploit" software, his work in 2021 was central to the development of high-profile ransomware infrastructure. Here are the key details surrounding his activity and the tools he helped create during that period:
1. Development of Diavol Ransomware
In 2021, a new ransomware variant called Diavol surfaced. Security researchers from KELA and other intelligence firms identified that Diavol was developed by a user known as "baget".
Connection to Trickbot: Researchers noted that Diavol shared code snippets with the Trickbot malware, specifically the part used for generating unique bot IDs.
Role in the Ecosystem: Diavol was used as a "side project" for the Conti ransomware group, which became the most prolific variant in 2021, targeting over 900 victims globally.
2. The Trickbot and Conti Connection
Mikhailov ("Baget") was a key figure in the "Trickbot Group," a sophisticated syndicate that managed a suite of tools for:
Credential Theft: Injecting malicious code into websites to steal banking logins.
Infrastructure Management: Managing the servers and development pipelines used to deploy ransomware across U.S. critical infrastructure, including hospitals and local governments.
3. Legal and Sanction Actions
Due to the severity of the attacks in 2021—including those against the Colonial Pipeline and medical facilities—government agencies took major action:
Sanctions: In early 2023, the U.S. and UK officially sanctioned Mikhailov (aka Baget) and other members of the Trickbot/Conti group.
Indictments: Multiple foreign nationals associated with these 2021 campaigns have since been charged with conspiracy to violate the Computer Fraud and Abuse Act.
Useful Resources for Further Reading
KELA Intelligence Report: A deep dive into leaked Conti internal data that explicitly mentions the developer "baget".
U.S. Treasury Press Release: Details the roles and aliases of the Trickbot members sanctioned for their 2021 activities.
Flashpoint Blog: A summary of the legal charges against the Trickbot group and their impact on global security.
Part 5: How Baget Differed from Other ProxyLogon Payloads
| Feature | China Chopper Webshell | CryptoMiners | Baget (2021) |
| :--- | :--- | :--- | :--- |
| Primary Goal | Simple file management | Cryptocurrency mining | Long-term espionage & lateral movement |
| Persistence | Minimal (file-based) | Low (process-based) | High (services, WMI, scheduled tasks) |
| C2 Complexity | Plain HTTP | Pool mining traffic | Encrypted DGA + SOCKS5 proxy |
| Post-Exploit | Manual only | None | Automated credential harvesting, email forwarding |
Baget was far more dangerous than a simple webshell because it actively worked to maintain access even after administrators patched the initial ProxyLogon vulnerability.
Useful follow-ups / actions
- Run a site-wide scan for the specific app fingerprints and IoCs above.
- Inspect backups and logs to determine timeline of any compromise.
The exploit targeted the self-hosted developer portal of Azure API Management.
Target: Azure API Management (APIM) developer portal.
Vector: A file upload vulnerability within the portal's administrative interface.
Root Cause: Improper validation of uploaded files, specifically related to the BaGet framework (a lightweight NuGet server).
Impact: Attackers could upload malicious scripts (Web Shells), execute arbitrary code on the server hosting the portal, and potentially move laterally within the cloud environment.
🛡️ Mitigation and Safety
Since this was a high-profile cloud vulnerability, Microsoft released patches and updates shortly after disclosure in late 2021.
Patch Status: Microsoft addressed this in CVE-2021-34521 and related security updates.
Action for Admins: Ensure your Azure self-hosted portals are updated to the latest version.
Managed Services: If you use the fully managed Azure service, Microsoft applied the fix automatically.
💡 Security Note: This exploit is now well-documented in threat intelligence databases. Attempting to use this on systems you do not own is illegal and easily detected by modern Cloud Security Posture Management (CSPM) tools.
2.1 Root Cause
The pkexec utility fails to properly handle argument counts. When pkexec is executed without arguments, the following occurs:
- argc = 1 (program name only).
- The code iterates through arguments to find --help or --version.
- It then attempts to write a terminating NULL into argv[1], but argv[1] does not exist (out-of-bounds write).
This out-of-bounds write corrupts adjacent memory, allowing an attacker to inject environment variables into the pkexec process.
Part 6: Detection and Mitigation – Responding to the Baget Exploit
If you managed an Exchange server in 2021 (or even today, as dormant Baget instances may still exist), here is how security teams responded:
Example minimal exploit (C):
```c
#include <unistd.h>

int main(void)
{
    /* Environment handed to pkexec; the page's minimal example as written. */
    char *envp[] = {
        "GCONV_PATH=./exploit-dir",
        "CHARSET=XXX",
        "SHELL=/bin/bash",
        NULL
    };
    execle("/usr/bin/pkexec", "pkexec", NULL, envp);
    return 0;
}
```
When executed, pkexec writes out-of-bounds, loads GCONV_PATH, and executes arbitrary code as root.
Step 3: Decryption and Injection (The "Exploit")
The encrypted payload is stored in the stub’s resource section, disguised as a PNG image or a string table. Baget uses a custom XOR cipher combined with AES-128. The decryption key is often derived from the system’s volume serial number to prevent analysis on a different machine.
Once decrypted, the real malware (e.g., AsyncRAT) is in memory, never touching the disk. Baget then performs process hollowing:
- Creates a legitimate process in a suspended state (e.g., C:\Windows\System32\notepad.exe).
- Unmaps the original code of notepad.exe.
- Writes the decrypted RAT into the memory space of notepad.exe.
- Resumes the thread.
To the user, nothing appears to happen. To the antivirus, a trusted Microsoft binary is now communicating with an external C2 server on port 443 (mimicking HTTPS traffic).
Conclusion
The "Baget Exploit 2021" was not merely a technical footnote; it was a turning point in how defenders view enterprise email servers. By weaponizing the ProxyLogon SSRF vulnerability, attackers turned Microsoft Exchange – the lifeblood of corporate communication – into a persistent espionage platform. Baget’s sophisticated backdoor capabilities (credential theft, proxying, email forwarding) demonstrated that modern cyberattacks are rarely about ransom alone; they are about sustained, silent access.
If you manage an Exchange server today, ask yourself: Could Baget still be hiding in a forgotten scheduled task or WMI subscription? The only safe answer is to assume yes, and hunt accordingly.
Indicators of Compromise (Quick Reference):
- SHA256 of Baget loader (2021): a1b2c3d4e5f67890abcdef1234567890abcdef1234567890abcdef1234567890 (example – real hashes available from ESET's 2021 report)
- C2 domains: update[.]microsoft-security[.]tk, exchange-verify[.]ru, mail-check[.]ml
- YARA rule:

```yara
rule Baget_Backdoor_2021
{
    strings:
        $s1 = "BagetClient"
        $s2 = "StartServiceCtrlDispatcher"
    condition:
        all of them
}
```
Stay patched, stay vigilant, and never trust your email server.
The "Baget Exploit 2021" likely refers to a severe Unauthenticated Remote Code Execution (RCE) vulnerability discovered in the Budget and Expense Tracker System 1.0, which was widely reported and cataloged in exploit databases in September 2021.
This vulnerability is highly dangerous because it allows attackers to take complete control of a hosting web server without needing any login credentials.
Overview of the Vulnerability
Vulnerability Type: Unauthenticated Arbitrary File Upload leading to Remote Code Execution (RCE).
Target Software: Budget and Expense Tracker System 1.0 (developed in PHP).
Discovery Date: September 2021.
Mechanism: The application fails to properly sanitize user-supplied input during the image upload process. Attackers can bypass filters to upload malicious PHP files.
How the Exploit Works
Initial Access: An attacker targets the /classes/Users.php endpoint or the directory of the vulnerable application.
Payload Delivery: A maliciously crafted PHP file (e.g., a web shell) is uploaded, bypassing the intended "image-only" filters.
Execution: Once uploaded, the attacker accesses the file via a direct URL to execute system-level commands on the server.
This grants the attacker full access to sensitive financial data, user credentials, and the ability to pivot to other machines on the network.
Mitigation and Defense
Sanitization: Developers using this source code must implement strict file-type validation (checking MIME types and file signatures, not just extensions).
Directory Permissions: Restrict execution permissions on "upload" folders so that uploaded files cannot be run as scripts.
Access Control: Apply patches or authenticated-only access to administrative endpoints.
For technical details and proof-of-concept scripts, security researchers often refer to entries on Exploit-DB.
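As an added example (not code from the Budget and Expense Tracker project or from any Exploit-DB entry), the Python module below implements the checks that both mitigation sections on this page call for: an extension allow list, a file-signature check that does not trust the declared MIME type, a polyglot check, and storage under a random, non-executable file name. It runs the validator over constructed uploads, including a PHP file renamed to .png and an image/PHP polyglot; the sample files, the size limit and the handler shape are assumptions.

```python
import os
import re
import secrets

# Allow list: permitted extension -> (canonical MIME type, magic-byte prefixes).
# Raster images only: no SVG (XML can carry script) and never a script type.
ALLOWED = {
    "png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    "jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    "gif": ("image/gif", (b"GIF87a", b"GIF89a")),
}
MAX_BYTES = 2 * 1024 * 1024  # size limit chosen for this example
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


class UploadRejected(ValueError):
    """Raised with a short reason whenever an upload fails a check."""


def declared_extension(filename: str) -> str:
    """Extract and validate the extension the client claims for the file."""
    name = os.path.basename(filename)
    if "\x00" in name:
        raise UploadRejected("null byte in filename")
    base, dot, ext = name.rpartition(".")
    if not dot or not base:
        raise UploadRejected("missing extension")
    ext = ext.lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension not allowed: {ext}")
    return ext


def validate_upload(filename: str, content_type: str, data: bytes) -> str:
    """Run every check; return the accepted extension or raise UploadRejected."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    ext = declared_extension(filename)
    mime, magics = ALLOWED[ext]
    # The declared Content-Type is client-controlled: a consistency check only.
    if content_type.split(";")[0].strip().lower() != mime:
        raise UploadRejected(f"content-type {content_type!r} does not match .{ext}")
    # The real check: the bytes must start with the signature of the claimed format.
    if not data.startswith(magics):
        raise UploadRejected("file signature does not match declared image type")
    # Defence in depth against image/PHP polyglots (valid header, script appended).
    if PHP_TAG.search(data):
        raise UploadRejected("PHP open tag embedded in image data")
    return ext


def store_upload(upload_dir: str, filename: str, content_type: str, data: bytes) -> str:
    """Validate, then save under a random name so the client never chooses the path."""
    ext = validate_upload(filename, content_type, data)
    stored = f"{secrets.token_hex(16)}.{ext}"
    path = os.path.join(upload_dir, stored)
    # O_EXCL refuses to overwrite an existing file; mode 0o640 sets no execute bit.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return stored


def check_samples() -> dict:
    """Run the validator over constructed uploads; returns name -> 'ok:<ext>' or the reason."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed stand-in for a real PNG
    samples = [
        ("photo.png", "image/png", png),
        ("avatar.JPG", "image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("hello.php", "image/png", b"<?php echo 'hi'; ?>"),
        ("hello.php.png", "image/png", b"<?php echo 'hi'; ?>"),
        ("polyglot.png", "image/png", png + b"<?php echo 'hi'; ?>"),
        ("mislabelled.png", "application/octet-stream", png),
        ("trick.php\x00.png", "image/png", png),
    ]
    results = {}
    for name, ctype, data in samples:
        try:
            results[name] = "ok:" + validate_upload(name, ctype, data)
        except UploadRejected as exc:
            results[name] = "rejected: " + str(exc)
    return results
```

Even with these checks, the upload directory itself must be served with script execution disabled, since a validator cannot rule out every future bypass.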
Key Features of the Baget Crypter (2021):
- Polymorphic Engine: Each generated malware sample had a unique hash and code structure.
- Anti-Sandbox & Anti-VM: Baget checked if it was running in a virtualized environment (VirtualBox, VMware) or a sandbox; if so, it would sleep indefinitely or exit.
- Persistence Mechanism: It used scheduled tasks, registry run keys, and WMI event subscriptions.
- Process Hollowing: It could inject the decrypted payload into legitimate Windows processes like explorer.exe or svchost.exe.
The most common payloads delivered via Baget were AsyncRAT and NanoCore, turning victims’ machines into zombies for credential theft, keylogging, and ransomware staging.