Security Stuff

Hackers Exploited KnowledgeDeliver Zero-Day for Web Shell Deployment



Hackers exploited a zero-day vulnerability in KnowledgeDeliver, a learning management system widely used in Japan, to deploy web shells and Cobalt Strike backdoors. The flaw, tracked as CVE-2026-5426, stemmed from hardcoded encryption keys in Digital Knowledge deployments that allowed attackers to craft malicious payloads and compromise systems through ViewState deserialization attacks. Google's Mandiant says the threat actors used Godzilla web shells to modify access permissions and deliver fake security alerts before ultimately infecting systems with custom backdoors, and all KnowledgeDeliver deployments before February 24, 2026 are potentially at risk.

Security Stuff, by David