Kadimus
Bot User-Agent: kadimus
⚠️ Overview
Kadimus is an open-source web application vulnerability scanner and exploitation tool developed by an anonymous security researcher using the pseudonym “MrTux” and maintained on GitHub (https://github.com/Matir/Kadimus). Originally released in 2013, it is written in Python and designed to automate the detection and exploitation of common web vulnerabilities, specifically SQL injection, arbitrary file reading, local file inclusion (LFI), and cross-site scripting (XSS). The tool is often used by penetration testers but has been extensively repurposed by threat actors for unauthorized attacks, leading to its classification as a confirmed malicious bot.
🔧 Technical Capabilities
Kadimus performs automated scanning for over a dozen vulnerability classes, including blind and error-based SQL injection, time-based SQLi, LFI, FTP injection (via ftp:// URLs), arbitrary file disclosure, and command injection. It uses a plugin-based architecture with modules such as sqli, lfi, xss, cmdi, and dirbust to probe targets. The tool generates random User-Agent strings by default to evade simple signature-based detection, and it can perform recursive crawling of a target site to identify injectable parameters. Kadimus supports both GET and POST parameter fuzzing, cookie manipulation, and the use of custom payloads from the included payload database located in the plugins/payloads/ directory. It also features a “verbose” mode that logs every request and response, making it useful for both attackers and defenders in understanding attack patterns. The tool is capable of exploiting found vulnerabilities in a single command, such as reading arbitrary files from the server (e.g., /etc/passwd) or extracting database credentials via SQL injection.
📜 History & Notable Incidents
Kadimus was first publicly released on GitHub in 2013 and saw active development until 2016, after which it remained largely unmaintained but still functional. Notable incidents include its use in automated scans against WordPress and Joomla sites during the 2015-2017 period, where attackers leveraged its LFI module to read configuration files containing database credentials. Several vulnerabilities in target applications that have been assigned CVEs are directly exploitable by Kadimus payloads, such as CVE-2016-10017 (unauthenticated LFI in Magento) and CVE-2015-3306 (FTP injection attack on Exim mail servers), both of which Kadimus’s plugins can exploit. Although the tool is outdated, it remains widely distributed on underground forums and is still actively used in mass scanning campaigns due to its lightweight nature and efficiency.
🔍 Detection Indicators
Kadimus traffic exhibits several behavioral fingerprints. It sends rapid sequential requests with low inter-request delays (typically 0.5-2 seconds) and uses a variety of User-Agent strings that imitate common browsers such as Chrome and Firefox with slight variations (e.g., “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36” is frequently observed). A consistent indicator is the presence of URL parameters carrying payloads such as ?id=1 AND 1=1 or ?file=../../../../../etc/passwd. The tool also triggers frequent 404 responses when probing non-existent endpoints, and its requests often lack common browser headers such as Accept-Language. Security teams can detect Kadimus by monitoring for high volumes of requests containing common LFI and SQLi patterns combined with low inter-request times.
☠️ Risk & Impact
Successful exploitation by Kadimus can lead to complete server compromise: attackers can retrieve sensitive files (e.g., /etc/passwd, database connection strings, private SSH keys), extract entire database contents via SQL injection, and execute arbitrary commands on web servers. In many documented cases, Kadimus scans have resulted in data breaches affecting thousands of websites, with attackers exfiltrating credential hashes and personally identifiable information (PII). The tool’s ability to chain multiple vulnerabilities (e.g., LFI to read /proc/self/environ to obtain PHP session data) increases the risk of privilege escalation and lateral movement within an organization’s infrastructure.
🛡️ Mitigation
Kadimus is blocked immediately upon detection because its aggressive scanning pattern and payload-based requests almost guarantee malicious intent; it is not used in legitimate testing without prior authorization. Immediately blocking requests that contain its signature payload patterns (e.g., “../”, “1=1”, “UNION SELECT”) and strictly throttling request rates from unknown IPs effectively neutralize this threat.
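The detection indicators above (payload-bearing parameters, a fast request cadence, rotating browser-like User-Agents, clusters of 404s) and the blocking rule in the mitigation section can both be expressed as a small log analysis. The following is an added example written for this entry; it is not code from the Kadimus project or from the original page. It assumes Apache/nginx combined log format, uses constructed sample lines with documentation-range IP addresses, and the thresholds (median gap of at most 2 seconds, at least three payload hits) are assumptions derived from the page's description rather than vendor-published values.

```python
"""Flag Kadimus-style scanning in combined-format access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Payload signatures drawn from the patterns named on the page. They run over the
# URL-decoded request line so encoded variants (%2e%2e%2f) are caught as well.
PAYLOAD_SIGS = {
    "lfi": re.compile(r"(\.\./){2,}|/etc/passwd|/proc/self/environ", re.I),
    "sqli": re.compile(r"\b(and|or)\b\s+\d+\s*=\s*\d+|union\s+select|sleep\s*\(", re.I),
}

MAX_MEDIAN_GAP_S = 2.0  # assumed threshold: page cites 0.5-2 s between requests
MIN_PAYLOAD_HITS = 3    # assumed threshold: a few probes before an IP is flagged


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def classify_request(path):
    """Return the payload classes ('lfi', 'sqli') present in a request path."""
    decoded = unquote_plus(unquote_plus(path))  # two passes catch double-encoding
    return {name for name, rx in PAYLOAD_SIGS.items() if rx.search(decoded)}


def profile_clients(lines):
    """Group requests by client IP and summarise each client's scan-like behaviour."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    profiles = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        hits = [c for r in recs for c in classify_request(r["path"])]
        profiles[ip] = {
            "requests": len(recs),
            "payload_hits": len(hits),
            "payload_classes": sorted(set(hits)),
            "not_found": sum(1 for r in recs if r["status"] == 404),
            "median_gap_s": median(gaps) if gaps else None,
            "user_agents": sorted({r["ua"] for r in recs}),
        }
    return profiles


def flag_scanners(profiles):
    """IPs matching the page's fingerprint: repeated payloads plus a fast cadence."""
    return sorted(
        ip for ip, p in profiles.items()
        if p["payload_hits"] >= MIN_PAYLOAD_HITS
        and p["median_gap_s"] is not None
        and p["median_gap_s"] <= MAX_MEDIAN_GAP_S
    )


def should_block(path):
    """Per-request decision a WAF rule could make (the mitigation section's signature block)."""
    return bool(classify_request(path))


# Constructed sample log (not real traffic). 203.0.113.7 probes with LFI and SQLi
# payloads one second apart under two User-Agents; 198.51.100.2 is a normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:00 +0000] "GET /index.php?id=1+AND+1=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /index.php?file=../../../../../etc/passwd HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /admin/config.bak HTTP/1.1" 404 210 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /view.php?page=%2e%2e%2f%2e%2e%2f%2e%2e%2fproc%2fself%2fenviron HTTP/1.1" 200 300 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0"
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "GET /index.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0"
198.51.100.2 - - [10/Mar/2024:12:00:00 +0000] "GET /blog/2024/03/post HTTP/1.1" 200 8192 "https://example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15"
198.51.100.2 - - [10/Mar/2024:12:01:30 +0000] "GET /blog/2024/03/post?id=42 HTTP/1.1" 200 8192 "https://example.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.5 Safari/605.1.15"
"""

if __name__ == "__main__":
    profiles = profile_clients(SAMPLE_LOG.splitlines())
    for ip in flag_scanners(profiles):
        p = profiles[ip]
        print(f"{ip}: {p['payload_hits']} payload hits {p['payload_classes']}, "
              f"median gap {p['median_gap_s']}s, {p['not_found']} x 404, "
              f"{len(p['user_agents'])} distinct User-Agents")
```

Combining the payload match with the cadence check is what keeps the false-positive rate down: a single "../" in a legitimate URL does not flag a client, while a burst of decoded LFI and SQLi probes a second apart does. The `should_block` helper is the per-request counterpart for a WAF or reverse proxy; because it decodes before matching, the percent-encoded and double-encoded forms of the page's example payloads are treated the same as the plain ones.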
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the bots listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.