Apache ActiveMQ CVE-2023-46604 exploitation wave
Exploitation Wave
Summary
A heavy exploitation wave is targeting Apache ActiveMQ CVE-2023-46604, creating broad post-compromise risk for cloud Linux systems. Multiple threat actors are using the flaw to deploy payloads such as HelloKitty ransomware, Linux rootkits, GoTitan botnet malware, and Godzilla web shell. In some attacks, operators modify sshd to enable root login and use Sliver or Cloudflare Tunnels for covert control. Attackers have also been observed patching the exploited flaw after access, which helps them block rival exploitation and preserve persistence.
Related Happenings
UNC6485 Triofox CVE-2025-12480 exploitation campaign
Campaign
First: 10.11.2025 22:49
Last: 10.11.2025 22:49
Sources 1
About this happening:
The **UNC6485** campaign is actively exploiting **CVE-2025-12480** in **Gladinet Triofox**, turning a patched flaw into unauthorized access and post-exploitation footholds. The ac...
XWiki eval injection actively exploited remote code execution flaw (CVE-2025-24893)
Vulnerability
First: 29.10.2025 09:44
Last: 29.10.2025 09:44
Sources 1
About this happening:
The **XWiki** eval injection flaw **CVE-2025-24893** is being **actively exploited**, putting exposed servers at risk of **remote code execution** via **/bin/get/Main/SolrSearch**...
Jenkins server actively exploited security flaw (CVE-2024-23897)
Vulnerability
First: 16.10.2025 17:28
Last: 16.10.2025 17:28
Sources 1
About this happening:
In an **AWS-hosted environment**, **CVE-2024-23897** on an **exposed Jenkins server** was used as the initial foothold, creating an intrusion path that led to malware deployment o...
ShadowV2 cloud-native DDoS botnet activity
Malware Activity
First: 23.09.2025 23:35
Last: 23.09.2025 23:35
Sources 1
About this happening:
The **ShadowV2** **DDoS-for-hire botnet** is actively being used against websites, and its cloud-native design makes it harder to detect and disrupt. It targets **Internet-exposed...
ShadowV2 botnet malware activity against AWS Docker containers
Malware Activity
First: 23.09.2025 14:26
Last: 23.09.2025 14:26
Sources 1
About this happening:
**ShadowV2** is now being used as a **DDoS-for-hire botnet** that turns **misconfigured Docker containers on AWS** into attack nodes, increasing the risk of large-scale denial-of-...
Timeline
- 19.08.2025 20:37 · 1 article · 9mo ago
Apache ActiveMQ CVE-2023-46604 exploitation with DripDropper
Technical Analysis Update
Threat actors are exploiting CVE-2023-46604 in Apache ActiveMQ to gain persistent access to cloud Linux systems, modify sshd configurations to enable root login, and deploy the DripDropper downloader. The activity includes covert command and control through Sliver and Cloudflare Tunnels, attacker-controlled Dropbox communications, and a final step that downloads Apache Maven patches for CVE-2023-46604 after access is established, allowing the operators to block rival exploitation while preserving their own persistence.
Sources:
- Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems — thehackernews.com — 19.08.2025 20:37