Apache ActiveMQ CVE-2023-46604 exploitation wave
Exploitation Wave
Summary
Hide ▲
Show ▼
A heavy exploitation wave is targeting Apache ActiveMQ CVE-2023-46604, creating broad post-compromise risk for cloud Linux systems. Multiple threat actors are using the flaw to deploy payloads such as HelloKitty ransomware, Linux rootkits, GoTitan botnet malware, and Godzilla web shell. In some attacks, operators modify sshd to enable root login and use Sliver or Cloudflare Tunnels for covert control. Attackers have also been observed patching the exploited flaw after access, which helps them block rival exploitation and preserve persistence.
Related Happenings
Marimo CVE-2026-39987 exploitation wave
Exploitation Wave
H score51
First: 12.04.2026 17:20
Last: 12.04.2026 17:20
Sources 1
About this happening:
**Marimo** exploitation activity surged **within 12 hours of disclosure**, with **125 IP addresses** beginning reconnaissance against **CVE-2026-39987** and the **/terminal/ws** e...
Marimo CVE-2026-39987 exploitation wave
Exploitation WaveAbout this happening: **Marimo** exploitation activity surged **within 12 hours of disclosure**, with **125 IP addresses** beginning reconnaissance against **CVE-2026-39987** and the **/terminal/ws** e...
UNC6485 Triofox CVE-2025-12480 exploitation campaign
Campaign
H score40
First: 10.11.2025 22:49
Last: 10.11.2025 22:49
Sources 1
About this happening:
The **UNC6485** campaign is actively exploiting **CVE-2025-12480** in **Gladinet Triofox**, turning a patched flaw into unauthorized access and post-exploitation footholds. The ac...
UNC6485 Triofox CVE-2025-12480 exploitation campaign
CampaignAbout this happening: The **UNC6485** campaign is actively exploiting **CVE-2025-12480** in **Gladinet Triofox**, turning a patched flaw into unauthorized access and post-exploitation footholds. The ac...
XWiki eval injection actively exploited remote code execution flaw (CVE-2025-24893)
Vulnerability
H score56
First: 29.10.2025 09:44
Last: 29.10.2025 09:44
Sources 1
About this happening:
The **XWiki** eval injection flaw **CVE-2025-24893** is being **actively exploited**, putting exposed servers at risk of **remote code execution** via **/bin/get/Main/SolrSearch**...
XWiki eval injection actively exploited remote code execution flaw (CVE-2025-24893)
VulnerabilityAbout this happening: The **XWiki** eval injection flaw **CVE-2025-24893** is being **actively exploited**, putting exposed servers at risk of **remote code execution** via **/bin/get/Main/SolrSearch**...
Jenkins server actively exploited security flaw (CVE-2024-23897)
Vulnerability
H score0
First: 16.10.2025 17:28
Last: 16.10.2025 17:28
Sources 1
About this happening:
In an **AWS-hosted environment**, **CVE-2024-23897** on an **exposed Jenkins server** was used as the initial foothold, creating an intrusion path that led to malware deployment o...
Jenkins server actively exploited security flaw (CVE-2024-23897)
VulnerabilityAbout this happening: In an **AWS-hosted environment**, **CVE-2024-23897** on an **exposed Jenkins server** was used as the initial foothold, creating an intrusion path that led to malware deployment o...
ShadowV2 cloud-native DDoS botnet activity
Malware Activity
H score31
First: 23.09.2025 23:35
Last: 23.09.2025 23:35
Sources 1
About this happening:
The **ShadowV2** **DDoS-for-hire botnet** is actively being used against websites, and its cloud-native design makes it harder to detect and disrupt. It targets **Internet-exposed...
ShadowV2 cloud-native DDoS botnet activity
Malware ActivityAbout this happening: The **ShadowV2** **DDoS-for-hire botnet** is actively being used against websites, and its cloud-native design makes it harder to detect and disrupt. It targets **Internet-exposed...
Timeline
-
19.08.2025 20:37 1 articles · 10mo ago
Apache ActiveMQ CVE-2023-46604 exploitation with DripDropper
Technical Analysis UpdateThreat actors are exploiting CVE-2023-46604 in Apache ActiveMQ to gain persistent access to cloud Linux systems, modify sshd configurations to enable root login, and deploy the DripDropper downloader. The activity includes covert command and control through Sliver and Cloudflare Tunnels, attacker-controlled Dropbox communications, and a final step that downloads Apache Maven patches for CVE-2023-46604 after access is established, allowing the operators to block rival exploitation while preserving their own persistence.
Show sources
- Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems — thehackernews.com — 19.08.2025 20:37