Apache ActiveMQ CVE-2023-46604 Linux server intrusion campaign
Campaign
Summary
A Linux server intrusion campaign is abusing Apache ActiveMQ CVE-2023-46604 to gain access, run reconnaissance, and plant follow-on tooling on dozens of systems. The operators then use Sliver, Cloudflare Tunnels, and DripDropper to maintain hidden access and expand control. They also patch the exploited flaw on compromised hosts, which conceals the entry point and blocks other attackers from using it.
Related Happenings
UNC6485 Triofox CVE-2025-12480 exploitation campaign
Campaign
First: 10.11.2025 22:49
Last: 10.11.2025 22:49
Sources 1
About this happening:
The **UNC6485** campaign is actively exploiting **CVE-2025-12480** in **Gladinet Triofox**, turning a patched flaw into unauthorized access and post-exploitation footholds. The ac...
Timeline
- 19.08.2025 16:00 · 1 article
CVE-2023-46604 Linux campaign uses DripDropper and self-patching
Technical Analysis Update: A campaign against vulnerable Linux servers abused CVE-2023-46604 in Apache ActiveMQ for initial access, then ran reconnaissance on dozens of hosts, deployed Sliver or routed access through Cloudflare Tunnels on selected machines, installed the encrypted PyInstaller ELF loader DripDropper with Dropbox-based command-and-control, and finally replaced vulnerable Apache ActiveMQ components with patched JAR files to conceal the entry point and block rival exploitation.
Sources:
- 'DripDropper' Hackers Patch Their Own Exploit — www.darkreading.com — 19.08.2025 16:00