DripDropper malware activity on cloud Linux systems
Malware Activity
Summary
The DripDropper malware was deployed on cloud Linux systems after attackers exploited Apache ActiveMQ CVE-2023-46604, creating a persistent foothold designed to evade detection. The malware used covert C2 channels, including Dropbox, Sliver, and Cloudflare Tunnels, to maintain long-term access. It also modified the sshd configuration and established cron-based persistence through 0anacron entries under /etc/cron.hourly. The activity reflects a post-exploitation toolset built for durable remote control rather than a one-time payload.
Related Happenings
ShadowV2 cloud-native DDoS botnet activity
Malware Activity
First: 23.09.2025 23:35
Last: 23.09.2025 23:35
Sources 1
About this happening:
The **ShadowV2** **DDoS-for-hire botnet** is actively being used against websites, and its cloud-native design makes it harder to detect and disrupt. It targets **Internet-exposed...
ShadowV2 botnet malware activity against AWS Docker containers
Malware Activity
First: 23.09.2025 14:26
Last: 23.09.2025 14:26
Sources 1
About this happening:
**ShadowV2** is now being used as a **DDoS-for-hire botnet** that turns **misconfigured Docker containers on AWS** into attack nodes, increasing the risk of large-scale denial-of-...
Timeline
- 19.08.2025 20:37 · 1 article
DripDropper activity on cloud Linux systems
Initial Disclosure: Researchers observed threat actors exploiting CVE-2023-46604 in Apache ActiveMQ to gain persistent access to cloud Linux systems, modify sshd to enable root login, deploy the password-protected DripDropper ELF downloader, and use Dropbox, Sliver, and Cloudflare Tunnels for covert command and control. The activity also included cron-based persistence through 0anacron under /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, and /etc/cron.monthly, and, once access was established, downloading Apache Maven patches for CVE-2023-46604 to block follow-on exploitation by others.
Sources:
- Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems — thehackernews.com — 19.08.2025 20:37
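The two host-level persistence artefacts the disclosure describes, 0anacron entries in the periodic cron directories and an sshd configuration that permits root login, can be checked directly on a live host or a mounted disk image. The script below is an added example written for this page, not code from the original report or from any referenced project; the function name audit_persistence and the ROOT argument are assumptions chosen so the check can run against a test tree as well as a real system.

```shell
#!/bin/sh
# Added audit helper (constructed for this page): reports 0anacron files in
# the four periodic cron directories and an sshd_config line that enables
# root login. ROOT (default "/") lets the same check run against a mounted
# image or a constructed test tree.

audit_persistence() {
    root="${1:-/}"
    findings=0

    for period in hourly daily weekly monthly; do
        f="$root/etc/cron.$period/0anacron"
        if [ -f "$f" ]; then
            # Many distributions ship a legitimate 0anacron in some of these
            # directories, so print the hash for comparison against the
            # package manager's record rather than treating the name as proof.
            if command -v sha256sum >/dev/null 2>&1; then
                sum=$(sha256sum "$f" | cut -d' ' -f1)
            else
                sum="n/a"
            fi
            echo "FOUND cron.$period/0anacron sha256=$sum"
            findings=$((findings + 1))
        fi
    done

    conf="$root/etc/ssh/sshd_config"
    # Only an uncommented PermitRootLogin yes is a finding; a commented
    # default line is normal in a stock sshd_config.
    if [ -f "$conf" ] && grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+yes' "$conf"; then
        echo "FOUND sshd_config permits root login"
        findings=$((findings + 1))
    fi

    echo "findings=$findings"
}

# Run directly with an optional root, e.g. ./audit.sh /mnt/image
if [ $# -gt 0 ]; then
    audit_persistence "$1"
fi
```

The hash output is the important part: a 0anacron file in /etc/cron.hourly is shipped by the anacron package on a number of distributions, so the actionable signal is a file whose hash does not match what the package manager installed (rpm -V or dpkg -V on the owning package), or a 0anacron present in a directory where the package put none. Drop-in files under /etc/ssh/sshd_config.d are not read by this check and should be reviewed the same way.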