CyberHappenings logo
☰

DripDropper Malware Campaign Exploits and Patches CVE-2023-46604 in Apache ActiveMQ

First reported
Last updated
πŸ“° 2 unique sources, 2 articles

Summary

Hide β–²

A threat actor, dubbed DripDropper, exploited a nearly 2-year-old vulnerability (CVE-2023-46604) in Apache ActiveMQ to compromise Linux servers. The attacker then patched the same vulnerability to prevent other threat actors from exploiting it. The campaign involved deploying a new malware loader, DripDropper, which communicates with an attacker-controlled Dropbox account. The attackers used various tools, including the Sliver framework and Cloudflare Tunnels, to maintain persistent access to compromised systems. The attackers modified existing sshd configurations to enable root login, granting them elevated access. The DripDropper malware is a PyInstaller ELF binary that requires a password to run, resisting analysis. The campaign highlights the importance of timely patching and robust security practices. The attackers targeted Linux servers running vulnerable versions of Apache ActiveMQ. They used the vulnerability to gain initial access, perform reconnaissance, and deploy malware. The campaign was discovered by Red Canary while monitoring cloud-based Linux environments. The attackers' tactics included patching the exploited vulnerability to prevent other threat actors from using the same flaw and to avoid detection by automated scans.

Timeline

  1. 19.08.2025 16:00 πŸ“° 2 articles

    DripDropper Campaign Exploits and Patches CVE-2023-46604 in Apache ActiveMQ

    A threat actor, dubbed DripDropper, exploited a nearly 2-year-old vulnerability (CVE-2023-46604) in Apache ActiveMQ to compromise Linux servers. The attacker then patched the same vulnerability to prevent other threat actors from exploiting it. The campaign involved deploying a new malware loader, DripDropper, which communicates with an attacker-controlled Dropbox account. The attackers used various tools, including the Sliver framework and Cloudflare Tunnels, to maintain persistent access to compromised systems. The attackers modified existing sshd configurations to enable root login, granting them elevated access. The DripDropper malware is a PyInstaller ELF binary that requires a password to run, resisting analysis. The campaign highlights the importance of timely patching and robust security practices. The campaign was discovered by Red Canary while monitoring cloud-based Linux environments. The attackers' tactics included patching the exploited vulnerability to prevent other threat actors from using the same flaw and to avoid detection by automated scans. The campaign offers a timely reminder for why organizations need to apply patches in a timely fashion, limit access to internal services by configuring ingress rules to trusted IP addresses or VPNs, and monitor logging for cloud environments to flag anomalous activity.

    Show sources

Information Snippets

Similar Happenings

HybridPetya Ransomware Bypasses UEFI Secure Boot via CVE-2024-7344

A new ransomware strain, HybridPetya, has been discovered. It resembles the Petya/NotPetya malware and can bypass UEFI Secure Boot using the CVE-2024-7344 vulnerability. HybridPetya encrypts the Master File Table (MFT) on NTFS-formatted partitions and installs a malicious EFI application on the EFI System Partition. The ransomware has two main components: a bootkit and an installer. The bootkit handles encryption and decryption processes, displaying fake CHKDSK messages to deceive victims. The ransom note demands $1,000 in Bitcoin, with a wallet receiving $183.32 between February and May 2025. HybridPetya exploits a remote code execution vulnerability in the Howyar Reloader UEFI application, allowing it to bypass Secure Boot. The variant uses a specially crafted file named 'cloak.dat' to load the bootkit binary. Microsoft revoked the vulnerable binary in January 2025. ESET's telemetry data indicates no evidence of HybridPetya being used in the wild, suggesting it may be a proof-of-concept (PoC). The ransomware incorporates characteristics from both Petya and NotPetya, including the visual style and attack chain. It drops several files into the EFI System Partition, including configuration, validation, and encryption progress tracking files. The ransom note provides a 32-character key for decryption and system restoration upon payment. Indicators of compromise for HybridPetya are available on a GitHub repository. Microsoft fixed CVE-2024-7344 with the January 2025 Patch Tuesday updates.

CVE-2025-5086 in DELMIA Apriso Exploited in the Wild

A critical deserialization vulnerability (CVE-2025-5086) in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software is being actively exploited. The flaw, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. The vulnerability allows for remote code execution, and exploitation attempts have been observed originating from an IP address in Mexico. The attacks involve sending a malicious HTTP request with a Base64-encoded payload. The payload decodes to a Windows executable identified as "Trojan.MSIL.Zapchast.gen," a spyware capable of capturing user activities and sending collected information to attackers. DELMIA Apriso is used in production processes for digitalizing and monitoring, including scheduling production, quality management, resource allocation, warehouse management, and integration between production equipment and business applications. The flaw impacts critical industries such as automotive, aerospace, electronics, high-tech, and industrial machinery. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog and is advising federal agencies to apply necessary updates by October 2, 2025.

Akira Ransomware Exploits SonicWall SSL VPN Flaws and Misconfigurations

The Akira ransomware group has been actively exploiting vulnerabilities and misconfigurations in SonicWall SSL VPN devices to gain initial access to networks. This campaign has seen increased activity since late July 2025, targeting organizations globally, including those in Australia. The attacks leverage a year-old flaw (CVE-2024-40766) and misconfigured LDAP settings to bypass access controls and facilitate ransomware deployment. The threat actors use a combination of brute-forcing credentials, exploiting default configurations, and leveraging the Virtual Office Portal to configure multi-factor authentication (MFA) with valid accounts. These tactics allow them to bypass security measures and gain unauthorized access to networks. SonicWall has confirmed that recent SSLVPN activity is related to CVE-2024-40766, not a zero-day vulnerability. The affected firewall versions include specific models of Gen 5, Gen 6, and Gen 7 devices. Organizations are advised to update to firmware version 7.3.0 or later, rotate passwords, enforce MFA, mitigate the SSLVPN Default Groups risk, and restrict Virtual Office Portal access to trusted/internal networks to mitigate risks.

Axios Abuse and Salty 2FA Kits in Microsoft 365 Phishing Campaigns

Threat actors are leveraging HTTP client tools like Axios and Microsoft's Direct Send feature to execute advanced phishing campaigns targeting Microsoft 365 environments. These campaigns have demonstrated a 70% success rate, bypassing traditional security defenses and exploiting authentication workflows. The attacks began in July 2025 and have targeted executives and managers in various sectors, including finance, healthcare, and manufacturing. The phishing campaigns use compensation-themed lures to trick recipients into opening malicious PDFs containing QR codes that direct users to fake login pages. Additionally, a phishing-as-a-service (PhaaS) offering called Salty 2FA is being used to steal Microsoft login credentials and bypass multi-factor authentication (MFA). The Salty2FA kit includes advanced features such as subdomain rotation, dynamic corporate branding, and sophisticated evasion tactics to enhance its effectiveness and evade detection. Salty2FA activity began gaining momentum in June 2025, with early traces possibly dating back to March–April 2025. The campaigns have been active since late July 2025 and continue to this day, generating dozens of fresh analysis sessions daily. Salty2FA targets industries including finance, energy, telecom, healthcare, government, logistics, IT consulting, education, construction, chemicals, industrial manufacturing, real estate, consulting, metallurgy, and more.

TOR-based Cryptojacking Campaign Targets Misconfigured Docker APIs

A new variant of a TOR-based cryptojacking campaign targets misconfigured Docker APIs to propagate malware. The attack chain involves exploiting exposed Docker instances to deploy XMRig miners and reconnaissance tools. The malware also scans for additional ports and attempts to propagate via Telnet and Chromium remote debugging ports. The campaign may be setting up a complex botnet. The attack leverages Base64-encoded payloads and TOR domains for anonymity. It includes a dropper written in Go that parses user login information and uses Masscan for further propagation. The malware's source code includes an emoji, suggesting it may have been crafted using a large language model (LLM). The attackers mount the host root to the fresh container, allowing them to manipulate the host system and escape the container. The attackers modify the SSH configuration of the host system to elevate privileges and provide backdoor access. The attackers create a cron job that executes every minute to block access to the Docker API’s port 2375, denying other attackers future access to the exposed instance. The threat actors deploy tools to perform mass scans for other open 2375 ports, which are used for malware propagation through the creation of new containers using the identified exposed APIs. The malware installs curl and tor, launches a Tor daemon, and waits for confirmation of the connection by accessing Amazon's checkip.amazonaws.com service over a SOCKS5 proxy. The malware appends an attacker-controlled public key to /root/.ssh/authorized_keys on the mounted host filesystem to enable persistent SSH access. The malware writes a base64-encoded cron job on the host, which executes every minute and blocks external access to port 2375 using available firewall utilities. The malware downloads a Zstandard-compressed Go binary over Tor, decompresses it, and runs it as a dropper. The Go binary parses the host’s utmp file to identify logged-in users. The malware attempts to infect other exposed Docker APIs and removes competitor containers after gaining access. The malware includes inactive logic for exploiting Telnet (port 23) using default router credentials and for interacting with Chrome’s remote debugging interface (port 9222). The malware's behavior suggests it is an initial version of a complex botnet with capabilities for lateral movement, persistence, and potential future expansion for credential theft and browser hijacking. The campaign highlights the importance of securing Docker APIs and segmenting networks to prevent such attacks.