CyberHappenings logo
☰

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

DripDropper Malware Campaign Targeting Apache ActiveMQ Vulnerability

First reported
Last updated
πŸ“° 2 unique sources, 2 articles

Summary

Hide β–²

A threat actor is exploiting a nearly 2-year-old vulnerability in Apache ActiveMQ (CVE-2023-46604) to compromise Linux servers. The attacker installs malicious software and then patches the vulnerability to prevent other threat actors from exploiting it. The malware, dubbed DripDropper, communicates with a Dropbox account controlled by the attacker. The campaign involves reconnaissance, deployment of persistence mechanisms, and patching the exploited vulnerability to hide traces. The attack targets Linux servers running vulnerable versions of Apache ActiveMQ. The malware uses various tools, including the Sliver framework and Cloudflare Tunnels, to maintain access and control over compromised systems. The attacker's actions aim to secure their access while preventing detection by defenders. The campaign highlights the importance of timely patching and robust security practices to protect critical infrastructure. The vulnerability has also been exploited by multiple threat actors to deploy a wide range of payloads, including HelloKitty ransomware, Linux rootkits, GoTitan botnet malware, and Godzilla web shell.

Timeline

  1. 19.08.2025 16:00 πŸ“° 2 articles Β· ⏱ 28d ago

    DripDropper Malware Campaign Exploits Apache ActiveMQ Vulnerability

    The attacker patches the exploited vulnerability to prevent other threat actors from using it, ensuring their access remains secure. The malware generates additional files on compromised systems to maintain persistence and backchannel access. The attacker's tactics include using public platforms like Dropbox for command-and-control communications. The attack activity has been observed leveraging the access to modify existing sshd configurations to enable root login, granting them elevated access to drop the DripDropper downloader. The downloader serves as a conduit for two files, one of which facilitates a varied set of actions on different endpoints, ranging from process monitoring to contacting Dropbox for further instructions. Persistence of the dropped file is achieved by modifying the 0anacron file present in /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, /etc/cron.monthly directories. The second file dropped by DripDropper is designed to contact Dropbox for receiving commands, while also altering existing configuration files related to SSH, likely as a backup mechanism for persistent access. The attack campaign has been observed using the Apache Maven repository to download patches for CVE-2023-46604, effectively plugging the flaw.

    Show sources

Information Snippets

Similar Happenings

FileFix Attack Using Steganography to Deploy StealC Infostealer

A new FileFix social engineering campaign impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The attack uses steganography to hide malicious scripts and executables within a JPG image. The campaign targets various credentials, cryptocurrency wallets, and cloud services. The FileFix technique abuses the File Explorer address bar to execute PowerShell commands, bypassing traditional detection methods. The attack was discovered by Acronis and observed over a two-week period, with multiple variants using different payloads and domains. The StealC malware aims to steal sensitive information from infected devices, including browser credentials, messaging app data, and cryptocurrency wallets. The FileFix technique was created by red team researcher mr.d0x and has been previously used by the Interlock ransomware gang. The attack uses a multilingual phishing site to trick users into copying and pasting a malicious command into the File Explorer address bar. The campaign abuses Bitbucket repositories to host malicious components, leveraging trust in the platform to bypass detection. The FileFix campaign is the most widespread, customized, and sophisticated to date, targeting users in over 16 countries. The phishing site has been translated into at least 16 different languages. The attack chain involves a phishing email impersonating Facebook security, warning users of account suspension. The attack uses AI-generated images in the steganography process. The FileFix technique is more elegant and less suspicious than ClickFix, using File Explorer instead of the Run dialog. The FileFix attack offers a broader range of high-value targets due to its use of File Explorer. Security researcher Eliad Kimhy predicts an increase in FileFix attacks in the near future.

Supply Chain Attack Targeting npm Registry Compromises 40 Packages

A supply chain attack targeting the npm registry has compromised over 187 packages maintained by multiple developers. The attack uses a malicious script (bundle.js) to steal credentials from developer machines. The compromised packages include various npm modules used in different projects. The attack is capable of targeting both Windows and Linux systems. The malicious script scans for secrets using TruffleHog's credential scanner and transmits them to an external server controlled by the attackers. Developers are advised to audit their environments and rotate credentials if the affected packages are present.

UNC6040 and UNC6395 Target Salesforce Platforms in Data Theft Campaigns

The FBI has issued an alert about two cybercriminal groups, UNC6040 and UNC6395, targeting Salesforce platforms for data theft and extortion. UNC6395 exploited compromised OAuth tokens for the Salesloft Drift application, while UNC6040 used vishing campaigns and modified Salesforce tools to breach Salesforce instances. Both groups have been active since at least October 2024, impacting multiple organizations. UNC6040 has been linked to extortion activities, with Google attributing these to a separate cluster, UNC6240, which has claimed to be the ShinyHunters group. The ShinyHunters group, along with Scattered Spider and LAPSUS$, recently announced they are going dark, but experts warn that the threat persists. UNC6040 impersonated corporate IT support personnel to gain access to Salesforce environments and used modified versions of Salesforce's Data Loader to exfiltrate data. Salesforce re-enabled integrations with Salesloft technologies, except for the Drift app, which remains disabled.

Fourth Spyware Campaign Targeting French Apple Users in 2025

Apple has notified French users of a fourth spyware campaign in 2025. The Computer Emergency Response Team of France (CERT-FR) confirmed the alerts on September 3, 2025. The campaign targets individuals based on their status or function, including journalists, lawyers, activists, politicians, and senior officials. The alerts are part of a series of notifications sent throughout the year, with previous alerts on March 5, April 29, and June 25. These alerts indicate that at least one device linked to the users' iCloud accounts may have been compromised in highly-targeted attacks. The campaign follows a previous incident involving a security flaw in WhatsApp (CVE-2025-55177) and an Apple iOS bug (CVE-2025-43300), which were used in zero-click attacks. Apple has been sending these notifications since November 2021. Apple introduced Memory Integrity Enforcement (MIE) in the latest iPhone models to combat memory corruption vulnerabilities.

New HybridPetya Ransomware Exploits UEFI Secure Boot Bypass Vulnerability

A new ransomware variant, HybridPetya, has been discovered. It resembles the Petya/NotPetya malware but includes the ability to bypass UEFI Secure Boot using the CVE-2024-7344 vulnerability. HybridPetya encrypts the Master File Table (MFT) on NTFS-formatted partitions and can compromise modern UEFI-based systems. The ransomware operates through a bootkit and an installer, with the bootkit managing encryption and decryption processes. The ransomware has been observed in samples uploaded to VirusTotal in February 2025, with no evidence of active use in the wild. The vulnerability exploited by HybridPetya was patched in January 2025. The ransomware encrypts the MFT and displays a fake CHKDSK message to deceive victims. It demands a $1,000 ransom in Bitcoin, with a total of $183.32 received between February and May 2025. The ransom note provides an option for victims to enter a decryption key after payment, which triggers the decryption process. The bootkit also recovers legitimate bootloaders from backups created during installation. The ransomware triggers a system crash during bootloader changes, ensuring the bootkit binary is executed upon reboot. HybridPetya may be a research project, proof-of-concept, or early version of a cybercrime tool under limited testing. HybridPetya combines the destructive capabilities of NotPetya, the recoverable encryption functionality of Petya ransomware, and the ability to bypass Secure Boot protections. It can deploy malicious UEFI payloads directly to the EFI System Partition and encrypt the Master File Table (MFT). HybridPetya's ability to install harmful code directly into a computer's UEFI firmware makes it hard for security teams to detect. The emergence of HybridPetya highlights the growing threat from UEFI bootkits that reside at a computer's startup sequence level.