DripDropper Malware Campaign Targets Linux Servers via Apache ActiveMQ Vulnerability
Summary
Hide ▲
Show ▼
A threat actor, dubbed DripDropper, is exploiting a nearly 2-year-old vulnerability in Apache ActiveMQ to compromise Linux servers. The attacker installs malicious software and then patches the same vulnerability to prevent other threat actors from exploiting it. The campaign involves deploying a new malware loader that communicates with an attacker-controlled Dropbox account. The attackers use various tools and techniques to maintain persistence and control over compromised systems. The campaign targets Linux servers vulnerable to CVE-2023-46604, a remote code execution bug in Apache ActiveMQ. The attackers use this vulnerability to gain initial access and run reconnaissance commands. They then select specific servers for follow-up activity, deploying tools like the Sliver framework and Cloudflare Tunnels for ongoing access. The DripDropper loader communicates with a Dropbox account using a hardcoded token, ensuring persistence and control over compromised systems. The attackers also patch the vulnerability to prevent other threat actors from exploiting it, reducing the likelihood of detection. The DripDropper malware modifies existing sshd configurations to enable root login, granting elevated access and alters existing configuration files related to SSH as a backup mechanism for persistent access. The attackers download patches for CVE-2023-46604 from Apache Maven to plug the vulnerability, ensuring they maintain access.
Timeline
-
19.08.2025 16:00 2 articles · 1mo ago
DripDropper Campaign Exploits Apache ActiveMQ Vulnerability to Target Linux Servers
The DripDropper malware modifies existing sshd configurations to enable root login, granting elevated access. The DripDropper downloader communicates with an attacker-controlled Dropbox account, using legitimate services to blend in with regular network activity and sidestep detection. The DripDropper loader is a PyInstaller Executable and Linkable Format (ELF) binary that requires a password to run, resisting analysis. The DripDropper downloader serves as a conduit for two files, one facilitating varied actions on different endpoints and the other contacting Dropbox for further instructions. The malware modifies cron job files in /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, /etc/cron.monthly directories to achieve persistence. The DripDropper malware alters existing configuration files related to SSH as a backup mechanism for persistent access. The attackers download patches for CVE-2023-46604 from Apache Maven to plug the vulnerability, ensuring they maintain access.
Show sources
- 'DripDropper' Hackers Patch Their Own Exploit — www.darkreading.com — 19.08.2025 16:00
- Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems — thehackernews.com — 19.08.2025 20:37
Information Snippets
-
The DripDropper campaign exploits CVE-2023-46604, a remote code execution bug in Apache ActiveMQ, to compromise Linux servers.
First reported: 19.08.2025 16:002 sources, 2 articlesShow sources
- 'DripDropper' Hackers Patch Their Own Exploit — www.darkreading.com — 19.08.2025 16:00
- Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems — thehackernews.com — 19.08.2025 20:37
-
The attackers use various tools, including the Sliver framework and Cloudflare Tunnels, to maintain persistence and control over compromised systems.
First reported: 19.08.2025 16:002 sources, 2 articlesShow sources
- 'DripDropper' Hackers Patch Their Own Exploit — www.darkreading.com — 19.08.2025 16:00
- Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems — thehackernews.com — 19.08.2025 20:37
-
The DripDropper loader is an encrypted PyInstaller ELF binary that communicates with an attacker-controlled Dropbox account using a hardcoded token.
First reported: 19.08.2025 16:002 sources, 2 articlesShow sources
- 'DripDropper' Hackers Patch Their Own Exploit — www.darkreading.com — 19.08.2025 16:00
- Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems — thehackernews.com — 19.08.2025 20:37
-
The attackers patch the exploited vulnerability to prevent other threat actors from exploiting it, reducing the likelihood of detection.
First reported: 19.08.2025 16:002 sources, 2 articlesShow sources
- 'DripDropper' Hackers Patch Their Own Exploit — www.darkreading.com — 19.08.2025 16:00
- Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems — thehackernews.com — 19.08.2025 20:37
-
The campaign involves deploying persistence mechanisms and adjusting SSH-related settings to maintain access to compromised systems.
First reported: 19.08.2025 16:002 sources, 2 articlesShow sources
- 'DripDropper' Hackers Patch Their Own Exploit — www.darkreading.com — 19.08.2025 16:00
- Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems — thehackernews.com — 19.08.2025 20:37
-
The attackers use public platforms like Discord, Telegram, and Dropbox for command-and-control communications, a technique used by various adversaries and malware families.
First reported: 19.08.2025 16:001 source, 1 articleShow sources
- 'DripDropper' Hackers Patch Their Own Exploit — www.darkreading.com — 19.08.2025 16:00
-
The DripDropper malware modifies existing sshd configurations to enable root login, granting elevated access.
First reported: 19.08.2025 20:371 source, 1 articleShow sources
- Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems — thehackernews.com — 19.08.2025 20:37
-
The DripDropper downloader communicates with an attacker-controlled Dropbox account, using legitimate services to blend in with regular network activity and sidestep detection.
First reported: 19.08.2025 20:371 source, 1 articleShow sources
- Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems — thehackernews.com — 19.08.2025 20:37
-
The DripDropper loader is a PyInstaller Executable and Linkable Format (ELF) binary that requires a password to run, resisting analysis.
First reported: 19.08.2025 20:371 source, 1 articleShow sources
- Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems — thehackernews.com — 19.08.2025 20:37
-
The DripDropper downloader serves as a conduit for two files, one facilitating varied actions on different endpoints and the other contacting Dropbox for further instructions.
First reported: 19.08.2025 20:371 source, 1 articleShow sources
- Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems — thehackernews.com — 19.08.2025 20:37
-
The DripDropper malware modifies cron job files in /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly, /etc/cron.monthly directories to achieve persistence.
First reported: 19.08.2025 20:371 source, 1 articleShow sources
- Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems — thehackernews.com — 19.08.2025 20:37
-
The DripDropper malware alters existing configuration files related to SSH as a backup mechanism for persistent access.
First reported: 19.08.2025 20:371 source, 1 articleShow sources
- Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems — thehackernews.com — 19.08.2025 20:37
-
The attackers download patches for CVE-2023-46604 from Apache Maven to plug the vulnerability, ensuring they maintain access.
First reported: 19.08.2025 20:371 source, 1 articleShow sources
- Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems — thehackernews.com — 19.08.2025 20:37
-
The campaign leverages the Apache ActiveMQ vulnerability to deploy various payloads, including HelloKitty ransomware, Linux rootkits, GoTitan botnet malware, and Godzilla web shell.
First reported: 19.08.2025 20:371 source, 1 articleShow sources
- Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems — thehackernews.com — 19.08.2025 20:37
Similar Happenings
XCSSET macOS Malware Targets Xcode Developers with Enhanced Features
A new variant of the XCSSET macOS malware has been detected, targeting Xcode developers with enhanced features. This variant includes improved browser targeting, clipboard hijacking, and persistence mechanisms. The malware spreads by infecting Xcode projects, stealing cryptocurrency, and browser data from infected devices. The malware uses run-only compiled AppleScripts for stealthy execution and employs sophisticated encryption and obfuscation techniques. It incorporates new modules for data exfiltration, persistence, and clipboard monitoring. The malware has been observed in limited attacks, with Microsoft sharing findings with Apple and GitHub to mitigate the threat. Developers are advised to keep macOS and apps up to date and inspect Xcode projects before building them.
ForcedLeak Vulnerability in Salesforce Agentforce Exploited via AI Prompt Injection
A critical vulnerability in Salesforce Agentforce, named ForcedLeak, allowed attackers to exfiltrate sensitive CRM data through indirect prompt injection. The flaw affected organizations using Salesforce Agentforce with Web-to-Lead functionality enabled. The vulnerability was discovered and reported by Noma Security on July 28, 2025. Salesforce has since patched the issue and implemented additional security measures, including regaining control of an expired domain and preventing AI agent output from being sent to untrusted domains. The exploit involved manipulating the Description field in Web-to-Lead forms to execute malicious instructions, leading to data leakage. Salesforce has enforced a Trusted URL allowlist to mitigate the risk of similar attacks in the future. The ForcedLeak vulnerability is a critical vulnerability chain with a CVSS score of 9.4, described as a cross-site scripting (XSS) play for the AI era. The exploit involves embedding a malicious prompt in a Web-to-Lead form, which the AI agent processes, leading to data leakage. The attack could potentially lead to the exfiltration of internal communications, business strategy insights, and detailed customer information. Salesforce is addressing the root cause of the vulnerability by implementing more robust layers of defense for their models and agents.
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, mandating federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered that agencies must permanently disconnect ASA devices that are reaching the end of support by September 30 from their networks. The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed security flaws in Cisco firewalls to deliver previously undocumented malware families like RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat.
Cisco IOS and IOS XE SNMP Zero-Day Exploited in Attacks
Cisco has released security updates to address a high-severity zero-day vulnerability (CVE-2025-20352) in Cisco IOS and IOS XE Software. The flaw is a stack-based buffer overflow in the Simple Network Management Protocol (SNMP) subsystem, actively exploited in attacks. This vulnerability allows authenticated, remote attackers to cause denial-of-service (DoS) conditions or gain root control of affected systems. The vulnerability impacts all devices with SNMP enabled, including specific Cisco devices running Meraki CS 17 and earlier. Cisco advises customers to upgrade to a fixed software release, specifically Cisco IOS XE Software Release 17.15.4a, to remediate the vulnerability. Temporary mitigation involves limiting SNMP access to trusted users and disabling the affected Object Identifiers (OIDs) on devices. Additionally, Cisco patched 13 other security vulnerabilities, including two with available proof-of-concept exploit code. Cisco also released patches for 14 vulnerabilities in IOS and IOS XE, including eight high-severity vulnerabilities. Proof-of-concept exploit code exists for two of the vulnerabilities, but exploitation is not confirmed. Three additional medium-severity bugs affect Cisco’s SD-WAN vEdge, Access Point, and Wireless Access Point (AP) software.
Brickstorm Malware Used in Long-Term Espionage Against U.S. Organizations
The UNC5221 activity cluster, attributed to suspected Chinese hackers, has been using the BRICKSTORM malware in long-term espionage operations against U.S. organizations in the technology, legal, SaaS, and BPO sectors. The malware, a Go-based backdoor, has been active for over a year, with an average dwell time of 393 days. It has been used to steal data from various sectors, including SaaS providers and BPOs. The attackers exploit vulnerabilities in edge devices and use anti-forensics techniques to avoid detection. The malware serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution. It targets appliances without EDR support, such as VMware vCenter/ESXi, and uses legitimate traffic to mask its C2 communications. The attackers aim to exfiltrate emails and maintain stealth through various tactics, including removing the malware post-operation to hinder forensic investigations. The attackers use a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials, and clone Windows Server VMs to extract secrets. The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. The malware exfiltrates emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM. The BRICKSTORM backdoor is under active development, with a variant featuring a delay timer for C2 communication. The attackers have exploited Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) for initial access. The attackers have used a custom dropper to install a malicious Java Servlet filter (BRICKSTEAL) in memory, avoiding detection. The attackers have modified init.d, rc.local, or systemd files to ensure persistence on appliances. The attackers have targeted Windows environments in Europe since at least November 2022. The attackers have been linked to other related Chinese threat actors besides UNC5221. The campaign has been monitored by Mandiant since March 2025. The attackers have targeted downstream customers of compromised SaaS providers. The attackers are believed to be analyzing stolen source code to identify zero-day vulnerabilities in enterprise technologies. The attackers use a delay timer to lie dormant on infected systems until a hard-coded date. The malware employs Garble, an open-source tool, for code obfuscation to hide function names, structures, and logic. Brickstorm has been found on VMware vCenter and ESXi hosts, often deployed prior to pivoting to these systems. The attackers use legitimate cloud services like Cloudflare Workers or Heroku for C2 communications. The attackers use dynamic domains like sslip.io or nip.io that point directly to the C2 server’s IP. The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth. The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks. The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces. The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline. The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials. The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval.