Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems

  • August 19, 2025

Jasper_The_Rasper
Moderator

August 19, 2025 By Ravie Lakshmanan


Threat actors are exploiting a nearly two-year-old security flaw in Apache ActiveMQ to gain persistent access to cloud Linux systems and deploy malware called DripDropper.

But in an unusual twist, the unknown attackers have been observed patching the exploited vulnerability after securing initial access to prevent further exploitation by other adversaries and evade detection, Red Canary said in a report shared with The Hacker News.

"Follow-on adversary command-and-control (C2) tools varied by endpoint and included Sliver, and Cloudflare Tunnels to maintain covert command and control over the long term," researchers Christina Johns, Chris Brook, and Tyler Edmonds said.

The attacks exploit a maximum-severity security flaw in Apache ActiveMQ (CVE-2023-46604, CVSS score: 10.0), a remote code execution vulnerability that could be exploited to run arbitrary shell commands. It was addressed in late October 2023.

The security defect has since come under heavy exploitation, with multiple threat actors leveraging it to deploy a wide range of payloads, including HelloKitty ransomware, Linux rootkits, GoTitan botnet malware, and the Godzilla web shell.


>>Full Article<<