
August 20, 2025

Exploitation of Apache ActiveMQ Flaw: DripDropper Malware Targets Cloud Linux Environments


Threat actors have been exploiting a security flaw in Apache ActiveMQ that has gone unpatched on affected systems for nearly two years to gain persistent access to cloud-based Linux hosts and deploy a malware known as DripDropper. Remarkably, the attackers have been observed patching the very vulnerability they exploited, which locks out other intruders and helps them evade detection, according to a report from Red Canary.

The attackers used a maximum-severity flaw in Apache ActiveMQ (CVE-2023-46604), which allows remote code execution (RCE) and carries a CVSS score of 10.0. The vulnerability was fixed in late October 2023, but it has since been heavily exploited to deliver a range of significant payloads, including ransomware and other malware such as HelloKitty and the Godzilla web shell.

In one instance of the attack, the adversaries were found modifying the SSH configuration to enable root logins, which gave them the elevated access needed to install DripDropper, a PyInstaller executable that requires a password to run and is therefore harder to analyze. The malware communicated with an attacker-controlled Dropbox account so that its traffic blended in with normal network activity and avoided detection.

DripDropper functions as a downloader, retrieving files that carry out further actions such as process monitoring and additional communication via Dropbox. To maintain persistence, it modifies cron jobs in the /etc/cron.* directories. A notable part of the attack involved the adversaries downloading patches for the original vulnerability from Apache Maven to close the entry point they had used, which shows they had already established other means of persistent access.
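As an added example (not from the article or the Red Canary report), the POSIX shell audit below checks for the two host changes described above: an sshd_config that turns PermitRootLogin on, and cron files under the /etc/cron.* directories that are newer than a known-good reference file. It runs against constructed sample files in a temporary directory; the file names, the baseline-file approach and the sample paths are assumptions.

```shell
#!/bin/sh
# Added audit example (not from the article or the Red Canary report).
# It checks for the two host changes the report describes: PermitRootLogin
# turned on in sshd_config, and new or modified files under /etc/cron.*.

# Print the effective PermitRootLogin value of an sshd_config. sshd honours the
# first matching directive, so later duplicates are ignored; "default" means the
# directive is absent (prohibit-password on current OpenSSH builds).
effective_permit_root_login() {
    v=$(grep -iE '^[[:space:]]*PermitRootLogin[[:space:]]+' "$1" 2>/dev/null \
        | head -n 1 | awk '{print tolower($2)}')
    if [ -n "$v" ]; then echo "$v"; else echo "default"; fi
}

# Return 0 when the configuration allows root password logins outright.
root_login_enabled() {
    [ "$(effective_permit_root_login "$1")" = "yes" ]
}

# List cron files newer than a reference file (for example a known-good backup
# or the last package-install timestamp) across the given directories.
recently_changed_cron() {
    ref="$1"; shift
    for d in "$@"; do
        if [ -d "$d" ]; then find "$d" -type f -newer "$ref"; fi
    done
}

# --- constructed sample data so the script runs offline (assumed paths) ---
SAMPLE_DIR=$(mktemp -d)
printf 'Port 22\n#PermitRootLogin no\nPermitRootLogin yes\n' > "$SAMPLE_DIR/sshd_config.bad"
printf 'PermitRootLogin no\n' > "$SAMPLE_DIR/sshd_config.good"
mkdir -p "$SAMPLE_DIR/cron.d" "$SAMPLE_DIR/cron.hourly"
touch -t 202001010000 "$SAMPLE_DIR/baseline"   # old reference timestamp
printf '* * * * * root /tmp/updater\n' > "$SAMPLE_DIR/cron.d/sysupdate"

for cfg in "$SAMPLE_DIR/sshd_config.bad" "$SAMPLE_DIR/sshd_config.good"; do
    if root_login_enabled "$cfg"; then
        echo "ALERT: $cfg permits root password login"
    else
        echo "ok:    $cfg (PermitRootLogin $(effective_permit_root_login "$cfg"))"
    fi
done
echo "cron files changed since baseline:"
recently_changed_cron "$SAMPLE_DIR/baseline" "$SAMPLE_DIR/cron.d" "$SAMPLE_DIR/cron.hourly"
```

The config parser does not distinguish directives inside Match blocks; `sshd -T` prints the authoritative effective value when you need it.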

Although rare, the tactic of patching an exploited vulnerability is not unprecedented. France’s national cybersecurity agency recently reported a similar approach, which further underlines the need for organizations to apply security patches promptly and to monitor for anomalous activity.

Organizations are reminded to maintain robust security practices, including configuration hardening, timely patching, and strict access controls on internal systems, to protect against such threats.
