Researchers from Red Canary report that hackers are using a new Linux malware called DripDropper. For these attacks, the criminals exploit a critical vulnerability in the open-source Apache ActiveMQ software and then patch the bug they exploited.
In their attacks, the threat actors are exploiting the old RCE vulnerability CVE-2023-46604, which scored 10 out of 10 on the CVSS scale and is rated critical. As a reminder, this bug was discovered and fixed in late October 2023. The issue allows attackers to execute arbitrary shell commands by leveraging serialized class types in the OpenWire protocol.
In the latest attacks, hackers install a backdoor on compromised systems and upload two Java Archive (JAR) files that effectively close the original vulnerability. Patching the bug after infection helps the attackers hide what’s happening from vulnerability scanners.
“This behavior is highly unusual, and we observe it extremely rarely,” the Red Canary team says. “In the past, we’ve seen this only once. Most criminals follow a ‘plug in and go’ approach; they rarely use such sophisticated tricks.”
Hackers gain access to victims’ systems using the Sliver implant (a legitimate tool for pentesters that is often used by hackers), using it to modify the target machine’s sshd configuration file and obtain root access. They then deploy DripDropper — an encrypted ELF built with PyInstaller — which connects to a Dropbox account controlled by the attackers and uses it to manage the compromised Linux servers.
Experts note that DripDropper is password-protected, which complicates access and analysis of the malware.
“The behavior of this file varies from case to case — from monitoring processes to reaching out to Dropbox for further instructions,” the Red Canary team reports. “DripDropper ensures persistent execution of the downloaded file by modifying the 0anacron file located in each /etc/cron.*/ directory. It also typically alters existing SSH-related configuration files, including changing the default login shell for the user account ‘games’ to /bin/sh. This presumably prepares the system by creating additional persistent access via the ‘games’ account, allowing attackers to execute shell commands.”
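As an added example (not code from Red Canary or from this article), the following Python script checks a Linux host for the persistence indicators quoted above: a `0anacron` file under `/etc/cron.*/` that runs commands beyond the stock anacron invocation, a low-UID service account such as `games` whose login shell has been switched to an interactive one, and a permissive `PermitRootLogin` in `sshd_config`. It generalizes slightly: any system account (UID below 1000, other than root) with an interactive shell is flagged, not only `games`. The article does not say which sshd directive the attackers changed, so the `PermitRootLogin` check is an assumption, and every input below is a constructed sample with placeholder paths rather than a real artifact.

```python
"""Hunt for DripDropper-style persistence on a Linux host.

Checks (defender's view of the indicators in the Red Canary write-up):
  1. /etc/cron.*/0anacron carrying commands unrelated to anacron
  2. service accounts (UID 1..999) with an interactive login shell
  3. sshd_config permitting root login (assumed directive)
All sample data here is constructed; swap in real file contents on a host.
"""
import glob

# Login shells that cannot be used interactively; anything else on a
# service account is suspicious.
NON_INTERACTIVE_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin",
                          "/bin/false", "/usr/bin/false"}

# --- constructed samples (not from a real system) ----------------------
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

# A tampered daily file with an appended launcher (placeholder path) next
# to an untouched weekly file.
SAMPLE_0ANACRON = {
    "/etc/cron.daily/0anacron": """#!/bin/sh
# Run anacron if it is installed (stock lines)
test -x /usr/sbin/anacron || exit 0
/usr/sbin/anacron -s
/tmp/.dropper_placeholder &
""",
    "/etc/cron.weekly/0anacron": """#!/bin/sh
test -x /usr/sbin/anacron || exit 0
/usr/sbin/anacron -s
""",
}

SAMPLE_SSHD_CONFIG = """Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""


def find_shell_accounts(passwd_text, uid_max=999):
    """Return (user, shell) for service accounts with an interactive shell."""
    hits = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        user, uid, shell = fields[0], int(fields[2]), fields[6]
        if uid == 0 or uid > uid_max:      # root and normal users are out of scope
            continue
        if shell not in NON_INTERACTIVE_SHELLS:
            hits.append((user, shell))
    return hits


def find_cron_anomalies(cron_files):
    """Map path -> command lines in a 0anacron file that do not mention anacron.

    The stock file only tests for and runs /usr/sbin/anacron, so any other
    command line is worth a look.
    """
    anomalies = {}
    for path, text in cron_files.items():
        odd = []
        for line in text.splitlines():
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue                     # comments and the shebang
            if "anacron" in stripped:
                continue                     # expected stock invocation
            odd.append(stripped)
        if odd:
            anomalies[path] = odd
    return anomalies


def find_sshd_risky(sshd_text):
    """Return sshd_config lines that set PermitRootLogin to yes (assumed check)."""
    hits = []
    for line in sshd_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        parts = stripped.split(None, 1)
        if (len(parts) == 2 and parts[0].lower() == "permitrootlogin"
                and parts[1].strip().lower() == "yes"):
            hits.append(stripped)
    return hits


def load_live_cron_files():
    """Read every /etc/cron.*/0anacron on the running host (best effort)."""
    found = {}
    for path in glob.glob("/etc/cron.*/0anacron"):
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                found[path] = fh.read()
        except OSError:
            pass
    return found


if __name__ == "__main__":
    print("shell accounts:", find_shell_accounts(SAMPLE_PASSWD))
    print("cron anomalies:", find_cron_anomalies(SAMPLE_0ANACRON))
    print("sshd risky:   ", find_sshd_risky(SAMPLE_SSHD_CONFIG))
```

On a real host, feed `open("/etc/passwd").read()`, `load_live_cron_files()` and `open("/etc/ssh/sshd_config").read()` to the three functions instead of the samples; a hit is a lead to triage against package-manager file checksums and change timestamps, not proof of compromise on its own.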
After installing the malware and patching the vulnerability, the attackers deliver new payloads into the system. These can include various infostealers, ransomware, or network access tools that hackers can use to move laterally across the network and infect other machines.
Researchers note that, in theory, CVE-2023-46604 shouldn’t be an issue in 2025, since it was fixed two years ago. However, not everyone applies patches promptly, and vendors aren’t helping matters. For example, Oracle released a patch for this vulnerability only in January of this year, even though experts repeatedly warned about attacks exploiting it.