Hackers Actively Exploiting ActiveMQ Vulnerability to Install Malware

Attackers have been continuously exploiting the Apache ActiveMQ vulnerability (CVE-2023-46604) to steal data and install malware.

Using the Apache ActiveMQ remote code execution vulnerability, the Andariel threat group was found to be installing malware last month. Their primary targets are national defense, political groups, shipbuilding, energy, telecommunications, ICT firms, universities, and logistics firms.

Researchers have now discovered new attacks that installed Ladon, NetCat, AnyDesk, and z0Miner.


Overview of the Apache ActiveMQ Vulnerability

A remote code execution vulnerability in Apache ActiveMQ, an open-source messaging and integration pattern server, is identified as CVE-2023-46604.

“If an unpatched Apache ActiveMQ is externally exposed, the threat actor can execute malicious commands from a remote location and take over the target system,” AhnLab Security Emergency Response Center (ASEC) shared in a report with Cyber Security News.

The attack manipulates a serialized class type in the OpenWire protocol so that a class on the classpath is instantiated. When the threat actor sends a modified packet, the vulnerable server loads the XML configuration file for that class from the path (URL) supplied in the packet.

Researchers examined the latest attacks, which installed malware such as Ladon, NetCat, AnyDesk, and z0Miner.

Ladon:

Ladon is a tool typically employed by Chinese-speaking threat actors. It provides several features needed during an attack; reverse shell, scanning, privilege escalation, and account credential theft are among its main capabilities.

Once they had established that a vulnerable version of the Apache ActiveMQ service was in use, the attackers downloaded Ladon and executed additional commands through PowerShell.

The reverse shell was launched with Ladon's ReverseTCP command, and Netcat (nc) was used to establish the connection.

Ladon’s GitHub page

AnyDesk & Netcat

Using the TCP/UDP protocol, Netcat is a utility for sending and receiving data to and from specific targets within a network.

It works in both Windows and Linux environments. Network administrators regularly use it because it offers a variety of functions for network testing, but threat actors can take advantage of it as well.

Netcat is being installed and executed through a vulnerability attack

In the recently discovered attack, the threat actor installed AnyDesk after installing Netcat. The AnyDesk setup file was obtained from the download URL on the official AnyDesk website.

Installing AnyDesk using Netcat

“The threat actor would have connected to the infected system and used the password transmitted as the ‘--set-password’ argument upon execution to remotely control the target system,” researchers said.

z0Miner

Attacks that install XMRig CoinMiner have also been observed recently. In these cases the XML configuration file is named “paste.xml,” and it contains the instructions for running PowerShell commands through CMD.

The downloaded PowerShell script is simple: it downloads and executes both the configuration file and XMRig CoinMiner.

PowerShell script that installs XMRig CoinMiner
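The post-exploitation chain described above (the broker's JVM spawning cmd/PowerShell, Netcat, and AnyDesk run with --set-password) can be matched against process-creation telemetry. This is an added example written for this article, not ASEC's detection logic; the event field names and the sample events are constructed assumptions that you would map onto your own EDR or Sysmon export.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class ProcEvent:
    parent_image: str      # path of the parent process
    parent_cmdline: str    # parent command line (used to recognise the broker JVM)
    image: str             # path of the newly created process
    cmdline: str           # its command line

# Parent is a JVM whose command line mentions ActiveMQ; the child is one of the
# tools the article describes (cmd/PowerShell, Netcat, AnyDesk --set-password).
JAVA_IMAGE = re.compile(r"(?:^|[\\/])javaw?(?:\.exe)?$", re.I)
SHELL_IMAGE = re.compile(r"(?:^|[\\/])(?:cmd|powershell|pwsh)(?:\.exe)?$", re.I)
NETCAT_IMAGE = re.compile(r"(?:^|[\\/])(?:nc|ncat|netcat)(?:\.exe)?$", re.I)
ANYDESK_SETPW = re.compile(r"anydesk\S*\s.*--set-password", re.I)

def spawned_by_activemq(ev: ProcEvent) -> bool:
    return bool(JAVA_IMAGE.search(ev.parent_image)) and "activemq" in ev.parent_cmdline.lower()

def classify(ev: ProcEvent) -> List[str]:
    """Return the names of the heuristics the event matches (empty list = benign)."""
    hits = []
    if spawned_by_activemq(ev):
        if SHELL_IMAGE.search(ev.image):
            hits.append("activemq-spawned-shell")    # cmd -> PowerShell, as in paste.xml
        if NETCAT_IMAGE.search(ev.image):
            hits.append("activemq-spawned-netcat")   # Netcat reverse-shell stage
    if ANYDESK_SETPW.search(ev.cmdline):
        hits.append("anydesk-password-set")          # unattended-access password being set
    return hits

def scan(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    return [(i, classify(ev)) for i, ev in enumerate(events) if classify(ev)]

# Constructed sample events (assumption: not real telemetry).
BROKER = "java -Dactivemq.home=C:\\apache-activemq org.apache.activemq.console.Main start"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Java\bin\java.exe", BROKER,
              r"C:\Windows\System32\cmd.exe", "cmd /c powershell -c <downloaded script>"),
    ProcEvent(r"C:\Program Files\Java\bin\java.exe", BROKER,
              r"C:\ProgramData\nc.exe", "nc.exe <remote-host> <port>"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", "cmd /c <installer step>",
              r"C:\ProgramData\AnyDesk.exe", "AnyDesk.exe --set-password"),
    ProcEvent(r"C:\Windows\explorer.exe", "explorer.exe",
              r"C:\Windows\System32\cmd.exe", "cmd /c dir"),          # benign
    ProcEvent(r"C:\Program Files\Java\bin\java.exe", "java -jar myapp.jar",
              r"C:\Windows\System32\cmd.exe", "cmd /c echo hello"),   # benign: not the broker
]
```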

To stop attacks that make use of known vulnerabilities, system administrators need to verify if the Apache ActiveMQ service they are using is one of the vulnerable versions and install the most recent updates.
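A branch-aware version check for that verification step, added here as an example (not from the article or the ASEC report). It reads the version out of the jar filenames in an ActiveMQ lib/ directory and compares it with the first fixed release on the same branch; the numbers in FIXED_VERSIONS are placeholders (an assumption) that you must replace with the fixed versions from the Apache advisory for CVE-2023-46604.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Release branch -> first version on that branch that carries the fix.
# ASSUMPTION: these numbers are placeholders so the comparison logic can be
# shown; take the real ones from the Apache advisory before relying on this.
FIXED_VERSIONS: Dict[Version, Version] = {
    (5, 15): (5, 15, 999),
    (5, 16): (5, 16, 999),
    (5, 17): (5, 17, 999),
    (5, 18): (5, 18, 999),
}

# Jar names found in an ActiveMQ distribution's lib/ directory.
JAR_RE = re.compile(r"^activemq-(?:all|broker|client|core)-(\d+(?:\.\d+)+)(?:-[\w.]+)?\.jar$", re.I)

def parse_version(text: str) -> Version:
    """'5.18.2' -> (5, 18, 2); a -SNAPSHOT or similar suffix is ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def version_from_jar(path: str) -> Optional[Version]:
    """Extract the version from a jar filename, e.g. activemq-broker-5.18.2.jar."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = JAR_RE.match(name)
    return parse_version(m.group(1)) if m else None

def is_vulnerable(version: Version, fixed: Dict[Version, Version] = FIXED_VERSIONS) -> Optional[bool]:
    """True if below the fix on its branch, False if at/above it, None if the
    branch is newer than anything in the table (consult the advisory)."""
    branch = version[:2]
    if branch in fixed:
        return version < fixed[branch]
    if branch < min(fixed):
        return True   # assumption: branches older than the oldest patched one received no fix
    return None

def check_jar(path: str) -> str:
    v = version_from_jar(path)
    if v is None:
        return "not an ActiveMQ jar"
    return {True: "VULNERABLE", False: "patched", None: "unknown branch"}[is_vulnerable(v)]

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:          # e.g. python check.py /opt/activemq/lib/*.jar
        print(f"{p}: {check_jar(p)}")
```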

Finally, V3 should be kept updated to the most recent version to prevent malware infections in advance.

Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
