Hackers Patch Apache ActiveMQ Vulnerability After Exploiting It

Researchers at Red Canary have identified a new Linux malware strain dubbed DripDropper, which is being used in an unusual campaign. In these attacks, hackers exploit a critical vulnerability in Apache ActiveMQ—then patch the very flaw they leveraged.
Exploiting and Closing the Door
The attackers are exploiting an old Remote Code Execution (RCE) vulnerability, CVE-2023-46604, which earned a CVSS score of 10.0 when it was disclosed in October 2023. The bug allows remote execution of arbitrary shell commands through maliciously crafted serialized class types in the OpenWire protocol.
Once they compromise a system, the attackers install a backdoor and upload two Java Archive (JAR) files designed to patch the original flaw. By closing the exploited vulnerability, they effectively hide their presence from routine vulnerability scans.
“This behavior is quite unusual, and we rarely observe anything like it,” said Red Canary researchers. “We have only seen this once before. Most criminals operate on a ‘smash-and-grab’ principle—they rarely employ such sophisticated tricks.”
The DripDropper Malware
Initial access is gained using a Sliver implant, a legitimate red-teaming tool frequently abused by threat actors. Attackers then modify the system’s sshd configuration file to obtain root access before deploying DripDropper.
DripDropper is an encrypted ELF binary compiled with PyInstaller. It communicates with a Dropbox account controlled by the attackers, which they use to manage infected servers. The malware is password-protected, making reverse engineering and analysis more difficult.
“The actions of this file vary from case to case—from monitoring processes to contacting Dropbox for further instructions,” Red Canary explained. “DripDropper maintains persistence by modifying the 0anacron file in every /etc/cron.*/ directory. It also alters existing SSH-related configuration files, such as changing the default login shell for the ‘games’ account to /bin/sh. This likely sets up additional persistent access, giving attackers the ability to execute shell commands.”
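A defender-side check for the two host artifacts the quote names (an interactive login shell on the ‘games’ account, and altered 0anacron files under /etc/cron.*/), added here as an example and not Red Canary's or the article's own code; the passwd lines, the known-good 0anacron content and its baseline hash are constructed assumptions. Because the attackers patch CVE-2023-46604 after exploiting it, a vulnerability scan will not flag the host, so checks against host state like these are what remain.

```python
import hashlib
import re

# Login shells that a low-UID system account such as 'games' should not have.
INTERACTIVE_SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}


def system_accounts_with_shell(passwd_text, max_system_uid=999):
    """Return (user, shell) pairs for non-root system accounts with an interactive shell."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip blank, commented or malformed lines
        user, uid, shell = fields[0], int(fields[2]), fields[6]
        if user != "root" and uid <= max_system_uid and shell in INTERACTIVE_SHELLS:
            hits.append((user, shell))
    return hits


def modified_0anacron(files, baseline_sha256):
    """files maps path -> content; flag 0anacron files whose hash differs from the baseline."""
    pattern = re.compile(r"/etc/cron\.[a-z]+/0anacron")
    return sorted(
        path for path, content in files.items()
        if pattern.fullmatch(path)
        and hashlib.sha256(content.encode()).hexdigest() != baseline_sha256
    )


# Constructed sample input (not real data from the campaign).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
games:x:5:60:games:/usr/games:/bin/sh
alice:x:1000:1000::/home/alice:/bin/bash
"""
GOOD_0ANACRON = "#!/bin/sh\ntest -x /usr/sbin/anacron || exit 0\n"
BASELINE_SHA256 = hashlib.sha256(GOOD_0ANACRON.encode()).hexdigest()  # hypothetical known-good hash
SAMPLE_CRON_FILES = {
    "/etc/cron.daily/0anacron": GOOD_0ANACRON,
    "/etc/cron.weekly/0anacron": GOOD_0ANACRON,
    "/etc/cron.monthly/0anacron": GOOD_0ANACRON + "/usr/local/bin/unexpected-task &\n",  # constructed tampering
}

if __name__ == "__main__":
    print("system accounts with interactive shell:", system_accounts_with_shell(SAMPLE_PASSWD))
    print("0anacron files differing from baseline:", modified_0anacron(SAMPLE_CRON_FILES, BASELINE_SHA256))
```

On a real host, the baseline hash should come from the package manager's file manifest rather than from the file currently on disk.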
Post-Infection Payloads
After establishing persistence and patching the initial vulnerability, attackers deliver secondary payloads. These may include info-stealers, ransomware, or network access tools to facilitate lateral movement and further compromise.
Why Old Bugs Still Matter
In theory, CVE-2023-46604 should no longer pose a threat in 2025—it was patched nearly two years ago. But patch adoption remains inconsistent. Many organizations delay updates, while some vendors are slow to ship fixes.
One example: Oracle only released its patch for this vulnerability in January 2025, long after researchers had warned about active exploitation.