The DripDropper Paradox: Why Attackers Are Patching the Vulnerabilities They Exploit
Experts at Red Canary have uncovered an unusual campaign leveraging a newly identified strain of malware, DripDropper, specifically targeting cloud-based Linux servers. The attackers gained initial access through CVE-2023-46604 in Apache ActiveMQ, after which they established persistence and—paradoxically—applied an official patch to close the very same vulnerability. This counterintuitive move not only helped them erase traces of their intrusion but also locked out rival threat actors, leaving the compromised servers entirely under their control.
Analysts observed reconnaissance commands being executed across dozens of vulnerable hosts. On some, the adversaries deployed remote administration tools—ranging from Sliver to Cloudflare tunnels—to maintain stealthy, long-term connections with their C2 infrastructure. In one incident, they modified sshd configurations to enable root login and launched the DripDropper loader.
DripDropper itself is an ELF binary, packaged with PyInstaller, password-protected, and configured to communicate with the attackers’ Dropbox account via token authentication. Once deployed, it generates additional malicious payloads, persists them through cron jobs, and alters SSH configurations, creating new covert entry points for operators. By exploiting legitimate cloud services such as Dropbox or Telegram for C2 communications, the malware’s traffic blends seamlessly with normal network activity.
The final stage of the attack involves downloading and installing official ActiveMQ JAR patches directly from the Apache Maven repository. In doing so, the adversaries sealed the very flaw they had abused, reducing the likelihood of subsequent compromise by automated scanners or rival actors.
Researchers emphasize that exploitation of CVE-2023-46604 remains widespread despite its age, and continues to be weaponized not only by DripDropper operators but also for deploying TellYouThePass, HelloKitty, and the Kinsing cryptocurrency miner.
To mitigate risks, experts advise organizations to strengthen defenses around Linux environments, particularly in the cloud: employ automated configuration management with Ansible or Puppet, disable root logins, run services under non-privileged accounts, apply patches promptly, and enforce strict network access controls. Equally crucial is log monitoring in cloud environments, which can provide early warning of anomalous behavior.
This case underscores a sobering reality: even a “patched” vulnerability offers no assurance of safety if the fix comes from the adversaries themselves. Rigorous documentation of updates and timely administrative response remain the cornerstone of protecting critical infrastructure.
