
Last Updated: April 3, 2025


DripDropper Malware Exploits Patched Apache ActiveMQ for Persistence on Cloud Linux Systems

Type: Campaign
Actors: Unknown
Pub. date: August 19, 2025
Initial access: 1-day vulnerability
Impact: Data exfiltration
Observed techniques: Vulnerability exploitation; Create SSH backdoor
Observed tools: DripDropper; Sliver
Targeted technologies: Apache ActiveMQ
References: https://redcanary.com/blog/threat-intelligence/dripdropper-linux-malware/
Status: Finalized
Last edited: Sep 1, 2025 8:43 AM

The attack chain begins with exploitation of the Apache ActiveMQ RCE vulnerability (CVE-2023-46604) on cloud Linux hosts. Upon gaining access, the attacker installs the Sliver C2 implant and modifies sshd settings to permit root login over SSH, then downloads and executes the DripDropper payload—an encrypted PyInstaller ELF requiring a password to run. DripDropper drops two files: one used for process monitoring or follow-up instructions via Dropbox, and a second that alters SSH configuration, including the login shell of the games user, likely to enable stealthy remote access.

To maintain stealth and evade detection, the attacker uses Cloudflare Tunnels and Dropbox for C2, mimicking legitimate network traffic. In a final step, the adversary downloads official patched JARs from Maven to patch ActiveMQ, effectively hiding the exploit vector and thwarting future scans for the vulnerability.