A new sophisticated attack campaign targeting Apache Tomcat servers has emerged, with attackers deploying encrypted and encoded payloads designed to run on both Windows and Linux systems.
The attack chain begins with brute-force attempts against Tomcat management consoles using commonly weak credentials, such as the username “Tomcat” and the password “123456”, to gain initial access to vulnerable servers.
Security researchers have discovered that it took just 30 hours for malicious actors to exploit a newly identified vulnerability in Apache Tomcat.
Once compromised, the servers are quickly weaponized to steal SSH credentials, establish persistence, and hijack resources for cryptocurrency mining operations, demonstrating the attackers’ efficiency in leveraging newly discovered security flaws.
Aquasec security researchers, who dubbed this campaign “Tomcat Campaign 25′,” note that the malware shows signs of being relatively new.
Code snippets within the malware suggest possible connections to Chinese-speaking threat actors, though this could potentially be a misdirection technique employed by the attackers to obscure their true origin.
After successfully guessing credentials on the Apache Tomcat management console, the attackers upload Java-based web shells that enable them to execute arbitrary code on the infected servers.
These web shells serve as backdoor loaders and establish persistence mechanisms that allow attackers to maintain access even after system reboots.
The initial attack phase deploys two malicious JSP files. The first script functions as a backdoor loader, while the second handles persistence and privilege escalation.
The web shells download additional payloads from domains registered as recently as February 2025, indicating this is a relatively new operation.
A particularly notable technique used by the attackers involves hiding their secondary payload behind a misleading 404 error page.
When visiting the malicious website https://www.dbliker.top/w, users see what appears to be a standard “Page Not Found” error, while the actual malicious payload is concealed within the HTML code.
The payload contains sophisticated obfuscation techniques, including multiple layers of encoding. After execution, the malware searches for SSH credentials with commands like:
KEYS=$(find ~/ /root /home -maxdepth 2 -name 'id_rsa*'|grep -vw pub)
Once extracted, these credentials enable lateral movement throughout the victim’s network.
The malware also deploys a cryptominer that connects to mining pools, effectively hijacking server resources as seen in Figure 1, which illustrates the complete attack flow.
The malware demonstrates advanced evasion capabilities, masquerading as legitimate kernel processes with names like “[cpuhp/0]” to avoid detection while optimizing CPU consumption for more efficient cryptocurrency mining operations.
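A defender-side check for the kernel-thread masquerade described above, added here as an example and not taken from the Aquasec report: genuine kernel threads have an empty /proc/<pid>/cmdline, no readable /proc/<pid>/exe link and kthreadd (PID 2) as their parent, so a process that presents a bracketed name such as “[cpuhp/0]” while carrying any of those user-space traits is flagged. The sample process records are constructed, and the process name “cpuhp/0” is taken from the article.

```python
"""Flag user-space processes posing as kernel threads (e.g. "[cpuhp/0]")."""
import os
import re
from typing import Optional

# A kernel-thread style name as shown by ps: "[name]" and nothing else.
BRACKETED = re.compile(r"^\[[^\]]+\]$")

# Constructed sample records (not captured from a real host).
SAMPLE_PROCESSES = [
    {"pid": 14, "ppid": 2, "comm": "cpuhp/0", "cmdline": "", "exe": None},      # real kthread
    {"pid": 4242, "ppid": 1, "comm": "cpuhp/0", "cmdline": "[cpuhp/0]",
     "exe": "/tmp/.x/miner"},                                                    # masquerading
    {"pid": 900, "ppid": 1, "comm": "java", "cmdline": "/usr/bin/java -jar app.jar",
     "exe": "/usr/bin/java"},                                                    # ordinary daemon
]


def kthread_masquerade_reasons(proc: dict) -> list:
    """Return why a process record looks like a fake kernel thread (empty if it does not)."""
    reasons = []
    comm, cmdline = proc["comm"].strip(), proc["cmdline"].strip()
    claims_kthread = bool(BRACKETED.match(cmdline)) or bool(BRACKETED.match(comm))
    if not claims_kthread:
        return reasons
    # A genuine kernel thread never has an argv, so a bracketed cmdline is itself the tell.
    if cmdline:
        reasons.append("non-empty cmdline")
    if proc["exe"]:
        reasons.append(f"exe resolves to {proc['exe']}")
    if proc["ppid"] not in (0, 2):
        reasons.append(f"parent pid {proc['ppid']} is not kthreadd")
    return reasons


def read_proc(pid: int) -> dict:
    """Build a record for a live PID from /proc (Linux only)."""
    base = f"/proc/{pid}"
    with open(f"{base}/comm") as fh:
        comm = fh.read()
    with open(f"{base}/cmdline", "rb") as fh:
        cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace")
    with open(f"{base}/status") as fh:
        ppid = next(int(l.split()[1]) for l in fh if l.startswith("PPid:"))
    exe: Optional[str]
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:            # kernel threads (and zombies) have no readable exe link
        exe = None
    return {"pid": pid, "ppid": ppid, "comm": comm, "cmdline": cmdline, "exe": exe}


def scan_proc() -> list:
    """Return (pid, reasons) for every live process that fails the check."""
    hits = []
    for entry in filter(str.isdigit, os.listdir("/proc")):
        try:
            proc = read_proc(int(entry))
        except OSError:        # process exited or is not readable; skip it
            continue
        if reasons := kthread_masquerade_reasons(proc):
            hits.append((proc["pid"], reasons))
    return hits
```

Run `scan_proc()` as root on a suspect host; on the constructed samples only PID 4242 is reported.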