Date: 02/24/2026
Severity: High
Summary
The intrusion started in mid-February 2024 when a threat actor exploited CVE-2023-46604 on an exposed Apache ActiveMQ server. By leveraging a Java Spring class and a custom Spring bean XML configuration, the attacker achieved remote code execution. The malicious XML executed a command that used Windows CertUtil to download a payload from a remote server. The payload was successfully retrieved and launched on the compromised beachhead host, revealing itself as a Metasploit stager. Roughly 40 minutes after the initial compromise, further malicious activity was observed. The attacker executed the GetSystem command to gain SYSTEM privileges and then accessed LSASS process memory via the Metasploit process.
Indicators of Compromise (IOC) List
IP Address: 166.62.100.52
SHA-256 Hashes:
C8646CFB574FF2C6F183C3C3951BF6B2C6CF16FF8A5E949A118BE27F15962FAE
8CEEE89550C521BA43F59D24BA53A22A3B69EAD0FCE118508D0A87A383D6A7B6
87BFB05057F215659CC801750118900145F8A22FA93AC4C6E1BFD81AA98B0A55
722FFF8F38197D1449DF500AE31A95BB34A6DDABA56834B13EAAFF2B0F9F1C8B
D9C888BDE81F19F3DC4F050D184FFA6470F1A93A2B3B10B3CC2D246574F56841
AnyDesk Client ID: 1148037084
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1: dstipaddress IN ("166.62.100.52") or srcipaddress IN ("166.62.100.52")
Detection Query 2: sha256hash IN ("722FFF8F38197D1449DF500AE31A95BB34A6DDABA56834B13EAAFF2B0F9F1C8B","87BFB05057F215659CC801750118900145F8A22FA93AC4C6E1BFD81AA98B0A55","C8646CFB574FF2C6F183C3C3951BF6B2C6CF16FF8A5E949A118BE27F15962FAE","8CEEE89550C521BA43F59D24BA53A22A3B69EAD0FCE118508D0A87A383D6A7B6","D9C888BDE81F19F3DC4F050D184FFA6470F1A93A2B3B10B3CC2D246574F56841")
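The two queries above are written for the Gurucul TDIR query language. For teams that want to sweep exported logs offline before the queries are deployed, the following Python applies the same two checks to sample events. This is an added example, not Gurucul's or The DFIR Report's code: the IP and hash values are the IOCs listed above, the field names srcipaddress, dstipaddress and sha256hash are taken from the queries, but the key=value log format and the sample records are constructed for this illustration.

```python
"""Offline replay of the two TDIR detection queries against sample events.

Added example (not Gurucul or DFIR Report code). IOC values come from the
advisory; the key=value record format and the sample log are constructed.
"""

import re

# IOC values exactly as listed in the advisory.
IOC_IPS = {"166.62.100.52"}
IOC_SHA256 = {
    "722FFF8F38197D1449DF500AE31A95BB34A6DDABA56834B13EAAFF2B0F9F1C8B",
    "87BFB05057F215659CC801750118900145F8A22FA93AC4C6E1BFD81AA98B0A55",
    "C8646CFB574FF2C6F183C3C3951BF6B2C6CF16FF8A5E949A118BE27F15962FAE",
    "8CEEE89550C521BA43F59D24BA53A22A3B69EAD0FCE118508D0A87A383D6A7B6",
    "D9C888BDE81F19F3DC4F050D184FFA6470F1A93A2B3B10B3CC2D246574F56841",
}

# Constructed sample events (not real telemetry). Line 1 is a network flow to
# the IOC address, line 2 a process event whose hash matches one IOC (in the
# lower-case form many EDR products emit), lines 3 and 4 are benign.
SAMPLE_LOG = """\
ts=2024-02-15T10:02:11Z srcipaddress=10.10.4.21 dstipaddress=166.62.100.52 dstport=443 action=allow
ts=2024-02-15T10:02:40Z host=beachhead process=certutil.exe sha256hash=c8646cfb574ff2c6f183c3c3951bf6b2c6cf16ff8a5e949a118be27f15962fae
ts=2024-02-15T10:05:03Z srcipaddress=10.10.4.21 dstipaddress=192.0.2.10 dstport=443 action=allow
ts=2024-02-15T10:41:55Z host=beachhead process=svchost.exe sha256hash=0000000000000000000000000000000000000000000000000000000000000000
"""

# key=value pairs; values may be quoted when they contain spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value log line into a dict of string fields."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def match_ioc_queries(event):
    """Apply both detection queries to one event and return the names that fired.

    Query 1 matches either direction of the flow, as the TDIR query does.
    Query 2 compares upper-cased so mixed-case hashes from endpoint telemetry
    still match the upper-case values published in the advisory.
    """
    hits = []
    if event.get("dstipaddress") in IOC_IPS or event.get("srcipaddress") in IOC_IPS:
        hits.append("Detection Query 1")
    if event.get("sha256hash", "").upper() in IOC_SHA256:
        hits.append("Detection Query 2")
    return hits


def scan_log(text):
    """Run both queries over every line; return (timestamp, fired queries) for hits only."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        fired = match_ioc_queries(event)
        if fired:
            results.append((event.get("ts"), fired))
    return results


if __name__ == "__main__":
    for ts, fired in scan_log(SAMPLE_LOG):
        print(ts, ", ".join(fired))
```

Run against a real export, replace SAMPLE_LOG with the file contents and adjust parse_event to the export's format; the matching logic itself is independent of how the records are serialized.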
Reference:
https://thedfirreport.com/2026/02/23/apache-activemq-exploit-leads-to-lockbit-ransomware/