A new report from Red Canary Threat Intelligence researchers describes a Linux malware operation dubbed DripDropper that exploits a vulnerability in a widely used software package and then patches it to prevent other attackers from gaining access. The payload targets Apache ActiveMQ via CVE-2023-46604, a flaw for which patches have been available for years but remain unpatched on many systems, according to the research.
The analysis notes that the intrusion begins with exploitation of the CVE in ActiveMQ. While the vulnerability itself is old, the attackers' objective is to establish a foothold on cloud servers and maintain a stealthy presence in order to retain access for the long term.
Once inside, the adversaries deploy two primary components. First, they install Sliver, a post-exploitation framework that provides covert, unrestricted control over the compromised host. Next, a downloader component named DripDropper connects to an attacker-controlled Dropbox account to retrieve additional instructions. The downloader is encrypted, complicating efforts by defenders to analyze its behavior.
In a striking twist, the attackers then apply a legitimate patch to the vulnerability they exploited, effectively closing the back door they had used to enter. This unusual tactic helps the intruders preserve exclusive control and complicates attribution and remediation efforts for defenders who rely on patch status alone to assess risk.
For persistence, DripDropper also alters system files to enable root logins and ensures its own continued execution. It drops a secondary file with a randomized eight-character name that likewise communicates with the attacker’s Dropbox for remote instructions. The researchers note that using public cloud storage services such as Dropbox is a tactic shared by other malware families, including CHIMNEYSWEEP, Mustang Panda, and WhisperGate.
Red Canary's findings emphasize that a system appearing patched is not a guarantee of security. A vulnerability scan may show a patch in place but fail to reveal how, when, or by whom it was applied. The report advocates a multi-layered security approach, including continuous patch management and thorough monitoring of cloud logs. It also encourages defenders to consult broader vulnerability catalogs, such as the CISA Known Exploited Vulnerabilities (KEV) list, to prioritize remediation.
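The two points above (persistence that enables root logins and drops a randomly named eight-character file, and the fact that a current patch level proves nothing on its own) suggest a simple host triage check. The following is an added example written for this summary, not code from Red Canary's report; it assumes the root-login change lands in `/etc/ssh/sshd_config` as `PermitRootLogin yes` (the report does not name the file) and treats the eight-character filename as a heuristic that will produce false positives.

```python
import re

# sshd(8) uses the FIRST uncommented value of a keyword, so stop at the first hit.
# Match blocks are ignored here; a fuller parser would scope them.
_ROOT_LOGIN = re.compile(r"^\s*PermitRootLogin\s+(\S+)", re.IGNORECASE)
_EIGHT_ALNUM = re.compile(r"^[A-Za-z0-9]{8}$")


def root_login_enabled(sshd_config: str) -> bool:
    """True if the effective PermitRootLogin directive is 'yes'."""
    for line in sshd_config.splitlines():
        m = _ROOT_LOGIN.match(line)       # '#PermitRootLogin ...' does not match
        if m:
            return m.group(1).lower() == "yes"
    return False  # OpenSSH default is prohibit-password


def eight_char_random_names(paths):
    """Paths whose basename is eight alphanumerics, no extension, and looks
    random (contains a digit or mixed case) so plain words like 'activemq' pass."""
    hits = []
    for p in paths:
        name = p.rsplit("/", 1)[-1]
        if _EIGHT_ALNUM.match(name) and (
            any(c.isdigit() for c in name) or name not in (name.lower(), name.upper())
        ):
            hits.append(p)
    return hits


def triage(activemq_patched: bool, sshd_config: str, new_paths) -> dict:
    """Patch status is recorded but never clears a host; only the findings decide."""
    findings = []
    if root_login_enabled(sshd_config):
        findings.append("PermitRootLogin yes")
    dropped = eight_char_random_names(new_paths)
    if dropped:
        findings.append("eight-char-named files: " + ", ".join(dropped))
    return {"patched": activemq_patched, "findings": findings,
            "investigate": bool(findings)}


# Constructed sample input (not from the report): a config where the default
# comment survives but an active 'yes' was appended, plus a recent-file listing.
SAMPLE_SSHD_CONFIG = "#PermitRootLogin prohibit-password\nPermitRootLogin yes\n"
SAMPLE_NEW_PATHS = ["/tmp/aB3xQ9kL", "/usr/bin/python3",
                    "/tmp/notes.txt", "/opt/activemq/bin/activemq"]

if __name__ == "__main__":
    print(triage(activemq_patched=True, sshd_config=SAMPLE_SSHD_CONFIG,
                 new_paths=SAMPLE_NEW_PATHS))
```

Feed `new_paths` from a recent-modification file search and `sshd_config` from the host; a result with `patched` true and `investigate` true is exactly the case the report warns about.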
Speaking about the case, Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, noted that automated malware patching is exceedingly rare today. He recalled a past incident involving a patch applied to disable autorun functionality and described the broader lesson: if attackers patch faster than an organization, defenders are not patching effectively. Grimes also shared anecdotes from his time consulting with Microsoft on how patches could be manipulated by attackers, underscoring the importance of auto-patching and proactive defense measures to close entry points before exploitation occurs.