{
	"id": "69486b96-e6b9-401d-bd91-d8db5a2a3b7e",
	"created_at": "2026-04-06T01:30:56.314156Z",
	"updated_at": "2026-04-10T03:34:59.789184Z",
	"deleted_at": null,
	"sha1_hash": "15124cd241e97aea5ae626b15070f6ca8fe9d6a7",
	"title": "GoTitan Botnet - Ongoing Exploitation on Apache ActiveMQ | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5240928,
	"plain_text": "GoTitan Botnet - Ongoing Exploitation on Apache ActiveMQ |\r\nFortiGuard Labs\r\nBy Cara Lin\r\nPublished: 2023-11-28 · Archived: 2026-04-06 00:48:11 UTC\r\nAffected Platforms: Any OS running Apache ActiveMQ versions prior to 5.15.16, 5.16.7, 5.17.6, and 5.18.3\r\nImpacted Parties: Any organization\r\nImpact: Remote attackers gain control of the vulnerable systems\r\nSeverity Level: Critical\r\nThis past October, Apache issued a critical advisory addressing CVE-2023-46604, a vulnerability involving the\r\ndeserialization of untrusted data in Apache ActiveMQ. On November 2, the Cybersecurity and Infrastructure Security Agency\r\n(CISA) added CVE-2023-46604 to its Known Exploited Vulnerabilities (KEV) Catalog, indicating this vulnerability's high risk\r\nand impact. FortiGuard Labs also released an outbreak alert and a threat signal report about the active exploitation\r\nof CVE-2023-46604, providing more details and recommendations for mitigation.\r\nTechnical details and proof-of-concept (PoC) code for CVE-2023-46604 are publicly available, making it easier\r\nfor attackers to exploit this vulnerability. In recent weeks, FortiGuard Labs has detected numerous threat actors\r\nexploiting CVE-2023-46604 to disseminate diverse strains of malware. Our analysis has unveiled the emergence\r\nof a newly discovered Golang-based botnet named GoTitan and a .NET program called \"PrCtrl Rat,\" equipped\r\nwith remote control capabilities. Additionally, we have identified other well-known malware and tools in play.\r\nInitially developed as an advanced penetration testing tool and red teaming framework, Sliver supports various\r\ncallback protocols, including DNS, TCP, and HTTP(S), streamlining egress processes. Kinsing has solidified its\r\nposition in cryptojacking operations, showcasing its ability to quickly capitalize on newly discovered\r\nvulnerabilities. 
Meanwhile, Ddostf, with a history dating back to 2016, continues to exhibit its proficiency in\r\nexecuting targeted Distributed Denial of Service (DDoS) attacks.\r\nThis article will detail the exploitation and provide insights into the malware associated with these recent attacks.\r\nExploitation\r\nThe attacker initiates a connection to ActiveMQ through the OpenWire protocol, typically on port 61616. By\r\ntransmitting a crafted packet, the attacker triggers the system to unmarshal a class under their control. This action,\r\nin turn, prompts the vulnerable server to retrieve and load a class configuration XML file from a specified remote\r\nURL, requiring the presence of a predefined XML file hosted externally.\r\nThe known exploitation of this vulnerability involves leveraging the “ClassPathXmlApplicationContext” to load a\r\nmalicious XML application configuration file from a network location via HTTP. Figure 1 shows the captured\r\nattacking traffic. The malicious XML file defines the arbitrary code intended to execute on the compromised\r\nmachine. Attackers can set parameters like “cmd” or “bash” to achieve code execution on the remote vulnerable\r\nserver (Figure 2).\r\nhttps://www.fortinet.com/blog/threat-research/gotitan-botnet-exploitation-on-apache-activemq\r\nPage 1 of 21\n\nIn the following sections, we will explain how the malware works and what it does on infected systems.\r\nFigure 1: Attacking traffic for CVE-2023-46604\r\nFigure 2: Malicious XML files\r\nGoTitan\r\nFigure 3: GoTitan's XML file\r\nGoTitan is a new botnet discovered earlier this month. It is written in the Go programming language and is\r\ndownloaded from a malicious URL, “hxxp://91.92.242.14/main-linux-amd64s”. The attacker only provides\r\nbinaries for x64 architectures, and the malware performs some checks before running. 
It also creates a file named\r\n\"c.log\" that records the execution time and program status. This file seems to be a debug log for the developer,\r\nwhich suggests that GoTitan is still in an early stage of development.\r\nFigure 4: Save the log file\r\nIt replicates itself as “/.mod” within the system and establishes recurring execution by registering a cron entry. It\r\nthen retrieves the C2 IP address and gathers essential information about the compromised endpoint, including\r\narchitecture, memory, and CPU details. Compiling all the collected data using “\u003c==\u003e” as separators, it transmits\r\nits collected information to the C2 server. The C2 message begins with the hard-coded string “Titan\u003c==\u003e”.\r\nFigure 5: Construct C2 message\r\nFigure 6: C2 traffic session for GoTitan\r\nGoTitan communicates with its C2 server by sending “\\xFE\\xFE” as a heartbeat signal and waiting for further\r\ninstructions. When it receives a command, it passes it to a function named “handle_socket_func2” that determines\r\nan attack method. GoTitan supports ten different methods of launching distributed denial-of-service (DDoS)\r\nattacks: UDP, UDP HEX, TCP, TLS, RAW, HTTP GET, HTTP POST, HTTP HEAD, and HTTP PUT.\r\nSliver\r\nFigure 7: Sliver's XML file\r\nSliver, an open-source penetration testing tool developed in the Go language and available on GitHub, possesses\r\nthe potential for misuse when wielded by threat actors due to its diverse features catering to each stage of\r\npenetration testing. Threat actors can leverage Sliver to compromise and control multiple targets across various\r\nplatforms and architectures. 
The tool enables the generation of customized implants designed to elude detection,\r\nallowing for the execution of commands, file uploads and downloads, screenshot capture, and more on infected\r\nsystems.\r\nWhen communicating with the C2 server at “91[.]92[.]240[.]41” via HTTP requests, Sliver dynamically selects\r\ndecoders for C2 messages based on parameters in the URI. Additionally, Sliver supports various encoders,\r\nincluding Base32, Base58, Base64, English encoder, Gzip, Hex, and PNG. The encoded C2 communication in\r\nHTTP protocol is shown in Figure 8.\r\nFigure 8: C2 session for Sliver\r\nPrCtrl Rat\r\nFigure 9: PrCtrl Rat’s XML file\r\nThe attacker retrieves the execution file from “hxxp://199[.]231[.]186[.]249:8000/unifo.dat” and stores it as\r\n“svc_veeam.exe”. The file 'unifo.dat' is a .NET Framework program initially labeled as “prcli.exe” that was created\r\nin August and is still being spread via CVE-2023-46604. Figure 10 shows the PDB path and detailed information.\r\nFigure 10: Information for unifo.dat\r\nFor persistence, it adds a “Security Service” entry pointing to the current process under the registry key\r\n“HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run.”\r\nIt then starts the connection to the C2 server “173[.]214[.]167[.]155.” Once a command is received from the remote\r\nserver, it checks that the command length is four. If not, it exits the program. 
It supports five commands:\r\ncmdc: Running cmd.exe with a specific command and returning the result to the server.\r\nfile: Get file system information on a target system, such as drives, directories, and files.\r\nupld: Upload file.\r\ndnld: Download file.\r\nping: Heartbeat.\r\nAs of this writing, we have yet to receive any messages from the server, and the motive behind disseminating this\r\ntool remains unclear. However, once it infiltrates a user's environment, the remote server gains control over the\r\nsystem.\r\nKinsing\r\nFigure 11: Kinsing's XML file\r\nKinsing fetches the bash script from “194[.]38[.]22[.]53/acb.sh.” It serves the following purposes:\r\nSystem Configuration: Modifies system parameters, such as disabling the firewall, flushing iptables rules,\r\nand turning off the NMI watchdog.\r\nDependency Check: Verifies the existence of curl or wget and installs them if they are absent.\r\nProcess Cleanup: Terminates processes associated with specific executable names and competing miners.\r\nBinary Download and Verification: Downloads a main binary and a shared object file and then verifies the\r\nintegrity of the downloaded binary using an MD5 checksum.\r\nService Configuration: Creates a system service configuration file for the downloaded binary.\r\nCronjob Setting: Removes specific entries from the crontab related to known malicious activities. 
Adds a\r\nnew cronjob to periodically execute a command fetched from a remote server\r\n(hxxp://185[.]122[.]204[.]197/acb.sh).\r\nCleanup: Clears command history and removes bash history files.\r\nDdostf\r\nFigure 12: Ddostf's XML file\r\nThe batch script used by Ddostf is retrieved from “hxxp://42[.]121[.]111[.]112:81/xml.sh.” It configures the\r\nhistory log with “+o” to prevent the recording of the current session. It then installs curl to download additional\r\nexecutable files and removes any traces.\r\nFigure 13: Batch script for deploying Ddostf\r\nThe executable file “tomcat” includes the recognizable string “ddos.tf” and the Base64-encoded string for\r\n“v8.ter.tf.” Its characteristics align with those of a threat actor who had targeted China in 2018.\r\nFigure 14: Ddostf's binary data\r\nIt first verifies that it has root privilege and that the process is running on the device. It then ensures that it will\r\npersist on the device by executing the command shown in Figure 15.\r\nFigure 15: Ddostf's setting\r\nDdostf includes a hard-coded string, “TF-Linux kernel…,” which appends either “SYN-“ or “UDP-“ in its C2\r\nmessage, depending on whether the process runs with root privileges.\r\nFigure 16: Send C2 message\r\nDdostf incorporates 13 attack methods: SYN_Flood, WZSYN_Flood, ICMP_Flood, GET_Flood, GETFT_Flood,\r\nHEAD_Flood, POST_Flood, xzcc_Flood, TCP_Flood, WZTCP_Flood, ack_Flood, WZUDP_Flood, and\r\nUDP_Flood. 
Additionally, it defines a function called “DNS_Flood,” which is not included in the current switch\r\ncases and is possibly intended for future enhancements.\r\nFigure 17: DNS flood function\r\nConclusion\r\nDespite the release of a patch for CVE-2023-46604 over a month ago, threat actors persist in exploiting this\r\nvulnerability to distribute malware on susceptible servers. This blog introduces newly discovered threats,\r\nincluding the Golang-based botnet GoTitan and the .NET program “PrCtrl Rat,” which have emerged as a\r\nconsequence of this exploitation. Additionally, users should remain vigilant against ongoing exploits by Sliver,\r\nKinsing, and Ddostf. It is crucial to prioritize system updates and patching and regularly monitor security\r\nadvisories to effectively mitigate the risk of exploitation.\r\nFortinet Protections\r\nThe malware described in this report is detected and blocked by FortiGuard Antivirus as:\r\nXML/Agent.E2ED!tr\r\nBASH/Miner.BPH!tr\r\nBASH/Agent.5C93!tr\r\nELF/GoTitan.AR!tr\r\nLinux/Sliver.AE!tr\r\nELF/Ddostf.D!tr\r\nMSIL/Agent.F3D5!tr\r\nFortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard\r\nAntiVirus engine is a part of each of those solutions. As a result, customers who have these products with up-to-date protections are protected.\r\nFortinet has also released an IPS signature to proactively protect our customers from the threats contained in the\r\nreport:\r\nCVE-2023-46604: Apache.ActiveMQ.CVE-2023-46604.Code.Execution\r\nThe URLs are rated as “Malicious Websites” by the FortiGuard Web Filtering service.\r\nWe also suggest that organizations use Fortinet’s free NSE training module: NSE 1 – Information Security\r\nAwareness. 
This module is designed to help end users learn how to identify and protect themselves from phishing\r\nattacks.\r\nThe FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating\r\nmalicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative\r\ncompetitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile\r\nsources.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, please contact our Global\r\nFortiGuard Incident Response Team.\r\nIOCs\r\nIP List\r\nFiles\r\nSource: https://www.fortinet.com/blog/threat-research/gotitan-botnet-exploitation-on-apache-activemq",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/gotitan-botnet-exploitation-on-apache-activemq"
	],
	"report_names": [
		"gotitan-botnet-exploitation-on-apache-activemq"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a6c351ea-01f1-4c9b-af75-cfbb3b269ed3",
			"created_at": "2023-01-06T13:46:39.390649Z",
			"updated_at": "2026-04-10T02:00:03.311299Z",
			"deleted_at": null,
			"main_name": "Kinsing",
			"aliases": [
				"Money Libra"
			],
			"source_name": "MISPGALAXY:Kinsing",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439056,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/15124cd241e97aea5ae626b15070f6ca8fe9d6a7.pdf",
		"text": "https://archive.orkl.eu/15124cd241e97aea5ae626b15070f6ca8fe9d6a7.txt",
		"img": "https://archive.orkl.eu/15124cd241e97aea5ae626b15070f6ca8fe9d6a7.jpg"
	}
}