{
	"id": "8f6cb144-2c69-41bb-8ce8-30e18d9628e4",
	"created_at": "2026-04-06T00:12:24.633317Z",
	"updated_at": "2026-04-10T13:12:09.492978Z",
	"deleted_at": null,
	"sha1_hash": "1f19d02f56c7877c675714f6f03bbd5ba1e929aa",
	"title": "New Linux malware Hadooken targets Oracle WebLogic servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1643926,
	"plain_text": "New Linux malware Hadooken targets Oracle WebLogic servers\r\nBy Bill Toulas\r\nPublished: 2024-09-13 · Archived: 2026-04-05 14:32:41 UTC\r\nHackers are targeting Oracle WebLogic servers to infect them with a new Linux malware named \"Hadooken,\" which launches a cryptominer and a tool for distributed denial-of-service (DDoS) attacks.\r\nThe access obtained may also be used to execute ransomware attacks on Windows systems.\r\nResearchers at container security solution company Aqua Security observed such an attack on a honeypot, which the threat actor breached due to weak credentials.\r\nhttps://www.bleepingcomputer.com/news/security/new-linux-malware-hadooken-targets-oracle-weblogic-servers/\r\nPage 1 of 5\r\nOracle WebLogic Server is an enterprise-level Java EE application server used for building, deploying, and managing large-scale, distributed applications.\r\nThe product is commonly used in banking and financial services, e-commerce, telecommunications, government organizations, and public services.\r\nAttackers target WebLogic due to its popularity in business-critical environments that typically enjoy rich processing resources, making them ideal for cryptomining and DDoS attacks.\r\nHadooken hitting hard\r\nOnce the attackers breach an environment and get sufficient privileges, they download a shell script named \"c\" and a Python script named \"y.\"\r\nThe two scripts both drop Hadooken, but the shell script also tries to look for SSH data in various directories and uses the info to attack known servers, the researchers say.\r\nAdditionally, 'c' moves laterally on the network to distribute Hadooken.\r\nSearching known hosts for SSH keys\r\nSource: Aquasec\r\nHadooken, in turn, drops and executes a cryptominer and the Tsunami malware and then sets up multiple cron jobs with randomized names and payload execution frequencies.\r\nTsunami is a Linux DDoS botnet malware that infects vulnerable SSH servers through brute-force attacks on weak passwords.\r\nAttackers have previously used Tsunami to launch DDoS attacks and to remotely control compromised servers, and it has also been seen deployed alongside Monero miners.\r\nAqua Security researchers highlight Hadooken's practice of renaming the malicious services as '-bash' or '-java' to mimic legitimate processes and blend in with normal operations.\r\nOnce this process is completed, system logs are wiped to remove the signs of malicious activity, making discovery and forensic analysis harder.\r\nStatic analysis of the Hadooken binary uncovered links to the RHOMBUS and NoEscape ransomware families, though no ransomware modules were deployed in the observed attacks.\r\nThe researchers hypothesize that the server access may be used to deploy ransomware under certain conditions, like after the operators carry out manual checks. It's also possible that the ability will be introduced in a future release.\r\nHadooken attack overview\r\nSource: Aquasec\r\nFurthermore, on one of the servers delivering Hadooken (89.185.85[.]102), the researchers discovered a PowerShell script that downloaded the Mallox ransomware for Windows.\r\nThere are some reports that this IP address is used to disseminate this ransomware, thus we can assume that the threat actor is targeting both Windows endpoints to execute a ransomware attack, but also Linux servers to target software often used by big organizations to launch backdoors and cryptominers - Aqua Security\r\nBased on the researchers' findings using the Shodan search engine for internet-connected devices, there are more than 230,000 WebLogic servers on the public web.\r\nA comprehensive list of defense measures and mitigations is present in the final section of Aqua Security's report.\r\nSource: https://www.bleepingcomputer.com/news/security/new-linux-malware-hadooken-targets-oracle-weblogic-servers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-linux-malware-hadooken-targets-oracle-weblogic-servers/"
	],
	"report_names": [
		"new-linux-malware-hadooken-targets-oracle-weblogic-servers"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434344,
	"ts_updated_at": 1775826729,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1f19d02f56c7877c675714f6f03bbd5ba1e929aa.pdf",
		"text": "https://archive.orkl.eu/1f19d02f56c7877c675714f6f03bbd5ba1e929aa.txt",
		"img": "https://archive.orkl.eu/1f19d02f56c7877c675714f6f03bbd5ba1e929aa.jpg"
	}
}