{
	"id": "e8248776-0a1e-4faf-a801-b451339bdaac",
	"created_at": "2026-04-06T00:14:13.718545Z",
	"updated_at": "2026-04-10T03:27:04.750619Z",
	"deleted_at": null,
	"sha1_hash": "3358b83deb8f0749da9bb8c7d5a27acd3fedfec7",
	"title": "Hadooken Malware Targets Weblogic Applications",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4546207,
	"plain_text": "Hadooken Malware Targets Weblogic Applications\r\nBy Assaf Morag\r\nPublished: 2024-09-12 · Archived: 2026-04-05 20:22:47 UTC\r\nAqua Nautilus researchers identified a new Linux malware targeting Weblogic servers. The main payload calls\r\nitself Hadooken, which we think refers to the “surge fist” attack in the Street Fighter series. When Hadooken\r\nis executed, it drops Tsunami malware and deploys a cryptominer. In this blog, we explain the malware, its\r\ncomponents, and how we detected it.\r\nAbout Oracle Weblogic server\r\nWebLogic Server is an enterprise-level Java EE application server developed by Oracle, used for building,\r\ndeploying, and managing large-scale, distributed applications. It’s commonly used in banking, e-commerce, and\r\nbusiness-critical systems due to its support for Java technologies, transaction management, and scalability.\r\nHowever, WebLogic is a frequent target for cyberattacks due to vulnerabilities such as deserialization flaws and\r\nimproper access controls. Misconfigurations, like weak credentials or exposed admin consoles, can lead to remote\r\ncode execution (RCE), privilege escalation, and data breaches if not properly patched or secured.\r\nThe Attack Flow\r\nOur Weblogic honeypots expose both vulnerabilities and a weak password. In this case the threat actor exploited\r\nthe weak password to gain initial access and remote code execution.\r\nBelow you can see the entire attack flow:\r\nhttps://www.aquasec.com/blog/hadooken-malware-targets-weblogic-applications/\r\nPage 1 of 13\n\nFigure 1: The entire attack flow\r\nIn figure 2 below you can see the malicious remote code executed after the initial access. The primary payload is\r\ndownloaded by way of two scripts that do almost the same thing: a shell script called ‘c’ and a Python\r\nscript called ‘y’.\r\nFigure 2: The malicious remote code executed\r\nIn figure 3 below, you can see the decoded base64 part of the initial payload.
So it looks like the threat actors are\r\nfalling back to Python in case the ‘c’ shell script won’t run on the server they just attacked.\r\nFigure 3: The encoded snippet in figure 2\r\nAs illustrated below, the Python script (‘y’) attempts to download malware called Hadooken (MD5:\r\ncdf3fce392df6fbb3448c5d26c8d053e), preferably into a non-persistent temporary directory. This Python code\r\niterates over several paths, trying to download and run the Hadooken malware and then delete the file.\r\nFigure 4: The Python script ‘y’\r\nThe shell script downloads the Hadooken malware only to the ‘/tmp’ directory, executes it and then deletes it.\r\nFigure 5: Downloading, executing and deleting Hadooken malware\r\nIn addition, the shell script version attempts to iterate over various directories containing SSH data (such as user\r\ncredentials, host information, and secrets) and uses this information to attack known servers. It then moves\r\nlaterally across the organization or connected environments to further spread the Hadooken malware.\r\nFigure 6: Seeking SSH data and attacking known hosts\r\nLastly, it clears logs.\r\nFigure 7: Log deletion\r\nThe Hadooken malware itself contains both a cryptominer and Tsunami malware. When Hadooken malware is\r\nexecuted, it drops two ELF files. The first file is a packed cryptominer (MD5:\r\nb9f096559e923787ebb1288c93ce2902) dropped into 3 paths under 3 different names: ‘/usr/bin/crondr’,\r\n‘/usr/bin/bprofr’ and ‘/mnt/-java’.\r\nAfter unpacking, the MD5 of the cryptominer is 9bea7389b633c331e706995ed4b3999c.\r\nThe second file is Tsunami malware (MD5: 8eef5aa6fa9859c71b55c1039f02d2e6); after a random name is\r\ngenerated, it is dropped to ‘/tmp/\u003c\u003crandom\u003e\u003e’.
We haven’t seen any indication that the attacker is using the\r\nTsunami malware during the attack. Nevertheless, it could be used later on during the attack.\r\nIn addition, the malware creates multiple cron jobs to maintain persistence: cron jobs with random\r\nnames at various frequencies (hourly, daily, weekly and monthly), saved as execution scripts under the different\r\ncron directories:\r\n‘/etc/cron.\u003c\u003cPeriod\u003e\u003e/\u003c\u003cRandom String\u003e\u003e’.\r\nBelow you can see that it renames the cryptominer (‘crondr’) as ‘-bash’ and executes it.\r\nFigure 8: The cron job periodically executes the cryptominer ‘crondr’\r\nAdditional Threat Intelligence\r\nTwo IP addresses are used to download the Hadooken malware (89.185.85.102 and 185.174.136.204). The first one\r\n(89.185.85.102) is still active; it is registered in Germany under the hosting company ‘Aeza International LTD’. In\r\nthe past this IP address was linked to TeamTNT and Gang 8220, but this weak link cannot attribute this attack to\r\nany of these threat actors. The second IP address (185.174.136.204) is inactive and registered in Russia under the\r\nhosting company ‘AEZA GROUP Ltd’.\r\nOn server 89.185.85.102 we also found a PowerShell script named b.ps1 (MD5: c1897ea9457343bd8e73f98a1d85a38f),\r\nwhich distributes the Windows ransomware ‘Mallox’ (MD5: 4a12098c3799ce17d6d59df86ed1a5b6). There are\r\nsome reports that this IP address is used to disseminate this ransomware, so we can assume that the threat actor\r\nis targeting both Windows endpoints, to execute ransomware attacks, and Linux servers running software\r\noften used by big organizations, to launch backdoors and cryptominers.\r\nFigure 9: The PowerShell script b.ps1\r\nIt’s worth mentioning that during our static analysis of the Hadooken binary we found some links to the\r\nRHOMBUS and NoEscape ransomware.
But the dynamic analysis showed that this code was not used. It could be that the\r\nthreat actor will introduce Linux ransomware into this attack as well, or that it is already introduced if the malware\r\nruns on the system longer than a sandbox execution.\r\nA search in Shodan (a search engine for finding internet-connected devices and systems) suggests that there are\r\nover 230K internet-connected Weblogic servers. A further analysis shows that most of them are protected, which is\r\nvery good. We saw a few hundred internet-connected Weblogic server administration consoles. These may be\r\nexposed to attacks that exploit vulnerabilities and misconfigurations.\r\nMapping the attack to the MITRE ATT\u0026CK Framework\r\nOur investigation showed that the attackers have been using some common techniques throughout the attack. Here\r\nwe map each component of the attack to the corresponding techniques of the MITRE ATT\u0026CK framework:\r\nInitial Access\r\nExploit Public-Facing Application: Exploiting vulnerable WebLogic servers by taking advantage of weak\r\ncredentials to gain access.\r\nExecution\r\nCommand and Scripting Interpreter – Unix Shell: The use of a shell script (`c`) for malicious execution.\r\nCommand and Scripting Interpreter – Python: The use of a Python script (`y`) for malicious execution.\r\nCommand and Scripting Interpreter – PowerShell: The PowerShell script `b.ps1` used to distribute malware\r\n(Mallox ransomware).\r\nPersistence\r\nCreate or Modify System Process – Cron: Use of cron jobs to maintain persistence by executing malicious\r\npayloads periodically.\r\nDefense Evasion\r\nMasquerading – Task or Service: Use of known names such as -java, -bash.\r\nObfuscated Files or Information: Use of base64-encoded payloads to avoid detection.
\r\nIndicator Removal on Host: Deleting logs after executing malicious activities.\r\nCredential Access\r\nBrute Force: The initial access is gained via a successful brute force against the Weblogic administration panel.\r\nLateral Movement\r\nRemote Service Session Hijacking – SSH Hijacking: Iterating over SSH keys to move laterally across the\r\nnetwork.\r\nImpact\r\nResource Hijacking: Running a cryptominer as part of the Hadooken malware.\r\nData Encrypted for Impact: Potential use of ransomware like RHOMBUS and NoEscape in future versions\r\nof the attack.\r\nDetection and Mitigation\r\nIn this blog we explained the Hadooken malware and how it exploited a misconfiguration to gain initial access\r\nto our honeypot Weblogic server. There are several tools and best practices to help find and prevent\r\nmisconfigurations in cloud native development. These tools typically focus on areas such as infrastructure as code\r\n(IaC), container security, Kubernetes, cloud service configurations, and runtime environments.\r\n1. Infrastructure as Code (IaC) Scanning Tools: These tools (like Aqua Trivy) analyze IaC templates like\r\nTerraform, CloudFormation, or Kubernetes YAML files for potential misconfigurations before deployment.\r\n2. Cloud Security Posture Management (CSPM) Tools: CSPM tools (such as in the Aqua-Orca integrated\r\noffering) are used to scan cloud configurations for potential misconfigurations, compliance violations, or\r\nsecurity risks across various cloud services (e.g., AWS, Azure, GCP).\r\n3. Kubernetes Security and Configuration Tools: Kubernetes clusters are a critical part of cloud-native\r\narchitectures, and tools exist to scan for potential misconfigurations in clusters, pods, and deployments. For\r\ninstance:\r\n1. Trivy: Scans Kubernetes clusters for compliance with security best practices, including\r\nmisconfiguration, hardening, cluster vulnerabilities and more. Also checks compliance with CIS\r\n(Center for Internet Security) Kubernetes benchmarks and NSA (National Security Agency) security\r\nguidelines.\r\n2. Kube-Bench: Checks whether Kubernetes is deployed securely by running the CIS (Center for\r\nInternet Security) Kubernetes Benchmark.\r\n4. Container Security Tools: Containers are at the heart of cloud-native development, and their\r\nconfigurations, including Dockerfiles and container images, need to be checked for security flaws. Aqua\r\nTrivy is a simple and comprehensive vulnerability scanner for container images and file systems, checking\r\nfor misconfigurations and vulnerabilities.\r\n5. Runtime Security Tools: These tools monitor running cloud-native applications and services to detect\r\nmisconfigurations, anomalies, or suspicious behavior in real time. Aqua Tracee is an eBPF-based runtime\r\nsecurity tool that monitors Linux environments including Kubernetes and containerized environments for\r\nruntime security threats.\r\nThe Aqua Platform is a single, integrated solution that enables organizations to secure every cloud native\r\napplication everywhere. The platform protects cloud native applications from known, unknown and unexpected\r\nthreats, such as misconfigurations and, in this case, a newly discovered malware. Aqua combines proactive and\r\nreactive security capabilities with context from the code commit to runtime stages.\r\nThe Aqua Platform includes a single, universal scanner powered by Aqua Trivy to detect known vulnerabilities,\r\nconcealed malware, hidden secrets, configuration errors, and open-source license issues. In runtime, Aqua can\r\ndetect and alert if a suspicious or malicious action is taking place.
In this instance, Aqua discovered 16 suspicious\r\nincidents illustrating various malicious milestones during the attack recorded on our honeypot. As you can see in\r\nFigure 10 below, Aqua detected indications of drift, file unpacking, and cryptominer execution.\r\nFigure 10: Incidents view in the Aqua Platform\r\nWhen carefully observing the timeline that preceded the cryptomining execution, we can see, just as we explained\r\nabove, that Hadooken malware drops ‘/mnt/-java’. In figure 11 below you can see a detection of drift, where -java is\r\nthe process name, and below it in the raw data you can see the execution command.\r\nFigure 11: Timeline view in the Aqua Platform\r\nAnother detection on this timeline is the unpacking of -java right after the execution.\r\nFigure 12: Timeline view in the Aqua Platform\r\nIn figure 13 below we can also observe how -java copies itself and saves itself under several other paths.\r\nFigure 13: Timeline view in the Aqua Platform\r\nIn the Aqua Platform, you can observe the audit logs, which are helpful for incident response teams to continue their\r\ninvestigation into breaches.
\r\nFigure 14: Audit logs in the Aqua Platform\r\nIndicators of Compromise (IOCs)\r\nType Value Comment\r\nIP Addresses\r\nIP Addresses 185.174.136.204 Attacker IP\r\nIP Addresses 89.185.85.102 Attacker IP\r\nFiles\r\nBinary file MD5: cdf3fce392df6fbb3448c5d26c8d053e Hadooken malware\r\nBinary file MD5: 4a12098c3799ce17d6d59df86ed1a5b6 Mallox malware\r\nBinary file MD5: b9f096559e923787ebb1288c93ce2902 Packed Cryptominer\r\nBinary file MD5: 9bea7389b633c331e706995ed4b3999c Unpacked Cryptominer\r\nBinary file MD5: 8eef5aa6fa9859c71b55c1039f02d2e6 Tsunami malware\r\nPowerShell script MD5: c1897ea9457343bd8e73f98a1d85a38f b.ps1\r\nShell script MD5: 249871cb1c396241c9fcd0fd8f9ad2ae c\r\nPython script MD5: 73d96a4316182cd6417bdab86d4df1fc y\r\nAssaf is the Director of Threat Intelligence at Aqua Nautilus. He is responsible for acquiring threat intelligence\r\nrelated to the software development life cycle in cloud native environments, supports the team's data needs, and helps\r\nAqua and the ecosystem remain at the forefront of emerging threats and protective methodologies. His research\r\nhas been featured in leading information security publications and journals worldwide, and he has presented at\r\nleading cybersecurity conferences. Notably, Assaf has also contributed to the development of the new MITRE\r\nATT\u0026CK Container Framework.\r\nAssaf is leading an O’Reilly course, focusing on cyber threat intelligence in cloud-native environments.
The\r\ncourse covers both theoretical concepts and practical applications, providing valuable insights into the unique\r\nchallenges and strategies associated with securing cloud-native infrastructures.\r\nSource: https://www.aquasec.com/blog/hadooken-malware-targets-weblogic-applications/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.aquasec.com/blog/hadooken-malware-targets-weblogic-applications/"
	],
	"report_names": [
		"hadooken-malware-targets-weblogic-applications"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f809bfcb-b200-4988-80a8-be78ef6a52ef",
			"created_at": "2023-01-06T13:46:39.186988Z",
			"updated_at": "2026-04-10T02:00:03.240002Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"Adept Libra"
			],
			"source_name": "MISPGALAXY:TeamTNT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3ca592f-0669-49bd-ab5c-310007ab2fb4",
			"created_at": "2022-10-25T15:50:23.334495Z",
			"updated_at": "2026-04-10T02:00:05.264841Z",
			"deleted_at": null,
			"main_name": "TeamTNT",
			"aliases": [
				"TeamTNT"
			],
			"source_name": "MITRE:TeamTNT",
			"tools": [
				"Peirates",
				"MimiPenguin",
				"LaZagne",
				"Hildegard"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434453,
	"ts_updated_at": 1775791624,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3358b83deb8f0749da9bb8c7d5a27acd3fedfec7.pdf",
		"text": "https://archive.orkl.eu/3358b83deb8f0749da9bb8c7d5a27acd3fedfec7.txt",
		"img": "https://archive.orkl.eu/3358b83deb8f0749da9bb8c7d5a27acd3fedfec7.jpg"
	}
}