{
	"id": "8a438837-0861-4b1c-b168-c2693163597e",
	"created_at": "2026-04-06T00:18:46.265707Z",
	"updated_at": "2026-04-10T03:37:40.644701Z",
	"deleted_at": null,
	"sha1_hash": "cab1d334efc14a7e9238a6349486de0763d4e0ab",
	"title": "Circumstances of the Andariel Group Exploiting an Apache ActiveMQ Vulnerability (CVE-2023-46604) - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 565951,
	"plain_text": "Circumstances of the Andariel Group Exploiting an Apache ActiveMQ Vulnerability (CVE-2023-46604) - ASEC\r\nBy ATCP\r\nPublished: 2023-11-16 · Archived: 2026-04-05 14:41:59 UTC\r\nWhile monitoring recent attacks by the Andariel threat group, AhnLab Security Emergency response Center (ASEC) discovered an attack case in which the group is assumed to be exploiting the Apache ActiveMQ remote code execution vulnerability (CVE-2023-46604) to install malware.\r\nThe Andariel threat group usually targets South Korean companies and institutions, and the group is known to be either in a cooperative relationship with the Lazarus threat group or a subsidiary group of Lazarus. Their attacks against South Korea were first identified in 2008, and their main targets include national defense, political organizations, shipbuilding, energy, and telecommunications. Other South Korean companies and institutions that were targeted include universities, logistics, and ICT companies. [1] (This link is only available in Korean.)\r\nThe Andariel threat group has employed spear phishing, watering hole, and supply chain attacks in the past [2]. Recently, cases have been identified where the group exploits the Log4Shell vulnerability [3], targets poorly managed MS-SQL servers, or abuses legitimate software. [4]\r\nThere are no direct logs as of now, but it is assumed that the Andariel group is exploiting a remote code execution vulnerability in Apache ActiveMQ servers to install the NukeSped and TigerRat backdoors. This post provides a summary of the cases of attacks against Apache ActiveMQ servers and the grounds on which the Andariel group is suspected of abusing this vulnerability in its attacks.\r\n1. Cases of Attacks Exploiting Apache ActiveMQ Vulnerability\r\nCVE-2023-46604 is a remote code execution vulnerability in Apache ActiveMQ, an open-source messaging and integration pattern server. If an unpatched Apache ActiveMQ server is exposed externally, the threat actor can execute malicious commands remotely and take control of the system.\r\nVarious threat actors have been exploiting this vulnerability to install malware since information on it was revealed. One major example is the case of HelloKitty ransomware attacks covered by Rapid7. [5] This case was also discovered in the AhnLab Smart Defense (ASD) logs, which means that systems in South Korea are also becoming targets of CVE-2023-46604 vulnerability attacks.\r\nhttps://asec.ahnlab.com/en/59318/\r\nPage 1 of 9\r\nFigure 1. Logs of attempting to install HelloKitty ransomware\r\nWhile monitoring attacks by the Andariel group, ASEC found NukeSped, a backdoor that the Andariel group has been using for a long time, installed in a certain system. Investigations revealed that an Apache ActiveMQ server was installed in this system, and it was confirmed that there were various attack logs from late October, when information on the CVE-2023-46604 vulnerability was released, including those involving the HelloKitty ransomware.\r\nFigure 2. Various attack logs found in the infected system\r\nThe threat actor used the following malicious Java class file during the vulnerability attack process. This malware ultimately downloads and installs an additional payload in Windows or Linux environments. This malware also appeared in a case in a recent report by Huntress. [6]\r\nFigure 3. Malicious Java class file that acts as a downloader\r\nAside from these known attacks, CobaltStrike and Metasploit Meterpreter’s Stager installation logs were also found. Based on this evidence, it can be assumed that although it has not been long since information regarding the CVE-2023-46604 vulnerability was revealed, unpatched systems have already become targets of numerous attacks in this short period.\r\nFigure 4. Metasploit Meterpreter’s Stager installation log\r\nFigure 5. CobaltStrike Beacon configuration data by CobaltStrikeParser [7]\r\n2. NukeSped Malware – Andariel Group\r\n2.1. Circumstances of an Attack Exploiting CVE-2023-46604 Vulnerability\r\nWhile analyzing systems in which Apache ActiveMQ was attacked, a system with the NukeSped backdoor used by the Andariel group was found. Although there were no direct logs showing that NukeSped was installed through exploitation of the CVE-2023-46604 vulnerability, there is a possibility that the Andariel group exploited the CVE-2023-46604 vulnerability for the attack, considering that no attacks other than the exploitation were confirmed and that the malware installation log was confirmed while the attacks were ongoing.\r\nThe analyzed system had repeatedly become a target of attacks since late October, when the first attack exploiting the CVE-2023-46604 vulnerability was discovered. In particular, seeing that the HelloKitty ransomware mentioned in the Rapid7 report and the downloader mentioned in the Huntress report were detected together, it is deemed to be a vulnerable Apache ActiveMQ server. While no specific malware was mentioned in the Huntress report, a case was covered where a malicious payload was installed from the URL “hxxp://27.102.128[.]152:8098/bit[.]ico” through exploitation of the CVE-2023-46604 vulnerability.\r\nThis address, covered in a past blog post, corresponds to the URL from which TigerRat was downloaded. It is also the address from which the “oracle” malware in the following log was downloaded, as well as the C\u0026C server URL. While the malware files were not collected, TigerRat was installed under the names “rang.exe” and “load.exe”.\r\nFigure 6. URL used to install TigerRat\r\nThe Andariel group has also often used disclosed vulnerabilities such as the Log4Shell and TeamCity vulnerabilities [8] in its past attacks.\r\n2.2. NukeSped Backdoor\r\nNukeSped is a backdoor that can control the infected system through commands received from the C\u0026C server. It is usually used by the Lazarus and Andariel groups to control infected systems. The NukeSped used in these attacks is similar to “NukeSped Variant – Type 1” covered in the past blog post “Circumstances of an Attack Exploiting an Asset Management Program (Andariel Group)”.\r\nThe NukeSped version used in the recent attacks supports only three commands: downloading files, executing commands, and terminating running processes. Although the NukeSped used in previous attack cases supported a much wider range of commands, most other features are the same.\r\nLike typical NukeSped types, all the API addresses and strings to be used are encrypted, then decrypted and used at runtime. The encryption method is a 1-byte XOR algorithm with the key value 0xA1. Besides 0xA1, key values 0x97 and 0xAB were also used in past attack cases.\r\nFigure 7. XOR-encrypted string using the 0xA1 key\r\nWhen NukeSped first connects to the C2, it sends an HTTP request in the following format.\r\nFigure 8. Packet upon the first connection to the C\u0026C server\r\nHTTP Request Header | Value | Description\r\nSec-Fetch-Mode | 10 (0x0A) | Initial connection\r\nSec-Fetch-User | S-[Computer Name] | Computer name of the infected system\r\nSec-Fetch-Dest | 01 | Initial connection\r\nTable 1. Format upon the first connection to the C\u0026C server\r\nAfterwards, an HTTP response is received from the C\u0026C server, and each of the strings in the following table is checked. If any string exists in the response, the value of “Sec-Fetch-Mode:” is recognized as a command and subsequent routines are executed.\r\nHTTP Response Header | Description\r\n“HTTP/1.1 200 OK Content-Type: text/html ” | Default response format\r\n“Sec-Fetch-Mode:” | Command\r\n“Content-Length:” | Command length\r\nTable 2. Format of commands received from the C\u0026C server\r\nThe following three commands are supported. The only actually available actions are downloading files from the C\u0026C server, executing commands received from the C\u0026C, and returning their results.\r\nCommand | Feature\r\n30 (0x1E) | Downloading commands\r\n33 (0x21) | Executing commands and returning their results\r\n34 (0x22) | Terminating running processes\r\nTable 3. Commands supported by NukeSped\r\nDuring the initial communication with the C\u0026C server, the POST method was used, but a GET method disguised as a visit to Google was used to transmit the results of executing commands received from the C\u0026C and any command execution failure messages.\r\nFigure 9. Response packet with a command execution failure message\r\nSec-Fetch-Mode | Details\r\n10 (0x0A) | Initial connection\r\n30 (0x1E) | Command execution results\r\n35 (0x23) | Command execution failure message\r\nTable 4. Format when sending the command execution results\r\nWhen a connection to the C\u0026C server is not established properly, auto-deletion is executed using a batch file, similar to ordinary NukeSped backdoors. The batch file used for auto-deletion is created in the “%TEMP%uninst.bat” path.\r\nFigure 10. Batch file used for auto-deletion\r\n3. Conclusion\r\nAlong with the Kimsuky and Lazarus groups, the Andariel group is one of the threat groups that actively target South Korea. In the early days they attempted attacks to obtain information related to national security, but they now attempt attacks for financial gain as well. [8] (This report supports Korean only for now.) Although they mostly use spear phishing or watering hole attacks for initial infiltration, there are also cases where the group exploits vulnerabilities such as Log4Shell or TeamCity to install malware. Recently, there has been evidence of the group exploiting the Apache ActiveMQ remote code execution vulnerability (CVE-2023-46604) to install malware.\r\nUsers should be cautious with email attachments and executable files downloaded from unknown sources, and corporate security personnel should enhance asset management programs and apply patches if there are security vulnerabilities in those programs. Users should also apply the latest patches for the OS and programs such as internet browsers, and update V3 to the latest version to prevent such malware infections in advance.\r\nFile Detection\r\n– Trojan/Win32.Dynamer.R162477 (2015.08.19.00)\r\n– Trojan/Win64.CobaltStrike.R356638 (2020.11.26.05)\r\n– Backdoor/Win.NukeSped.C5542399 (2023.11.16.01)\r\n– Trojan/Win.Generic.C5483470 (2023.09.08.03)\r\n– Trojan/Win.Generic.C5532844 (2023.10.28.01)\r\n– Backdoor/Win.TigerRAT.C5517634 (2023.10.19.03)\r\n– Trojan/CLASS.Agent (2023.11.03.00)\r\n– Dropper/MSI.Agent (2023.11.17.03)\r\nBehavior Detection\r\n– Malware/MDP.Download.M1900\r\n– Ransom/MDP.Command.M2255\r\nMD5\r\n11ec319e9984a71d80df1302fe77332d\r\n160f7d2307bbc0e8a1b6ac03b8715e4f\r\n26ff72b0b85e764400724e442c164046\r\n31cbc75319ea60f45eb114c2faad21f9\r\n478dcb54e0a610a160a079656b9582de\r\nAdditional IOCs are available on AhnLab TIP.\r\nURL\r\nhttp[:]//137[.]175[.]17[.]172[:]1443/ac3[.]jar\r\nhttp[:]//137[.]175[.]17[.]172[:]1443/agent\r\nhttp[:]//137[.]175[.]17[.]172[:]1443/agent_w\r\nhttp[:]//137[.]175[.]17[.]172[:]41334/\r\nhttp[:]//137[.]175[.]17[.]221[:]1443/ac[.]jar\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/59318/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/59318/"
	],
	"report_names": [
		"59318"
	],
	"threat_actors": [
		{
			"id": "838f6ced-12a4-4893-991a-36d231d96efd",
			"created_at": "2022-10-25T15:50:23.347455Z",
			"updated_at": "2026-04-10T02:00:05.295717Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"Andariel",
				"Silent Chollima",
				"PLUTONIUM",
				"Onyx Sleet"
			],
			"source_name": "MITRE:Andariel",
			"tools": [
				"Rifdoor",
				"gh0st RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "110e7160-a8cc-4a66-8550-f19f7d418117",
			"created_at": "2023-01-06T13:46:38.427592Z",
			"updated_at": "2026-04-10T02:00:02.969896Z",
			"deleted_at": null,
			"main_name": "Silent Chollima",
			"aliases": [
				"Onyx Sleet",
				"PLUTONIUM",
				"OperationTroy",
				"Guardian of Peace",
				"GOP",
				"WHOis Team",
				"Andariel",
				"Subgroup: Andariel"
			],
			"source_name": "MISPGALAXY:Silent Chollima",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bc6e3644-3249-44f3-a277-354b7966dd1b",
			"created_at": "2022-10-25T16:07:23.760559Z",
			"updated_at": "2026-04-10T02:00:04.741239Z",
			"deleted_at": null,
			"main_name": "Andariel",
			"aliases": [
				"APT 45",
				"Andariel",
				"G0138",
				"Jumpy Pisces",
				"Onyx Sleet",
				"Operation BLACKMINE",
				"Operation BLACKSHEEP/Phase 3.",
				"Operation Blacksmith",
				"Operation DESERTWOLF/Phase 3",
				"Operation GHOSTRAT",
				"Operation GoldenAxe",
				"Operation INITROY/Phase 1",
				"Operation INITROY/Phase 2",
				"Operation Mayday",
				"Operation VANXATM",
				"Operation XEDA",
				"Plutonium",
				"Silent Chollima",
				"Stonefly"
			],
			"source_name": "ETDA:Andariel",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "771d9263-076e-4b6e-bd58-92b6555eb739",
			"created_at": "2025-08-07T02:03:25.092436Z",
			"updated_at": "2026-04-10T02:00:03.758541Z",
			"deleted_at": null,
			"main_name": "NICKEL HYATT",
			"aliases": [
				"APT45 ",
				"Andariel",
				"Dark Seoul",
				"Jumpy Pisces ",
				"Onyx Sleet ",
				"RIFLE Campaign",
				"Silent Chollima ",
				"Stonefly ",
				"UN614 "
			],
			"source_name": "Secureworks:NICKEL HYATT",
			"tools": [
				"ActiveX 0-day",
				"DTrack",
				"HazyLoad",
				"HotCriossant",
				"Rifle",
				"UnitBot",
				"Valefor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434726,
	"ts_updated_at": 1775792260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cab1d334efc14a7e9238a6349486de0763d4e0ab.pdf",
		"text": "https://archive.orkl.eu/cab1d334efc14a7e9238a6349486de0763d4e0ab.txt",
		"img": "https://archive.orkl.eu/cab1d334efc14a7e9238a6349486de0763d4e0ab.jpg"
	}
}