4 August 2022

Threat actors exploit Atlassian Confluence bug to install a never-before-seen backdoor

Analysts from the DeepWatch threat intelligence team have discovered a malicious campaign, which has “highly likely” exploited a vulnerability in Atlassian Confluence Server software.

The bug suspected to have been exploited is CVE-2022-26134, a remote code execution flaw affecting out-of-date versions of Confluence Server and Data Center, which stems from improper input validation when processing OGNL expressions.

“Organizations that conduct research in healthcare, education, international development, and environmental and agriculture, as well as provide technical services are likely targets of this threat actor,” the report noted.

In the observed campaign, a threat actor that DeepWatch tracks as TAC-040 appears to have exploited CVE-2022-26134 in an Atlassian Confluence server to execute malicious commands with a parent process of tomcat9.exe in Atlassian’s Confluence directory.

The attackers then ran various commands to enumerate the local system, network, and Active Directory environment, and archived files and folders from multiple directories using the RAR and 7zip archiver utilities. DeepWatch says the hackers managed to steal around 700 MB of archived data before the compromised server was taken offline by the victim.
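The two observations above (commands spawned under a parent of tomcat9.exe, and RAR/7zip archiving of data for exfiltration) translate directly into a process-lineage detection. The following is an added example, not code from DeepWatch or from the article: it scans process-creation events for a Confluence Tomcat parent spawning a shell, enumeration tool or archiver, and tags each hit for triage. The event structure, file paths and sample rows are constructed for illustration; the list of shell and enumeration binaries is an assumption about what "enumerate the local system, network, and Active Directory" looks like on a Windows host.

```python
# Added example (not from the DeepWatch report or the article): flag process
# creations where the Confluence web server process spawns a shell, an
# enumeration utility or an archiver. All sample data below is constructed.
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Parent image names treated as the Confluence web server (name from the article).
WEB_SERVER_PARENTS = {"tomcat9.exe"}

# Archiver names follow the article (RAR and 7zip); the shell/enumeration
# names are an assumption about typical Windows discovery commands.
ARCHIVERS = {"rar.exe", "7z.exe", "7za.exe"}
SHELLS_AND_ENUM = {
    "cmd.exe", "powershell.exe", "whoami.exe", "net.exe", "net1.exe",
    "ipconfig.exe", "nltest.exe", "systeminfo.exe",
}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (fields modelled on Sysmon/EDR telemetry)."""
    timestamp: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: ProcessEvent) -> str:
    """Return 'archiver', 'shell_or_enum', or '' (benign) for one event.

    Only children of the Confluence Tomcat process are considered, so an
    administrator running cmd.exe from explorer.exe is not flagged.
    """
    if _basename(event.parent_image) not in WEB_SERVER_PARENTS:
        return ""
    child = _basename(event.image)
    if child in ARCHIVERS:
        return "archiver"
    if child in SHELLS_AND_ENUM:
        return "shell_or_enum"
    return ""


def find_suspicious(events: Iterable[ProcessEvent]) -> List[Tuple[str, ProcessEvent]]:
    """Return (category, event) pairs for every event that classify() flags."""
    hits = []
    for event in events:
        category = classify(event)
        if category:
            hits.append((category, event))
    return hits


# Constructed sample telemetry; paths and command lines are illustrative only.
CONFLUENCE_BIN = r"C:\Atlassian\Confluence\bin"
SAMPLE_EVENTS = [
    ProcessEvent("2022-07-01T10:00:01Z", CONFLUENCE_BIN + r"\tomcat9.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("2022-07-01T10:00:02Z", CONFLUENCE_BIN + r"\tomcat9.exe",
                 r"C:\Windows\System32\conhost.exe", "conhost.exe 0x4"),
    ProcessEvent("2022-07-01T10:01:10Z", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcessEvent("2022-07-01T10:05:30Z", CONFLUENCE_BIN + r"\tomcat9.exe",
                 r"C:\Windows\System32\net.exe", 'net group "Domain Admins" /domain'),
    ProcessEvent("2022-07-01T10:20:00Z", CONFLUENCE_BIN + r"\tomcat9.exe",
                 r"C:\Tools\rar.exe", r"rar.exe a C:\Temp\out.rar C:\Shares\Research"),
]


if __name__ == "__main__":
    for category, event in find_suspicious(SAMPLE_EVENTS):
        print(f"{event.timestamp} [{category}] {_basename(event.parent_image)}"
              f" -> {event.command_line}")
```

Running the block prints three hits: the cmd.exe and net.exe children as shell_or_enum and the rar.exe child as archiver, while conhost.exe under Tomcat and cmd.exe under explorer.exe are ignored. In production the parent set would be extended to whatever service wrapper actually hosts Confluence on the estate, and the archiver hit in particular deserves a separate, higher-severity alert because it precedes the data staging the article describes.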

The attackers have also planted a previously undocumented backdoor, dubbed “Ljl Backdoor,” onto the compromised server. The backdoor has multiple capabilities, such as the ability to act as a reverse proxy, determine whether the target is active or idle, exfiltrate files, load additional plugins, collect victim system and geographic information (asn, isp, country name, country code, region name, etc.).

The researchers believe that the goal of this campaign was cyber-espionage, but they said they can’t completely rule out the possibility that the attackers were financially motivated.
