New GoTitan botnet exploits recently patched Apache ActiveMQ flaw

Multiple threat actors have been observed exploiting a recently patched critical vulnerability in Apache ActiveMQ to disseminate several malware strains, including Sliver, Kinsing, and Ddostf.

The vulnerability in question is CVE-2023-46604, a critical remote code execution flaw caused by deserialization of untrusted data in Apache ActiveMQ's OpenWire protocol, which the broker exposes on TCP port 61616 by default. Apache published fixed releases in late October 2023.
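The practical first question for a defender reading this is whether any reachable ActiveMQ broker is still on a vulnerable build. The following Python script is an added example written for this page; it is not code from the article, from FortiGuard Labs, or from the Apache project. It connects to the OpenWire port (where an unpatched broker volunteers its version in the WireFormatInfo frame it sends on connect), pulls the ProviderVersion string out of that frame, and compares it against the fixed releases listed in the Apache advisory for CVE-2023-46604 (5.15.16, 5.16.7, 5.17.6, 5.18.3; 6.x shipped after the fix). Assumptions: the frame layout reproduced in build_sample_banner is a constructed stand-in based on OpenWire's MarshallingSupport encoding (key as a 2-byte-length UTF string, then a type tag of 9, then the value as a 2-byte-length UTF string); fetch_banner is the only part that touches the network and is not exercised offline.

```python
import socket
import struct
from typing import Optional

# Fixed releases per the Apache advisory for CVE-2023-46604; each supported
# 5.x branch got its own patch release, and 6.x was cut after the fix.
FIXED_IN = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}
STRING_TYPE = 9  # OpenWire MarshallingSupport tag preceding a UTF string value
DEFAULT_OPENWIRE_PORT = 61616


def parse_version(text: str) -> tuple:
    """'5.18.2' -> (5, 18, 2); a qualifier such as '-SNAPSHOT' is dropped."""
    core = text.split("-")[0]
    return tuple(int(p) for p in core.split("."))


def is_patched(version: str) -> bool:
    """True if the version is at or above its branch's fixed release."""
    v = parse_version(version)
    if v[:2] > (5, 18):
        return True  # 6.x and later were released after the fix
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return False  # 5.14 and earlier never received a fix
    return v >= fixed


def extract_provider_version(banner: bytes) -> Optional[str]:
    """Locate the ProviderVersion property in a WireFormatInfo frame."""
    key = b"ProviderVersion"
    i = banner.find(key)
    if i < 0:
        return None
    pos = i + len(key)
    # Value layout assumed: type tag (9) then 2-byte big-endian length then UTF-8 bytes
    if pos + 3 > len(banner) or banner[pos] != STRING_TYPE:
        return None
    (length,) = struct.unpack(">H", banner[pos + 1:pos + 3])
    value = banner[pos + 3:pos + 3 + length]
    if len(value) != length:
        return None
    return value.decode("utf-8", errors="replace")


def assess(banner: bytes) -> dict:
    """Classify a captured banner: is it ActiveMQ, which version, is it patched."""
    if b"ActiveMQ" not in banner:
        return {"activemq": False, "version": None, "patched": None}
    version = extract_provider_version(banner)
    patched = is_patched(version) if version else None
    return {"activemq": True, "version": version, "patched": patched}


def fetch_banner(host: str, port: int = DEFAULT_OPENWIRE_PORT, timeout: float = 5.0) -> bytes:
    """Live check: the broker sends its WireFormatInfo unsolicited after connect."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        return s.recv(4096)


def build_sample_banner(version: str) -> bytes:
    """Constructed stand-in for a WireFormatInfo frame so the parser runs offline.
    Mirrors the real layout closely enough for the extractor: length prefix,
    command type 1, 'ActiveMQ' magic, OpenWire version, marshalled property map."""
    def utf(s: bytes) -> bytes:
        return struct.pack(">H", len(s)) + s

    entries = [(b"ProviderName", b"ActiveMQ"),
               (b"ProviderVersion", version.encode()),
               (b"PlatformDetails", b"Java")]
    props = struct.pack(">i", len(entries))
    for k, v in entries:
        props += utf(k) + bytes([STRING_TYPE]) + utf(v)
    magic = b"ActiveMQ"
    payload = (bytes([1])
               + struct.pack(">i", len(magic)) + magic
               + struct.pack(">i", 12)
               + bytes([1]) + struct.pack(">i", len(props)) + props)
    return struct.pack(">i", len(payload)) + payload


if __name__ == "__main__":
    # Offline demonstration on the constructed frame; swap in fetch_banner(host) for a real broker.
    print(assess(build_sample_banner("5.18.2")))
```

Run it against a broker you own with `assess(fetch_banner("broker.example.internal"))` (hypothetical hostname). A `patched: False` result on an internet-exposed 61616 is exactly the condition the campaigns described here are hunting for; a `version: None` result means the frame did not match the assumed layout and should be checked by hand rather than trusted.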

According to a new report from researchers at FortiGuard Labs, the flaw has been weaponized to deliver a new Golang-based botnet dubbed "GoTitan", designed for launching distributed denial-of-service (DDoS) attacks over protocols such as HTTP, UDP, TCP, and TLS, and a .NET program called "PrCtrl Rat" that implements remote control capabilities.

GoTitan is downloaded from a malicious URL and is focused on x64 architectures.

“The attacker only provides binaries for x64 architectures, and the malware performs some checks before running. It also creates a file named "c.log" that records the execution time and program status. This file seems to be a debug log for the developer, which suggests that GoTitan is still in an early stage of development,” the researchers noted.

The malware copies itself on the host and establishes persistence so that it runs repeatedly. It then collects basic information about the compromised endpoint, including architecture, memory, and CPU details, and sends it to the attackers.

A command received from the command-and-control (C2) server is passed to a function named "handle_socket_func2", which selects the attack method. GoTitan supports ten different methods of launching distributed denial-of-service (DDoS) attacks, including UDP, UDP HEX, TCP, TLS, RAW, HTTP GET, HTTP POST, HTTP HEAD, and HTTP PUT.

Fortinet said it also observed instances where the vulnerable Apache ActiveMQ servers have been targeted to deploy another DDoS botnet called Ddostf, Kinsing cryptojacking malware, and a C2 framework named Sliver.
