{"id":10921,"date":"2026-02-25T10:03:38","date_gmt":"2026-02-25T10:03:38","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/02\/25\/threat-actors-exploit-apache-activemq-server-vulnerability-to-gain-rdp-access-and-deploy-lockbit-ransomware\/"},"modified":"2026-02-25T10:03:38","modified_gmt":"2026-02-25T10:03:38","slug":"threat-actors-exploit-apache-activemq-server-vulnerability-to-gain-rdp-access-and-deploy-lockbit-ransomware","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/02\/25\/threat-actors-exploit-apache-activemq-server-vulnerability-to-gain-rdp-access-and-deploy-lockbit-ransomware\/","title":{"rendered":"Threat Actors Exploit Apache ActiveMQ Server Vulnerability to Gain RDP Access and Deploy LockBit Ransomware"},"content":{"rendered":"

Threat Actors Exploit Apache ActiveMQ Server Vulnerability to Gain RDP Access and Deploy LockBit Ransomware
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A critical vulnerability in Apache ActiveMQ has been actively exploited by threat actors, leading to a full LockBit ransomware deployment across an enterprise network. <\/p>\n

Attackers leveraged CVE-2023-46604, a remote code execution flaw in the ActiveMQ messaging broker, to break into an exposed Windows server and ultimately encrypt systems via Remote Desktop Protocol \u2014 spanning roughly 19 calendar days from initial access to full encryption.<\/p>\n

The attack began in mid-February 2024, when a threat actor sent a specially crafted OpenWire command to a publicly accessible Apache ActiveMQ server. <\/p>\n

The exploit caused the server to load a remote Java Spring XML configuration file, which instructed the compromised host to download a Metasploit stager using the Windows CertUtil utility. <\/p>\n

Once executed, the stager opened a command-and-control channel to an attacker-controlled server at IP address 166.62.100[.]52. <\/p>\n

Within 40 minutes of gaining that initial foothold, the attacker had already escalated to SYSTEM-level privileges and started dumping credentials from LSASS process memory on the beachhead host.<\/p>\n

The DFIR Report analysts identified that the attackers<\/a> were evicted from the environment on the second day of the intrusion, but because the vulnerable ActiveMQ server was never patched, the same exploit pathway remained open. <\/p>\n

Eighteen days after the first breach, the threat actors returned using the identical CVE-2023-46604 technique \u2014 only changing the names of the files downloaded after exploitation. <\/p>\n

The re-entry was made far easier by a privileged service account whose credentials had been quietly stolen from LSASS memory during the first intrusion, giving the attackers a direct, ready-made route back into the network.<\/p>\n

\n
\"Initial
Initial Access (Source \u2013 The DFIR Report)<\/figcaption><\/figure>\n<\/div>\n

On their return, the attackers confirmed their domain administrator access, then ran a disguised network scanning tool \u2014 Advanced IP Scanner packaged to resemble SoftPerfect Network Scanner \u2014 to enumerate live hosts across the environment. <\/p>\n

They then moved LockBit ransomware executables to servers and workstations via RDP sessions, using two files: LB3.exe and LB3_pass.exe. <\/p>\n

On file and backup servers, the ransomware was executed with specific path and password arguments, while on other hosts it was run through a simple double-click in the Windows Explorer interface. <\/p>\n

Ransom notes left behind pointed victims to the Session private messaging app, not to any official LockBit infrastructure, indicating this was an independent actor who built their ransomware using the leaked LockBit Black builder.<\/p>\n

The total Time to Ransomware stood at 419 hours \u2014 just over 19 days from first exploitation to full encryption. Had defenders not detected the initial intrusion phase, the attackers would have had fewer than 90 minutes from re-entry before ransomware began executing across the network.<\/p>\n

\n\n\n\n\n\n
CVE ID<\/th>\nCVSS Score<\/th>\nDescription<\/th>\n<\/tr>\n<\/thead>\n
CVE-2023-46604<\/td>\n10.0 (Critical)<\/td>\nApache ActiveMQ Remote Code Execution via malicious OpenWire ClassInfo command<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Credential Theft Driving Lateral Movement<\/strong><\/h2>\n

After gaining SYSTEM-level access on the beachhead, the Metasploit process accessed LSASS process memory on four separate hosts during the first intrusion round. <\/p>\n

Sysmon logs captured the GrantedAccess value of 0x1010 \u2014 which grants read access to virtual memory \u2014 alongside a CallTrace UNKNOWN entry, a reliable indicator of injected code performing the dump without leaving a standard process trail. <\/p>\n

One of the targeted hosts was running a production application tied to a privileged service account, and that single account became the bridge the threat actors used to cross back into the network 18 days later.<\/p>\n

\n
\"LSASS
LSASS Credential Dumping Activity Observed in Sysmon Logs During Round 1 and Round 2 (Source \u2013 The DFIR Report)<\/figcaption><\/figure>\n<\/div>\n

When the attackers returned on day 18, they used that stolen service account to remotely create services and run Metasploit payloads across domain controllers and multiple servers. <\/p>\n

The PowerShell commands<\/a> carrying those payloads were obfuscated through string concatenation, Base64 encoding, and gzip compression stacked on top of each other. <\/p>\n

After decoding, the shellcode allocated memory regions using VirtualAlloc, changed their protection attribute to executable using VirtualProtect, then spawned a thread to execute the injected payload in-memory \u2014 a method commonly used to avoid triggering signature-based endpoint detection. <\/p>\n

On hosts where Microsoft Defender<\/a> was active, this activity was caught and blocked; unprotected systems were fully compromised.<\/p>\n

\n
\"AnyDesk
AnyDesk Silent Installation and C2 Connection to 166.62.100[.]52 (Source \u2013 The DFIR Report)<\/figcaption><\/figure>\n<\/div>\n

To cover their tracks and maintain a foothold, the attackers silently installed AnyDesk on the beachhead host, setting it up as an auto-start service. <\/p>\n

A batch file named rdp.bat opened firewall port 3389 to allow RDP connections and was then removed roughly six minutes after execution. <\/p>\n

Windows System, Application, and Security event logs on the beachhead were all wiped, and the LOLBIN SystemSettingsAdminFlows.exe was abused on the Exchange server<\/a> to disable Windows Defender.<\/p>\n

Indicators of Compromise (IOCs)<\/strong><\/h2>\n
\n\n\n\n\n\n\n\n\n\n\n\n
Indicator<\/th>\nType<\/th>\nDescription<\/th>\n<\/tr>\n<\/thead>\n
166.62.100[.]52<\/td>\nIP Address<\/td>\nC2 server and AnyDesk login source<\/td>\n<\/tr>\n
C8646CFB574FF2C6F183C3C3951BF6B2C6CF16FF8A5E949A118BE27F15962FAE<\/td>\nSHA-256<\/td>\nLB3_pass.exe \u2014 LockBit ransomware executable<\/td>\n<\/tr>\n
8CEEE89550C521BA43F59D24BA53A22A3B69EAD0FCE118508D0A87A383D6A7B6<\/td>\nSHA-256<\/td>\nLB3.exe \u2014 LockBit ransomware executable<\/td>\n<\/tr>\n
87BFB05057F215659CC801750118900145F8A22FA93AC4C6E1BFD81AA98B0A55<\/td>\nSHA-256<\/td>\nnetscan.exe \u2014 Network scanner tool<\/td>\n<\/tr>\n
722FFF8F38197D1449DF500AE31A95BB34A6DDABA56834B13EAAFF2B0F9F1C8B<\/td>\nSHA-256<\/td>\nadvanced_ip_scanner.exe \u2014 IP scanner disguise<\/td>\n<\/tr>\n
D9C888BDE81F19F3DC4F050D184FFA6470F1A93A2B3B10B3CC2D246574F56841<\/td>\nSHA-256<\/td>\nrdp.bat \u2014 RDP configuration batch file<\/td>\n<\/tr>\n
1148037084<\/td>\nAnyDesk Client ID<\/td>\nAttacker\u2019s AnyDesk client identifier<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Organizations should immediately patch Apache ActiveMQ to address CVE-2023-46604, enforce LSASS protection through Credential Guard, monitor for event log clearing activity, restrict unauthorized remote access tool<\/a> installations, and reset all credentials after any suspected intrusion to prevent re-entry through stolen accounts.<\/p>\n

Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n

The post Threat Actors Exploit Apache ActiveMQ Server Vulnerability to Gain RDP Access and Deploy LockBit Ransomware<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Tushar Subhra Dutta
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

Threat Actors Exploit Apache ActiveMQ Server Vulnerability to Gain RDP Access and Deploy LockBit Ransomware A critical vulnerability in Apache ActiveMQ has been actively exploited by threat actors, leading to a full LockBit ransomware deployment across an enterprise network. Attackers leveraged CVE-2023-46604, a remote code execution flaw in the ActiveMQ messaging broker, to break into […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-10921","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10921"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10921"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10921\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10921"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10921"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10921"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}