New 'Hadooken' Malware Targets Linux Systems for Crypto Mining, Exploits Oracle WebLogic Vulnerabilities
September 13, 2024
Aqua Security researchers discovered Hadooken after observing a breach in a honeypot, where attackers exploited weak credentials to gain access.
Cybersecurity researchers have identified a new malware campaign targeting Linux systems for illicit cryptocurrency mining, specifically through a malware named Hadooken.
The attack exploits known vulnerabilities and misconfigurations, such as weak passwords, to gain unauthorized access and execute arbitrary code.
Oracle's WebLogic Server, widely used in sectors like banking and healthcare, has become a prime target for cybercriminals due to its known vulnerabilities.
Despite its strong reputation, Oracle WebLogic is frequently targeted by attackers, leading to concerns about the security of over 230,000 internet-connected servers.
Once access is gained, attackers download a shell script and a Python script designed to fetch and execute Hadooken, while also targeting SSH data for lateral movement.
While Aqua has not confirmed the operational status of Tsunami malware, it remains a potential threat for future attacks.
Static analysis has revealed connections between Hadooken and ransomware families like Rhombus and NoEscape, suggesting future threats to Linux servers.
Hadooken provides attackers with complete control over compromised systems, allowing for further exploitation and potential ransomware deployment.
Researchers traced Hadooken to two IP addresses, one linked to a UK hosting company and another inactive IP registered in Russia, but no direct links to other threat groups were established.
The active IP address associated with Hadooken is registered to Aeza International LTD in Germany, which has connections to previous cryptocurrency campaigns.
Aeza's rapid growth is attributed to recruiting young developers from bulletproof hosting services in Russia that shield cybercriminal activities.
Summary based on 7 sources
Sources
TechRadar pro • Sep 13, 2024: Oracle servers targeted by new Linux malware to steal passwords, crypto
BleepingComputer • Sep 13, 2024: New Linux malware Hadooken targets Oracle WebLogic servers
The Hacker News • Sep 13, 2024: New Linux Malware Campaign Exploits Oracle Weblogic to Mine Cryptocurrency
The Register • Sep 13, 2024: 'Hadooken' Linux malware targets Oracle WebLogic servers