Muhstik Botnet Exploits Apache RocketMQ Flaw for DDoS Attack

Muhstik Botnet Exploits Apache RocketMQ Flaw for DDoS Attack

The Muhstik botnet, known for its distributed denial-of-service (DDoS) attacks, is exploiting a recently patched security vulnerability in Apache RocketMQ to commandeer vulnerable servers and expand its reach.


Aqua, a cloud security firm, reported that Muhstik is notorious for targeting IoT devices and Linux-based servers, infecting them for cryptocurrency mining, and launching DDoS attacks. This botnet, first documented in 2018, frequently leverages known security flaws in web applications for propagation.


The latest vulnerability exploited by Muhstik is CVE-2023-33246 (CVSS score: 9.8), a critical flaw in Apache RocketMQ. This flaw allows remote, unauthenticated attackers to perform remote code execution by manipulating the RocketMQ protocol or using the update configuration function.

Upon exploiting this vulnerability, the attackers execute a shell script from a remote IP address, which then downloads the Muhstik binary (“pty3”) from another server. The malware gains persistence by copying itself to multiple directories and modifying the /etc/inittab file, which controls the processes started during the booting of a Linux server.

Naming the binary “pty3” is likely an attempt to disguise it as a pseudoterminal (“pty“) and evade detection. Additionally, the malware is copied to directories like /dev/shm, /var/tmp, /run/lock, and /run to execute directly from memory, minimizing traces on the system.

Muhstik’s capabilities include gathering system metadata, moving laterally to other devices via secure shell (SSH), and establishing contact with a command-and-control (C2) domain to receive further instructions using the Internet Relay Chat (IRC) protocol. The primary goal of Muhstik is to use compromised devices for various flooding attacks, overwhelming network resources, and causing denial-of-service conditions.

Despite the public disclosure of the RocketMQ flaw over a year ago, 5,216 vulnerable instances remain exposed to the internet. Organizations must update to the latest version to mitigate these threats.

In addition to DDoS attacks, previous campaigns have detected cryptomining activity following the execution of Muhstik malware. These objectives are aligned, as infecting more machines enables attackers to mine more cryptocurrency using the compromised machines’ electrical power.

The disclosure coincides with the AhnLab Security Intelligence Center (ASEC), revealing that poorly secured MS-SQL servers are also being targeted by various types of malware, including ransomware, remote access trojans, and proxyware.


ASEC advises administrators to use strong, frequently changed passwords and apply the latest patches to safeguard against brute-force and dictionary attacks.

Start Growing with Cloudways Today.

Our Clients Love us because we never compromise on these

Muhstik Botnet Exploits Apache RocketMQ Flaw for DDoS Attack 1

Abdul Rehman

Abdul is a tech-savvy, coffee-fueled, and creatively driven marketer who loves keeping up with the latest software updates and tech gadgets. He’s also a skilled technical writer who can explain complex concepts simply for a broad audience. Abdul enjoys sharing his knowledge of the Cloud industry through user manuals, documentation, and blog posts.


Thankyou for Subscribing Us!

Do you like what you read?

Thank you for your feedback!

Keep reading the article at The Official Cloudways Blog. The article was originally written by Abdul Rehman on 2024-06-07 09:34:27.

The article was hand-picked and curated for you by the Editorial Team of WP Archives.

Disclosure: Some of the links in this post are "affiliate links." This means if you click on the link and purchase the product, We may receive an affiliate commission.

Leave a Comment

Your email address will not be published. Required fields are marked *

Show Your ❤️ Love! Like Us
Scroll to Top