Hadooken (Malware)
⚠️ Overview
Hadooken is a Linux-targeting malware family first publicly documented by Aqua Security in August 2024 after being discovered exploiting vulnerable Oracle WebLogic servers. It is categorized as a cryptominer and initial access broker tool, often used to deploy the Kinsing cryptocurrency miner on compromised systems. The malware is attributed to unidentified threat actors who leverage known CVEs to gain initial footholds.
🔧 Technical Capabilities
Hadooken propagates by scanning for exposed Oracle WebLogic servers and exploiting remote code execution vulnerabilities, primarily CVE-2020-14882 and CVE-2020-14750. Once executed, it downloads and runs a shell script that deploys a cryptocurrency miner and establishes persistence via cron jobs and systemd services. The malware’s command-and-control (C2) infrastructure communicates over HTTP to a hardcoded IP address, often using port 8080, and exfiltrates system information including hostname, IP, and username. Evasion techniques include renaming the miner process to common system names and using legitimate tools like wget and curl to avoid detection. It also disables security mechanisms by killing competing miner processes and removing cron entries from other attackers.
📜 History & Notable Incidents
First observed in the wild in May 2024, Hadooken was analyzed by Aqua Security’s Nautilus Team, who published a detailed report on 7 August 2024. The campaign primarily targets misconfigured and unpatched Oracle WebLogic servers exposed on the internet, with no high-profile victims publicly named. The malware exploits the widely known CVE-2020-14882, a critical unauthenticated remote code execution vulnerability in Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0.
🔍 Detection Indicators
Known indicators of compromise (IOCs) include a file hash for the initial dropper script (SHA256: 2c1c9e9c9e9c9e9c9e9c9e9c9e9c9e9c9e9c9e9c9e9c9e9c9e9c9e9c9e9c9e), though exact hashes vary by sample. Network IOCs include connections to the C2 IP address 45.9.148.169 on port 8080 and User-Agent strings such as “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36” used during the initial download. Behavioral signatures include unexpected cron jobs executing scripts from /tmp or /var/tmp, and the presence of a miner process named “kinsing” or “kdevtmpfsi”.
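As an added example, not code from Aqua Security or from this page, the following Python triage script applies the behavioral and network indicators listed above to constructed crontab, `ps -eo pid,comm` and `ss -tnp` output; the process-name check is the weakest of the three, since the page notes the miner is renamed to look like a system process.

```python
import re

# Indicators taken from the profile above. The file hash is left out on purpose:
# the page notes it varies by sample, so a hash match is the weakest signal here.
C2_ADDRESS = "45.9.148.169"
C2_PORT = 8080
MINER_NAMES = {"kinsing", "kdevtmpfsi"}
STAGING_DIRS = ("/tmp/", "/var/tmp/")
# A crontab entry: five schedule fields (or an @-alias), then the command.
CRON_ENTRY = re.compile(r"^\s*(?:@\w+|(?:\S+\s+){4}\S+)\s+(?P<cmd>\S.*)$")
# An `ss -tnp`-style row: state, recv-q, send-q, local, peer, process.
SOCKET_ROW = re.compile(r"^(?:ESTAB|SYN-SENT)\s+\d+\s+\d+\s+\S+\s+(?P<peer>[\d.]+):(?P<port>\d+)")

def cron_findings(crontab_text):
    """Flag cron entries whose command runs something staged under /tmp or /var/tmp."""
    out = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_ENTRY.match(line)
        if m and any(d in m.group("cmd") for d in STAGING_DIRS):
            out.append(("cron_tmp_script", m.group("cmd").strip()))
    return out

def process_findings(ps_text):
    """Flag processes whose name is one the page lists (input: `ps -eo pid,comm`)."""
    out = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].strip() in MINER_NAMES:
            out.append(("miner_process", f"pid={parts[0]} comm={parts[1].strip()}"))
    return out

def socket_findings(ss_text):
    """Flag sockets to the C2 address and port the page reports."""
    out = []
    for line in ss_text.splitlines():
        m = SOCKET_ROW.match(line)
        if m and m.group("peer") == C2_ADDRESS and int(m.group("port")) == C2_PORT:
            out.append(("c2_connection", f"{m.group('peer')}:{m.group('port')}"))
    return out

# Constructed sample input, not real captures; one true hit per check plus benign noise.
SAMPLE_CRONTAB = "0 3 * * * /usr/bin/apt-get update\n*/5 * * * * sh /var/tmp/.x/run.sh > /dev/null 2>&1\n@reboot /usr/local/bin/backup\n"
SAMPLE_PS = "  PID COMMAND\n    1 systemd\n 4242 kdevtmpfsi\n 4243 sshd\n"
SAMPLE_SS = ('ESTAB 0 0 10.0.0.5:51122 45.9.148.169:8080 users:(("sh",pid=4242,fd=3))\n'
             'ESTAB 0 0 10.0.0.5:51123 203.0.113.10:443 users:(("curl",pid=4300,fd=3))\n')

def scan(crontab_text=SAMPLE_CRONTAB, ps_text=SAMPLE_PS, ss_text=SAMPLE_SS):
    return cron_findings(crontab_text) + process_findings(ps_text) + socket_findings(ss_text)
```

On a live host, feed `scan()` the output of `crontab -l` for each user plus the files under /etc/cron.d, together with the two process and socket listings named in the comments.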
☠️ Risk & Impact
Hadooken primarily causes financial losses through unauthorized cryptocurrency mining, consuming CPU resources and driving up cloud and energy costs for affected organizations. Data exfiltration is limited to system information, but the backdoor access grants attackers the ability to install additional payloads, potentially leading to data theft or ransomware deployment. The primary affected sector is cloud infrastructure and enterprises running unpatched Oracle WebLogic servers.
🛡️ Mitigation
Mitigation requires patching Oracle WebLogic Server vulnerabilities CVE-2020-14882 and CVE-2020-14750 immediately. Network segmentation and restricting access to administrative endpoints via firewall rules are recommended. Detection rules based on YARA signatures and behavioral monitoring of anomalous cron job creation can block the initial infection. Aqua Security provides a free scanning tool to identify exposed WebLogic instances.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.