Apache ActiveMQ Exploit Leads to LockBit Ransomware

ID: 0296c57e-e20e-5cbf-b706-f0c784b0ae8f

STIX ID: report--0296c57e-e20e-5cbf-b706-f0c784b0ae8f

Feed Name: The DFIR Report

Threat Score
75/100

Date Published: 2026-02-23

Date Updated: 2026-04-19

Author: editor

...
...

This DFIR report describes a mid-February 2024 intrusion in which a threat actor exploited CVE-2023-46604 on an exposed Apache ActiveMQ server to achieve remote code execution, delivered a Metasploit/Meterpreter stager, dumped LSASS to harvest credentials, moved laterally (remote services, RDP, AnyDesk), and—returning 18 days later—used the harvested credentials to deploy LockBit ransomware across multiple systems; the report contains technical telemetry, file/host indicators, YARA/Sigma detections, and a timeline.