Where are they now? Starring: Confluence CVE-2023-22527
ID: c21e111b-f958-5b44-945c-8cd5944553be
STIX ID: report--c21e111b-f958-5b44-945c-8cd5944553be
Feed Name: GreyNoise Labs
A technical review of active exploitation of Atlassian Confluence CVE-2023-22527. Observed POST requests (matching public Nuclei/Metasploit templates) deliver a bash loader (ldr.sh) that disables security tooling, tunes host settings for mining, downloads and runs a UPX-packed Go bitcoin miner, attempts SSH-based lateral propagation using harvested keys/hosts, and wipes logs. The report documents exploit samples, payload behavior, and indicators suggesting broad in-the-wild compromise risk.
