From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence
ID: 8c1fb4c0-1361-56be-96f4-bd64d05761a4
STIX ID: report--8c1fb4c0-1361-56be-96f4-bd64d05761a4
Feed Name: Microsoft Security
Date Published: 2026-05-22
Date Updated: 2026-05-23
Author: Microsoft Defender Security Research Team
This report describes a multi-stage intrusion in which an attacker compromised an internet-facing, end-of-life F5 BIG-IP appliance (version 15.1.201000) and used it to SSH into a Linux host. From that host, the attacker staged and exploited an internal Atlassian Confluence server via RCE, extracted credentials from Confluence configuration files, and attempted Kerberos/NTLM relay attacks (including exploitation of CVE-2025-33073) against Active Directory. The report includes observed TTPs, file hashes and a C2 IP, Microsoft Defender XDR detections, hunting queries, and prescriptive mitigations such as treating edge appliances as Tier-0 assets and applying identity hardening.
