Apache Applications Targeted by Stealthy Attacker
ID: 632d2d33-a52a-5e2d-97da-3fbdc815c724
STIX ID: report--632d2d33-a52a-5e2d-97da-3fbdc815c724
Feed Name: Aqua Security Blog
Aqua Nautilus researchers uncovered an active campaign exploiting unauthenticated RCE misconfigurations in Apache Hadoop YARN and Apache Flink to drop a packed ELF downloader ('dca') that installs two process-hiding rootkits and a Monero cryptominer, achieves persistence via cronjobs, and communicates with staging servers (several IPs and ns1.disponibletogether.com); the report provides IOCs, MITRE ATT&CK mappings, and detection recommendations.
