Lucifer DDoS Botnet Malware Is Targeting Apache Big-Data Stack
ID: 650e4638-9fca-5743-af74-f487b918e4a5
STIX ID: report--650e4638-9fca-5743-af74-f487b918e4a5
Feed Name: Aqua Security Blog
Aqua Nautilus describes an ongoing campaign (observed from July 2023 through January 2024) in which operators exploit Apache Hadoop YARN misconfigurations and Apache Druid CVE-2021-25646 to install Lucifer DDoS/cryptomining malware. The attack chain uses staged droppers to deploy XMRig miners, establishes persistence via cron, and evades defenses by deleting binaries, packing payloads, and truncating logs. The report includes comprehensive IOCs (attacker/C2 IPs, domains, file hashes, and a wallet address).
