Tomcat in the Crosshairs: New Research Reveals Ongoing Attacks
ID: 7a1098b1-2f2c-55ac-8e44-d5eb308e9b1f
STIX ID: report--7a1098b1-2f2c-55ac-8e44-d5eb308e9b1f
Feed Name: Aqua Security Blog
Aqua Nautilus researchers describe an active 2025 campaign targeting Apache Tomcat servers. The attackers combine brute-force abuse of the management console with a recently disclosed Tomcat vulnerability to upload JSP web shells that decode AES-encrypted payloads, establish persistence, and deliver packed ELF and Windows binaries; those binaries steal SSH keys, move laterally, and run cryptomining workloads. The report includes code excerpts, dynamic analysis of the packed ELF (anti-debugging, socket use, process masquerading), IOCs (IPs, the domain dbliker.top, multiple MD5s), and recommended mitigations such as patching, disabling unused management interfaces, network segmentation, and runtime protection.
