Links
- Source: VX-Underground: MalwareSourceCode
- Short variant: Cheshire.b.java
Description: Cheshire is a self-replicating piece of Java malware targeting Java 8 and above, written by B0t of VX-Underground.
Links
Description: Malicious actors created a self-replicating piece of Java malware that explicitly targeted the modding/plugin communities. It spreads to all JAR files on the local system, and stolen credentials of mod authors are used by the bad actor to upload backdoored versions of their mods to hosting sites like CurseForge.
Links
- Release thread: Hackforums
- Source: mal/squished-worm/src
Description: Squished Worm is Java malware that targets Bukkit plugins. It supports persistence injection into adjacent server files and remote SSH/FTP access.
Links
- Write-up: Jai Minton: strrat
- Config decoder: Misc-Tools/decrypt-strrat.py
Description: StrRat is a dynamic, plugin-extensible Java RAT. After moving on from just credential stealing, it later gained ransomware-like abilities.
Links
- Source: willie/jrat
- Contains full git history of jRat up to v6 from 2018
- Remover tool: willie/jrat-remover
- Config decoder: RATDecoders/jrat.py
- Hackforum / seller threads:
Description: Common in its active years (ending around 2014), it was the primary go-to Java malware for quite some time.
Links
- Product page: cobaltstrike.com
- Write-up: thedfirreport: cobalt strike, a defender's guide
Description: A tool for post-exploitation pentesting written in Java, commonly used by bad actors for their own real C2 servers.