"After the creation of the rdp.bat file, several commands were executed via a CMD process to modify the host configuration, specifically to permit RDP through the firewall and set the RDP port number to 3389. We assess that these commands were included in the batch file."
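The two host changes quoted above (a firewall allow for RDP and a write to the RDP listener port) are what a detection engineer would key on. The following is an added example, not code from The DFIR Report; it runs simple rules over constructed process-creation events and then correlates hits by parent process, since the report's point is that several such commands came from one CMD process (the batch file). The command syntax used in the samples is the common way to make these changes and is an assumption; the excerpt does not show the actual contents of rdp.bat.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample events (not from the report) in the form "parent_image|command_line",
# as an EDR or Sysmon export might present them. The netsh/reg syntax is assumed.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\cmd.exe|netsh advfirewall firewall add rule name=rdp dir=in action=allow protocol=TCP localport=3389",
    r'C:\Windows\System32\cmd.exe|netsh advfirewall firewall set rule group="remote desktop" new enable=Yes',
    r'C:\Windows\System32\cmd.exe|reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 3389 /f',
    r"C:\Windows\explorer.exe|notepad.exe C:\Users\alice\notes.txt",
    r"C:\Windows\System32\cmd.exe|ipconfig /all",
]

# One rule per host change an actor needs before inbound RDP works.
RULES: Dict[str, re.Pattern] = {
    # netsh opening TCP 3389 or enabling the built-in Remote Desktop rule group
    "rdp_firewall_allow": re.compile(
        r"netsh\s+advfirewall\s+firewall\s+"
        r"(?:add\s+rule\b(?=.*action=allow)|set\s+rule\b(?=.*enable=yes))"
        r".*(?:localport=3389|remote\s*desktop)", re.IGNORECASE),
    # reg.exe writing the listener port of the RDP-Tcp WinStation
    "rdp_port_registry": re.compile(
        r"reg(?:\.exe)?\s+add\b.*Terminal Server\\WinStations\\RDP-Tcp.*\bPortNumber\b",
        re.IGNORECASE),
}

def detect(events: List[str]) -> List[Dict[str, str]]:
    """Return one finding per (event, rule) match, keeping the parent image."""
    findings = []
    for line in events:
        parent, _, cmd = line.partition("|")
        for name, pattern in RULES.items():
            if pattern.search(cmd):
                findings.append({"rule": name, "parent": parent, "command": cmd})
    return findings

def correlate(findings: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Group distinct rule hits by parent image and keep parents that triggered more
    than one rule. A lone firewall change is something admins make by hand; one
    cmd.exe parent touching both firewall and registry is the batch-file pattern."""
    by_parent: Dict[str, Set[str]] = defaultdict(set)
    for f in findings:
        by_parent[f["parent"]].add(f["rule"])
    return {p: rules for p, rules in by_parent.items() if len(rules) > 1}

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f["rule"], "<-", f["command"])
    print(correlate(hits))
```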

Link to the report ⬇️

Apache ActiveMQ Exploit Leads to LockBit Ransomware - The DFIR Report

Key Takeaways: An audio version of this report can be found on Spotify, Apple, YouTube, Audible, & Amazon. This intrusion began in mid-February 2024 after a threat actor exploited a vulnerability (CVE-2023-46604) on an exposed Apache ActiveMQ server. The threat actor was able to perform remote code execution (RCE) by using a Java Spring class and a custom Java Spring […]

The DFIR Report