Cleopatra's Shadow: A Mass Exploitation Campaign Deploying a Java Backdoor Through Zero-Day Exploitation of Cleo MFT Software
Dec. 13, 2024, 3:59 p.m.
Description
A mass exploitation campaign targeting Cleo Managed File Transfer (MFT) products was observed in December 2024. The attackers exploited a zero-day vulnerability to deploy a Java-based backdoor dubbed Cleopatra. The campaign began on December 7 and is ongoing. The attack chain consists of an obfuscated PowerShell stager, a Java loader, and the Cleopatra backdoor. The backdoor runs on both Windows and Linux and includes features built specifically to access data held by Cleo MFT software. Multiple IP addresses were used for command and control, while vulnerability scanning originated from only two IPs. The campaign appears opportunistic, affecting organizations across a range of industries. Affected Cleo products include Harmony, VLTrader, and LexiCom, including patched versions.
Date
Published: Dec. 13, 2024, 12:40 p.m.
Created: Dec. 13, 2024, 12:40 p.m.
Modified: Dec. 13, 2024, 3:59 p.m.
Attack Patterns
T1135 (Network Share Discovery)
T1082 (System Information Discovery)
T1033 (System Owner/User Discovery)
T1049 (System Network Connections Discovery)
T1190 (Exploit Public-Facing Application)
T1059 (Command and Scripting Interpreter)