Back

March 21, 2024

Lucifer DDoS Malware Targets Apache Big-Data Stack, Hadoop & Druid Servers

In a concerning revelation for organizations relying on Apache's powerful big-data solutions, a formidable variant of the notorious Lucifer DDoS botnet malware has emerged, exclusively targeting Apache Hadoop and Apache Druid servers. This highly sophisticated malware campaign capitalizes on pre-existing vulnerabilities and misconfigurations within these systems to carry out a range of malicious activities. From insidious cryptojacking to disruptive distributed denial-of-service (DDoS) attacks, this threat poses a grave danger to your organization's data infrastructure.

Vulnerabilities and Misconfigurations

A recent in-depth analysis conducted by Aquasec has shed light on the cunning tactics employed by the Lucifer malware. This sophisticated threat specifically exploits misconfigurations and well-known vulnerabilities found within Apache Hadoop and Apache Druid environments.

Of particular concern is the exploitation of CVE-2021-25646, a critical vulnerability residing within Apache Druid. This flaw, categorized as a command injection vulnerability, grants authenticated attackers the ability to execute arbitrary code, paving the way for potentially devastating consequences.

Figure 1: Attack flow, initial phase [Image Credits: Aquasec (screenshot)]

Through astutely leveraging these identified weaknesses, malicious actors can effortlessly breach system defenses, gaining unauthorized access to critical infrastructure. This illicit entry grants them the freedom to execute a wide range of nefarious activities, posing a significant threat to organizations’ security.

The Convergence of Cryptojacking and DDoS Attacks

Setting itself apart from conventional threats, the Lucifer malware showcases its unparalleled prowess through a unique fusion of cryptojacking and DDoS capabilities.

Upon infiltrating vulnerable Linux servers, this potent malware swiftly capitalizes on its foothold, seamlessly transforming them into Monero cryptomining bots. This cunning approach enables malicious actors to exploit computing resources for their own illicit gains, all while evading detection.

Furthermore, the Lucifer malware goes beyond cryptomining capabilities and possesses the alarming capability to unleash devastating DDoS attacks. This dual assault strikes at the very core of targeted servers, compromising their integrity and availability. 

Implications and Recommended Actions

The emergence of the Lucifer malware, specifically targeting Apache's robust big-data stack, serves as a resounding wake-up call, underscoring the omnipresent cyber threats looming over organizations.

With an alarming surge of over 3,000 distinct attacks detected in the past month alone, the imperative for bolstering security measures cannot be emphasized enough.

To effectively combat this escalating menace, organizations must adopt a proactive stance. Regularly scanning their environments for vulnerabilities, promptly applying necessary patches, and implementing runtime detection mechanisms are pivotal steps in identifying and neutralizing unfamiliar threats.

In an ever-evolving cyber threat landscape, maintaining unwavering vigilance and staying informed are paramount. The Lucifer DDoS botnet malware campaign, targeting Apache Hadoop and Apache Druid servers, epitomizes the attackers' shrewd tactics in exploiting vulnerabilities and misconfigurations to reap malicious rewards.

To fortify their critical infrastructure against these insidious threats, organizations must embrace holistic security strategies, encompassing comprehensive measures to safeguard against potential breaches. By doing so, they can confidently navigate the treacherous cybersecurity landscape and protect their invaluable assets.

Nexusguard and Customers Unimpacted by Vulnerability

Rest assured, as we closely monitor the situation, we can confidently confirm that our products remain unaffected by the reported vulnerability. This reaffirms our steadfast dedication to delivering secure solutions that prioritize the protection of our customers’ assets.


Our commitment to security extends far beyond mere promises. At Nexusguard, we adopt a meticulous approach to product development, implementing a range of measures to guarantee the protection of our customers. Through the integration of runtime detection mechanisms, we actively identify and mitigate unfamiliar threats, leaving no room for compromise. Additionally, we conduct thorough scans of footprints to promptly identify and address common misconfigurations, ensuring the integrity and security of our solutions.

Moreover, we maintain a rigorous patching process that ensures our products are continuously updated to mitigate emerging risks. This proactive approach allows us to stay ahead of potential vulnerabilities and provide our customers with the utmost protection.

Urgent Steps to Safeguard Your Organization

In the face of suspicion surrounding the impact of this vulnerability, time is of the essence. It is crucial to immediately engage the expertise of specialists who can provide decisive assistance tailored to your unique circumstances.

Nexusguard's Application Protection is a powerful security solution that provides extensive defense against a broad spectrum of attacks across L3-L4 and L7 layers. This robust solution guarantees comprehensive protection, even against potential zero-day attacks, effectively safeguarding your applications with the utmost efficiency and effectiveness.

For more information, please read about Nexusguard’s Application Protection or reach out to us via our contact form.

With Nexusguard, you can trust in the security of your network and applications completely. Our stringent security hardening measures and rigorous inspections effectively eliminate the risk of high-severity vulnerabilities, providing comprehensive protection for your valuable assets.

Get the latest cybersecurity news and expert insights direct to your inbox

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.