{"id":56978,"date":"2024-08-30T00:00:00","date_gmt":"2024-08-30T00:00:00","guid":{"rendered":"urn:uuid:ef080dcd-ebb4-a037-e9f1-07aedafa6d30"},"modified":"2024-08-30T00:00:00","modified_gmt":"2024-08-30T00:00:00","slug":"silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\/","title":{"rendered":"Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/GodzillaBackdoor-header:Large?qlt=80\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"malware,articles, news, reports,research\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2024-08-30\"> <meta property=\"article:tag\" content=\"malware\"> <meta property=\"article:section\" content=\"research\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/h\/godzilla-fileless-backdoors.html\"> <title>Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence | Trend Micro (US)<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" 
href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\">\n<link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendmicro\/clientlibs\/trendmicro-core-2\/clientlibs\/header-footer.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/h\/godzilla-fileless-backdoors.html\"><br \/>\n<meta property=\"og:title\" content=\"Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence \"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/GodzillaBackdoor-header.jpg\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence \"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/GodzillaBackdoor-header.jpg\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.551972473394\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layers *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1458574713\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" 
readability=\"8.2776162790698\">\n<div class=\"article-details\" role=\"heading\" readability=\"36.031976744186\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Malware<\/p>\n<p class=\"article-details__description\">Trend Micro discovered that old Atlassian Confluence versions that were affected by CVE-2023-22527 are being exploited using a new in-memory fileless backdoor.<\/p>\n<p class=\"article-details__author-by\">By: Abdelrahman Esmail, Sunil Bharti <time class=\"article-details__date\">August 30, 2024<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<div class=\"article-details__icons\"> <!--Add This--> <\/p>\n<div class=\"a2a_kit a2a_default_style\" data-a2a-icon-color=\"#717172\"> <a class=\"a2a_dd addthis_link\" href=\"https:\/\/www.addtoany.com\/share\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/share-more.svg\" class=\"svg-icon\" alt=\"Share\"> <\/a> <a class=\"a2a_button_print addthis_link\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/printer.svg\" class=\"svg-icon\" alt=\"Print\"> <\/a> <\/div>\n<p> <!--Add to Folio--> <!--Subscribe--> <\/div>\n<\/div><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div class=\"richText\" readability=\"46.675656493967\">\n<div readability=\"40.420156139106\">\n<h4>Summary<\/h4>\n<ul>\n<li><span class=\"rte-red-bullet\">Trend Micro researchers identified a new attack vector that exploits the CVE-2023-22527 through the deployment of an in-memory fileless backdoor known as the Godzilla webshell. 
CVE-2023-22527 is a vulnerability affecting older versions of the Atlassian Confluence Data Center and Server that allows attackers to perform remote code execution.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">In such an attack, a loader is introduced into a compromised Atlassian server, subsequently activating the Godzilla webshell.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Godzilla is a sophisticated Chinese-language backdoor that uses AES encryption for communication and remains in-memory to avoid disk-based detection mechanisms.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Legacy anti-virus solutions struggle to detect fileless malware, so the discovery of this new kind of attack underscores the importance of regularly patching servers and using more advanced security solutions.<\/span><\/li>\n<\/ul>\n<p>We observed a new attack vector of weaponization for the vulnerability CVE-2023-22527 using the Godzilla backdoor. Following initial exploitation, a loader was loaded into the victim's Atlassian server, which then loads a Godzilla webshell. On January 16, 2024, Atlassian released a security advisory for <a href=\"https:\/\/confluence.atlassian.com\/security\/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html\" target=\"_blank\" rel=\"noopener\">CVE-2023-22527<\/a>, a vulnerability that affects Confluence Data Center and Confluence Server products. 
In response to this, Trend Micro released its own <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/b\/unveiling-atlassian-confluence-vulnerability-cve-2023-22527--und.html\" target=\"_blank\" rel=\"noopener\">technical analysis and coverage<\/a> of the vulnerability, which has also been associated with <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/h\/cve-2023-22527-cryptomining.html\" target=\"_blank\" rel=\"noopener\">crypto-mining activities<\/a>.<\/p>\n<p>The vulnerability is marked critical with a Common Vulnerability Scoring System (CVSS) score of 10. By exploiting this flaw, an unauthenticated attacker has the potential to exploit a template injection vulnerability found in older versions of Confluence Data Center and Server, enabling remote code execution (RCE) on the affected instance.<\/p>\n<h4>Godzilla Webshell<\/h4>\n<p>Upon analysing the backdoor, it was identified as the Chinese-language <a href=\"https:\/\/github.com\/BeichenDream\/GodzillaMemoryShellProject\/tree\/main\" target=\"_blank\" rel=\"noopener\">Godzilla in-memory backdoor<\/a>. This backdoor was developed by a user named \u201cBeichenDream\u201d, who created it in response to existing webshells frequently being detected by security products during red team operations. The author claims that Godzilla avoids detection by using Advanced Encryption Standard (AES) encryption for its network traffic and boasts a very low static detection rate across various security vendor products. 
The project idea of a servlet-based, in-memory shell for Tomcat and other middleware was first proposed by the user \u201c<a href=\"https:\/\/github.com\/feihong-cs\/memShell\/tree\/master\" target=\"_blank\" rel=\"noopener\">feihong-cs<\/a>\u201d.<\/p>\n<p>The main issue with malware fileless techniques is that they are extremely challenging to detect if customers are relying on legacy anti-virus, which use signature-based methods, sandboxing, whitelisting, or sometimes even machine learning protection methods.&nbsp;<\/p>\n<h4>Initial Access<\/h4>\n<p>The attack begins with the exploitation of CVE-2023-22527 using <i>velocity.struts2.context<\/i> to execute OGNL object (Figures 1 and 2).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <a id=\"d26aad\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/Godzilla%20Fileless%20Backdoors%20figure%2001-01.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/Godzilla%20Fileless%20Backdoors%20figure%2001-01.jpg\" alt=\"Figure 1. Attack chain \"> <\/a> <\/p>\n<p><figcaption>Figure 1. Attack chain <\/figcaption><\/p>\n<\/figure><\/div>\n<div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/GodzillaBackdoor-Fig2.png\" alt=\"Figure 2. Malicious request for CVE-2023-22527 exploitation\"> <\/p>\n<p><figcaption>Figure 2. 
Malicious request for CVE-2023-22527 exploitation<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/GodzillaBackdoor-Fig3.png\" alt=\"Figure 3. Code snippet of the malicious payload\"> <\/p>\n<p><figcaption>Figure 3. Code snippet of the malicious payload<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"30.754731861199\">\n<div readability=\"7.8107255520505\">\n<p>Diving deep into the malicious payload (Figure 3), we discovered:<b><\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">The attacker uses an OGNL object to read a parameter called <i>x<\/i>. In the parameter\u2019s value, through the help of ScriptEngineManager, the attacker evaluates JavaScript code. The reason the attacker is using object linking chains could be because of an OGNL template restriction: if its length is longer than <a href=\"https:\/\/blog.projectdiscovery.io\/atlassian-confluence-ssti-remote-code-execution\/\" target=\"_blank\" rel=\"noopener\">~200 characters<\/a>, it will be blocked based on the <i>struts.ognl.expressionMaxLength<\/i> setting.<b><\/b><\/span><\/li>\n<li><span class=\"rte-red-bullet\">As per the JavaScript code, the attacker adds the header <i>x_evc_ecneulfnoc<\/i> to make sure the object has been loaded successfully, which will be shown in the response (Figure 4).&nbsp;<\/span><b><\/b><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"dee671\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/GodzillaBackdoor-Fig4.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img 
decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/GodzillaBackdoor-Fig4.png\" alt=\"Figure 4. The response contains the header in case of successful object loading\"> <\/a> <\/p>\n<p><figcaption>Figure 4. The response contains the header in case of successful object loading<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<ul>\n<li><span class=\"rte-red-bullet\">The second part of the JavaScript code has an object called <i>data<\/i> that contains Base64, which will be loaded as an anonymous class in-memory using <i>sun.misc.Unsafe<\/i>.<\/span><\/li>\n<\/ul>\n<h4>&nbsp;<\/h4>\n<h4>Malware<\/h4>\n<p>After decoding the Base64 value of this anonymous class, its compiled java code program is called <i>MemGodValueShell<\/i>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"b9f7c0\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/GodzillaBackdoor-Fig5.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/GodzillaBackdoor-Fig5.png\" alt=\"Figure 5. The MemGodValueShell function\"> <\/a> <\/p>\n<p><figcaption>Figure 5. The MemGodValueShell function<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<p>As shown in Figure 5, the <i>MemGodValueShell<\/i> class has four attributes: <i>uri<\/i>, <i>serverName<\/i>, <i>standardContext<\/i>, and <i>valveString<\/i>. 
These are used to store various pieces of information during the execution of the class methods.<\/p>\n<p><i>MemGodValueShell<\/i> has three methods: <i>getField<\/i> is a method that uses reflection to retrieve the value of a private field from an object (Figure 6). It traverses the class hierarchy to find the field.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/GodzillaBackdoor-Fig6.png\" alt=\"Figure 6. The getField method\"> <\/p>\n<p><figcaption>Figure 6. The getField method<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>The second method in the class is <i>getStandardContext<\/i> (Figure 7). This method attempts to retrieve the <i>StandardContext<\/i> object by iterating over all threads in the current thread group. It checks for threads that are part of the <i>StandardEngine<\/i> or <i>Acceptor<\/i> components of Tomcat. It retrieves various internal fields using reflection to navigate through the server&#8217;s internal structure.<b><\/b><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"ec72b7\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/GodzillaBackdoor-Fig7.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/GodzillaBackdoor-Fig7.png\" alt=\"Figure 7. getStandardContext method\"> <\/a> <\/p>\n<p><figcaption>Figure 7. 
getStandardContext method<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>The last and the main method is the class constructor <i>MemGodValueShell<\/i> (Figure 8). This constructor method performs several actions:<\/p>\n<ol>\n<li>Loads the&nbsp;<i>Valve<\/i>&nbsp;class from the current thread&#8217;s context class loader.<\/li>\n<li>Retrieves the&nbsp;<i>StandardContext<\/i>&nbsp;object using the&nbsp;<i>getStandardContext<\/i>&nbsp;method.<\/li>\n<li>Iterates over all threads in the current thread group.<\/li>\n<li>For each thread, if it is not named &#8220;exec&#8221;, the method:<\/li>\n<\/ol>\n<ul>\n<li><span class=\"rte-red-bullet\">Retrieves the target object of the thread<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Checks if the target object is an instance of&nbsp;<i>Runnable<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Retrieves the&nbsp;global&nbsp;field from the target object<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Iterates over the processors and retrieves the request (req) object<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Retrieves the&nbsp;<i>serverPort<\/i>,&nbsp;<i>serverNameMB<\/i>, and&nbsp;<i>decodedUriMB<\/i>&nbsp;fields from the request object<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Decodes the&nbsp;<i>valveString<\/i>&nbsp;from Base64 to a byte array<\/b><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Defines a new class using the&nbsp;<i>defineClass<\/i>&nbsp;method of the&nbsp;<i>ClassLoader<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Instantiates the new class and adds it as a valve to the pipeline of the&nbsp;<i>StandardContext<\/i><\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"e6dfb6\" 
href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/Godzilla-Fileless-Backdoors-figure-08.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/Godzilla-Fileless-Backdoors-figure-08.jpg\" alt=\"Figure 8. MemGodValueShell constructor method\"> <\/a> <\/p>\n<p><figcaption>Figure 8. MemGodValueShell constructor method<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>For easy troubleshooting, we printed some data, as shown in Figures 9 and 10:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"923381\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/Godzilla-Fileless-Backdoors-figure-09.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/Godzilla-Fileless-Backdoors-figure-09.jpg\" alt=\"Figure 9. Custom debugging for the MemGodValueShell constructor method\"> <\/a> <\/p>\n<p><figcaption>Figure 9. 
Custom debugging for the MemGodValueShell constructor method<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"8751f2\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/Godzilla-Fileless-Backdoors-figure-10.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/Godzilla-Fileless-Backdoors-figure-10.jpg\" alt=\"Figure 10. Custom debugging for the MemGodValueShell constructor method\"> <\/a> <\/p>\n<p><figcaption>Figure 10. Custom debugging for the MemGodValueShell constructor method<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p>In summary, <i>MemGodValueShell<\/i> does the following:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>Reflection Usage<\/b> \u2013 The code heavily uses Java Reflection to access private fields and methods of classes<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Thread Inspection<\/b> \u2013 It inspects threads to find specific ones related to Tomcat&#8217;s&nbsp;<i>StandardEngine<\/i>&nbsp;and&nbsp;<i>Acceptor<\/i><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Dynamic Class Loading<\/b> \u2013 It dynamically loads and defines a class from a Base64-encoded string<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Valve Injection<\/b> \u2013 It injects a custom valve into the Tomcat pipeline, which is intended to provide a backdoor or some form of unauthorized access<\/span><\/li>\n<\/ul>\n<p>In dynamic class loading, the <i>MemGodValueShell<\/i> constructor contains a long Base64 encoded string in a string variable <i>valveString<\/i>, which is also the 
compiled Java class <i>GodzillaValue<\/i> (Figure 11).<b> <\/b>After decompiling it, we obtained the Java code, which is explained below.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/GodzillaBackdoor-Fig11.png\" alt=\"Figure 11. Godzilla class\"> <\/p>\n<p><figcaption>Figure 11. Godzilla class<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"37\">\n<div readability=\"19\">\n<p>The class&nbsp;<i>GodzillaValue<\/i>&nbsp;extends&nbsp;<i>ValveBase<\/i>, indicating that it is a custom Tomcat valve. It has four fields:&nbsp;<i>xc<\/i>,&nbsp;<i>pass<\/i>,&nbsp;<i>md5<\/i>, and&nbsp;<i>payload<\/i>. The&nbsp;<i>xc<\/i>&nbsp;and&nbsp;<i>pass<\/i>&nbsp;fields are used for cryptographic operations, as <i>xc<\/i> is the key used for AES128, while&nbsp;<i>md5<\/i>&nbsp;stores an MD5 hash, and&nbsp;<i>payload<\/i>&nbsp;is used to store a dynamically loaded class. 
The <i>GodzillaValue<\/i> class stores the hardcoded <i>xc<\/i> string &#8220;3c6e0b8a9c15224a&#8221; and the <i>pass<\/i> string &#8220;pass&#8221;; these are likely used for authentication or encryption purposes.<\/p>\n<p>For the methods, we have the following:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>md5<\/b> \u2013 calculates MD5 hash<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>base64Encode<\/b> \u2013 Base64 encode<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>base64Decode<\/b> \u2013 Base64 decode<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>x<\/b> \u2013 AES encryption\/decryption method<\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>Invoke<\/b> \u2013 the overridden valve class method which handles HTTP requests and responses (Figure 12)<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"683601\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/Godzilla-Fileless-Backdoors-figure-12.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/Godzilla-Fileless-Backdoors-figure-12.jpg\" alt=\"Figure 12. Godzilla Invoke method\"> <\/a> <\/p>\n<p><figcaption>Figure 12. Godzilla Invoke method<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"35.38329764454\">\n<div readability=\"16.708779443255\">\n<p>It seems that the <i>Invoke<\/i> method is waiting for the next part of the attack payload, which will complete the cycle of the attack. But we never received this part in our honeypots, so this kind of shell stays idle until it receives the payload class. 
Based on this, the threat actor may be building their own botnet network.<\/p>\n<p>Based on the <a href=\"https:\/\/github.com\/BeichenDream\/GodzillaMemoryShellProject\" target=\"_blank\" rel=\"noopener\">Godzilla<\/a> source code analysis in Figure 12, we can reasonably infer that the payload class should look like the following (Figure 13):&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"1feff6\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/Godzilla-Fileless-Backdoors-figure-13.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/Godzilla-Fileless-Backdoors-figure-13.jpg\" alt=\"Figure 13. Custom sample of the payload class\"> <\/a> <\/p>\n<p><figcaption>Figure 13. Custom sample of the payload class<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"37\">\n<div readability=\"19\">\n<p>Based on our assumption, if we send a POST request with the <i>Accept-Language<\/i> header \u201czh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\u201d and the <i>pass<\/i> parameter value contains the compiled Java payload class encrypted with the <i>xc<\/i> key, it should initialize the payload class. 
We tried this, as shown in Figure 14, and Figure 15 shows how we successfully loaded the payload object.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/GodzillaBackdoor-Fig14.png\" alt=\"Figure 14. HTTP request to initialize payload class\"> <\/p>\n<p><figcaption>Figure 14. HTTP request to initialize payload class<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"08eb28\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/GodzillaBackdoor-Fig15.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/GodzillaBackdoor-Fig15.png\" alt=\"Figure 15. Logs which show successfully loading the payload object\"> <\/a> <\/p>\n<p><figcaption>Figure 15. 
Logs which show successfully loading the payload object<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>Now, we can try to determine if our shell works: To prepare our command, the encrypted command should be \u201cAES128(Base64encoded(command))\u201d and the AES key should be the <i>xc<\/i> parameter in <i>GodzillaValue<\/i> class (Figure 16).<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/GodzillaBackdoor-Fig16.png\" alt=\"Figure 16. Command sample\"> <\/p>\n<p><figcaption>Figure 16. Command sample<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>This worked, but going back to the <i>GodzillaValue<\/i> class, we noticed that the first and last 16 characters of the result is \u201cmd5(pass+xc)\u201d. Also, the command execution result is \u201cAES128(base64encode(result))\u201d encrypted with the <i>xc<\/i> key (Figure 17). Let\u2019s revert these cryptographic operations to get our result (Figure 18).&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/GodzillaBackdoor-Fig17.png\" alt=\"Figure 17. Command execution sample\"> <\/p>\n<p><figcaption>Figure 17. 
Command execution sample<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"image\" readability=\"6\">\n<figure class=\"image-figure\" readability=\"2\"> <a id=\"989144\" href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/GodzillaBackdoor-Fig18.png\" target=\"_blank\" rel=\"noopener noreferrer\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/24\/h\/silent-intrusions--godzilla-fileless-backdoors-targeting-atlassian-confluence-\/GodzillaBackdoor-Fig18.png\" alt=\"Figure 18. Command execution result after decrypting and decoding\"> <\/a> <\/p>\n<p><figcaption>Figure 18. Command execution result after decrypting and decoding<\/figcaption><\/p>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"37.090909090909\">\n<div readability=\"24.425720620843\">\n<h4>Vision One Hunting Queries<\/h4>\n<p>Hunting query if Atlassian Java executed commands:<\/p>\n<blockquote><p>(eventSubId:2 AND processCmd:atlassian AND parentCmd:atlassian AND parentCmd:java AND (objectName:*\\\\Windows\\\\System32\\\\* OR objectName:*bin\/*))<\/p><\/blockquote>\n<p><b>&nbsp;<\/b><\/p>\n<h4>Conclusion<\/h4>\n<p>The CVE-2023-22527 vulnerability continues to be widely exploited by a wide range of threat actors who abuse this vulnerability to perform malicious activities, making it a significant security risk to organizations worldwide. The users of Atlassian Confluence are advised to immediately patch their servers and mitigate the risks associated with this attack. 
Leveraging security solutions such as&nbsp;<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/one-platform.html\" target=\"_blank\" rel=\"noopener\">Trend Vision One\u2122\ufe0f<\/a>&nbsp;can assist organizations in safeguarding their environment from threat actors and attacks like the one described in initial stages of the attack.<\/p>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/endpoint-security.html\" target=\"_blank\" rel=\"noopener\">Trend Vision One\u2122 \u2013 Endpoint Security<\/a> provides protection from any threats that may target this vulnerability via the following Deep Packet Inspection (DPI) rule:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>1011954<\/b> &#8211; Atlassian Confluence Data Center and Server Template Injection Vulnerability (CVE-2023-22527)<\/span><\/li>\n<\/ul>\n<p>TippingPoint has posted a Customer Shield Writer (CSW) file for this vulnerability that is available for customers to download on <a href=\"https:\/\/tmc.tippingpoint.com\/\" target=\"_blank\" rel=\"noopener\">Threat Management Center (TMC)<\/a>. 
The applicable rule is as follows:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>43721<\/b> &#8211; HTTP: Atlassian Confluence Data Center and Server Template Injection Vulnerability<\/span><\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/endpoint-security\/workload-security.html\" target=\"_blank\" rel=\"noopener\">Trend Micro Cloud One \u2013 Workload Security<\/a> helps defend a variety of environments such as virtual, physical, cloud, and containers against this threat via this rule:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>1011954<\/b> &#8211; Atlassian Confluence Data Center and Server Template Injection Vulnerability (CVE-2023-22527)<\/span><\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/network\/advanced-threat-protection\/inspector.html\" target=\"_blank\" rel=\"noopener\">Trend Micro Deep Discovery Inspector<\/a> customers are protected with the following rule:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>DDI RULE 4990<\/b> &#8211; CVE-2023-22527 &#8211; Atlassian OGNL Injection Exploit &#8211; HTTP (Request)<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<h4>Indicators of Compromise (IOC)<\/h4>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\" width=\"608\">\n<tbody readability=\"3\">\n<tr>\n<td width=\"361\" valign=\"top\"><b>Hash<\/b><\/td>\n<td width=\"247\" valign=\"top\"><b>Detection<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"361\" valign=\"top\">dfeccdc0c1d28f1afd64a7bb328754d07eead10c<\/td>\n<td width=\"247\" valign=\"top\">TROJ_FRS.VSNTH724<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td width=\"361\" valign=\"top\">2cb94ce0b147303b7beb91f034d0dc7fa734dbcb<\/td>\n<td width=\"247\" valign=\"top\">Backdoor.JS.WEBSHELL.VSNW08H24<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h4>MITRE ATT&amp;CK Techniques<\/h4>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\" width=\"601\">\n<tbody 
readability=\"9\">\n<tr>\n<td width=\"200\" valign=\"top\"><b>Tactic<\/b><\/td>\n<td width=\"243\" valign=\"top\"><b>Technique<\/b><\/td>\n<td width=\"158\" valign=\"top\"><b>Technique ID<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"200\" valign=\"top\">Initial Access<\/td>\n<td width=\"243\" valign=\"top\">Exploit Public-Facing Application<\/td>\n<td width=\"158\" valign=\"top\">T1190<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"200\" valign=\"top\">Execution<\/td>\n<td width=\"243\" valign=\"top\">Command and Scripting Interpreter: Unix Shell &nbsp;<\/td>\n<td width=\"158\" valign=\"top\">T1059.004<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"200\" rowspan=\"5\" valign=\"top\">Defense Evasion<\/td>\n<td width=\"243\" valign=\"top\">Obfuscated Files or Information: Encrypted\/Encoded File<\/td>\n<td width=\"158\" valign=\"top\">T1027.013<\/td>\n<\/tr>\n<tr>\n<td width=\"243\" valign=\"top\">Reflective Code Loading<\/td>\n<td width=\"158\" valign=\"top\">T1620<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"243\" valign=\"top\">Obfuscated Files or Information: Embedded Payloads<\/td>\n<td width=\"158\" valign=\"top\">T1027.009<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"243\" valign=\"top\">Process Injection: Thread Execution Hijacking &nbsp;<\/td>\n<td width=\"158\" valign=\"top\">T1055.003<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"243\" valign=\"top\">Deobfuscate\/Decode Files or Information<\/td>\n<td width=\"158\" valign=\"top\">T1140<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"200\" valign=\"top\">Command and Control<\/td>\n<td width=\"243\" valign=\"top\">Encrypted Channel: Symmetric Cryptography<\/td>\n<td width=\"158\" valign=\"top\">T1573.001<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"200\" valign=\"top\">Persistence<\/td>\n<td width=\"243\" valign=\"top\">Server Software Component: Web Shell<\/td>\n<td width=\"158\" valign=\"top\">T1505.003<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"200\" 
valign=\"top\">Exfiltration<\/td>\n<td width=\"243\" valign=\"top\">Exfiltration Over Alternative Protocol: Exfiltration Over Symmetric Encrypted Non-C2 Protocol<\/td>\n<td width=\"158\" valign=\"top\">T1048.001<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/24\/h\/godzilla-fileless-backdoors.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Trend Micro discovered that old Atlassian Confluence versions that were affected by CVE-2023-22527 are being exploited using a new in-memory fileless backdoor. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9513,9509],"class_list":["post-56978","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-08-30T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/GodzillaBackdoor-header:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence\",\"datePublished\":\"2024-08-30T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\\\/\"},\"wordCount\":1871,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/GodzillaBackdoor-header:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\\\/\",\"name\":\"Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/GodzillaBackdoor-header:Large?qlt=80\",\"datePublished\":\"2024-08-30T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/GodzillaBackdoor-header:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/GodzillaBackdoor-header:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, 
News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\/","og_locale":"en_US","og_type":"article","og_title":"Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-08-30T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/GodzillaBackdoor-header:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence","datePublished":"2024-08-30T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\/"},"wordCount":1871,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/GodzillaBackdoor-header:Large?qlt=80","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Malware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\/","url":"https:\/\/www.threatshub.org\/blog\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\/","name":"Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/GodzillaBackdoor-header:Large?qlt=80","datePublished":"2024-08-30T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/GodzillaBackdoor-header:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/GodzillaBackdoor-header:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/silent-intrusions-godzilla-fileless-backdoors-targeting-atlassian-confluence\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian 
Confluence"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a
8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/56978","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=56978"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/56978\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=56978"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=56978"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=56978"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}