June 12, 2025
Severity
High
Analysis Summary
A massive, coordinated cyberattack campaign targeting Apache Tomcat Manager interfaces was detected, peaking on June 5, 2025. Threat actors utilized approximately 400 unique IP addresses to launch a wave of brute force and login attempts far exceeding normal baseline activity. The volume of malicious traffic was 10 to 20 times higher than usual, indicating a highly organized and deliberate campaign rather than random scanning.
The analysis identified two attack vectors, brute-force attempts and login attempts, each showing an unprecedented spike. The brute-force vector alone involved 250 unique malicious IP addresses, against a normal range of 1–15; the login-attempt vector registered 298 unique IPs, against a typical 10–40. Nearly all traffic on these vectors was classified as malicious. The activity built up over the first days of June and peaked on June 5, reflecting sustained, coordinated pressure on the targeted systems.
Technically the campaign was disciplined. Requests were aimed narrowly at Tomcat Manager endpoints rather than at broad port or path scans, which keeps the traffic below the thresholds that generic scanner detection relies on. A significant share of the malicious IPs sat in DigitalOcean address space (ASN 14061), showing that the actors rented legitimate cloud infrastructure. That gives them scalability, geographic spread and cover among ordinary cloud traffic; it also means the addresses are cheap to abandon, so IP-based blocking alone will not hold.
Organizations running Apache Tomcat should act now. Blocking the 400+ identified IPs halts the current wave, but the lasting controls are structural: expose the Manager application only to trusted networks (VPN or IP allow-listing), enforce strong, non-default credentials with account lockout, and add multi-factor authentication through a reverse proxy or SSO gateway in front of the Manager, since Tomcat's built-in Manager authentication (container-managed BASIC or FORM login against a realm) does not provide MFA on its own. Security teams should also review access and authentication logs for the period before and during the attack, looking in particular for a successful Manager login (HTTP 200 on a /manager/ path with an authenticated user) from an address that had previously been failing, which would indicate a guessed credential.
Impact
- Unauthorized Access to the Tomcat Manager application, which allows an attacker holding a valid manager role to deploy arbitrary web applications (WAR files) and thereby execute code on the host.
Affected Vendors
- Apache
Affected Products
- Apache Tomcat Manager
Remediation
- Block all identified malicious IP addresses (400+ involved in brute force and login attempts) using updated threat intelligence feeds. Treat this as a short-term measure only: the attackers used rented cloud addresses that are easily rotated.
- Restrict access to Tomcat Manager interfaces: allow access only from trusted IP addresses (IP allow-listing) and place the interface behind a VPN. Tomcat ships a RemoteAddrValve in the Manager application's context.xml that by default permits only loopback addresses; extend its allow pattern to the trusted admin range rather than removing the valve.
- Enforce strong authentication: require multi-factor authentication (MFA) for Tomcat Manager access by fronting it with a reverse proxy or SSO gateway, since the built-in Manager login does not support MFA natively, and implement strong password policies (complexity, expiration, no default tomcat-users.xml accounts).
- Disable or remove the Tomcat Manager app if it's not needed.
- Regularly monitor and review authentication logs for unusual login times, sources or patterns, and for repeated failed login attempts (for the Manager these appear as HTTP 401 responses on /manager/ paths in the Tomcat access log).
- Rate-limit login attempts to reduce brute-force effectiveness; Tomcat's LockOutRealm, which wraps the user realm in the default server.xml, locks an account after repeated failures (5 failures for 300 seconds by default).
- Deploy Web Application Firewalls (WAFs) to detect and block automated attack patterns.
- Update and patch Apache Tomcat and related components to fix known vulnerabilities.
- Monitor cloud-based infrastructure traffic for signs of abuse or anomalous outbound connections.
- Implement security alerting on high-volume login attempts or unauthorized access.
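As an added example, not part of the advisory or of Apache Tomcat, the following Python script implements the log review and alerting recommended above over Tomcat access-log lines in the default "common" pattern (%h %l %u %t "%r" %s %b). It counts unique source IPs failing against /manager/ per day, flags a day that exceeds the advisory's stated normal range of unique brute-force IPs (the 1–15 range is assumed as the threshold here), produces a deny list of brute-forcing addresses, and, most importantly, flags any successful Manager login that came from an address that had previously been failing or from outside a trusted admin network. The log lines, the trusted network 10.0.0.0/8 and the per-IP failure threshold are constructed assumptions for the demonstration.

```python
"""Detect a Tomcat Manager brute-force wave and suspicious successful logins
from access_log lines. Sample data is constructed; thresholds are assumptions."""
import ipaddress
import re
from collections import defaultdict

# Tomcat "common" access log pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
MANAGER_PATHS = ("/manager/", "/host-manager/")

# Assumed trusted admin network: a successful Manager login from anywhere
# else is treated as a potential compromise.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumed from the advisory's normal range of 1-15 unique brute-force IPs/day.
BASELINE_MAX_UNIQUE_IPS = 15
# Assumed: this many 401s from one IP in a day counts as brute force.
BRUTE_FORCE_MIN_FAILURES = 5


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["day"] = rec["ts"].split(":", 1)[0]  # "05/Jun/2025"
    return rec


def analyze(lines):
    """Return (per-day stats, suspicious successful logins)."""
    failures = defaultdict(lambda: defaultdict(int))  # day -> ip -> 401/403 count
    successes = []                                     # (day, ip, user)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(MANAGER_PATHS):
            continue
        if rec["status"] in (401, 403):
            failures[rec["day"]][rec["ip"]] += 1
        elif rec["status"] == 200 and rec["user"] != "-":
            successes.append((rec["day"], rec["ip"], rec["user"]))

    days = {}
    for day, per_ip in failures.items():
        brute = {ip for ip, n in per_ip.items() if n >= BRUTE_FORCE_MIN_FAILURES}
        days[day] = {"unique_ips": len(per_ip), "brute_force_ips": brute,
                     "spike": len(per_ip) > BASELINE_MAX_UNIQUE_IPS}

    # An authenticated 200 on the Manager from an untrusted source, or from an
    # IP that was failing earlier the same day, is the breach signature to chase.
    suspicious = []
    for day, ip, user in successes:
        addr = ipaddress.ip_address(ip)
        untrusted = not any(addr in net for net in TRUSTED_NETS)
        failed_before = failures[day].get(ip, 0) > 0
        if untrusted or failed_before:
            suspicious.append({"day": day, "ip": ip, "user": user,
                               "untrusted_source": untrusted,
                               "failed_before_success": failed_before})
    return days, suspicious


def block_list(days):
    """IPs that crossed the brute-force threshold on any day (firewall deny list)."""
    return sorted({ip for d in days.values() for ip in d["brute_force_ips"]})


def build_sample():
    """Constructed access_log lines: a quiet day (03/Jun) and the 05/Jun wave."""
    fmt = '{ip} - {user} [{day}:{hms} +0000] "GET /manager/html HTTP/1.1" {status} 2473'
    lines = []
    for i in range(1, 4):       # quiet day: 3 IPs, 2 failures each
        for k in range(2):
            lines.append(fmt.format(ip=f"203.0.113.{i}", user="-", day="03/Jun/2025",
                                    hms=f"09:00:{k:02d}", status=401))
    for i in range(1, 21):      # wave: 20 IPs, 6 failures each
        for k in range(6):
            lines.append(fmt.format(ip=f"198.51.100.{i}", user="-", day="05/Jun/2025",
                                    hms=f"10:{i:02d}:{k:02d}", status=401))
    # One attacker IP eventually guesses a password (the breach to detect)...
    lines.append(fmt.format(ip="198.51.100.7", user="tomcat", day="05/Jun/2025",
                            hms="10:30:00", status=200))
    # ...while a legitimate admin logs in from the trusted network.
    lines.append(fmt.format(ip="10.1.2.3", user="admin", day="05/Jun/2025",
                            hms="11:00:00", status=200))
    return lines


SAMPLE_LOG = build_sample()

if __name__ == "__main__":
    day_stats, alerts = analyze(SAMPLE_LOG)
    for day, st in sorted(day_stats.items()):
        print(f"{day}: {st['unique_ips']} unique failing IPs, spike={st['spike']}")
    print("deny list:", block_list(day_stats))
    print("suspicious logins:", alerts)
```

Run it against a real file with `analyze(open("/var/log/tomcat/localhost_access_log.2025-06-05.txt"))`; the access-log pattern must be the "common" one (or adjust LOG_RE for a custom pattern), and the 401 counting only works when Manager authentication is BASIC, since FORM login failures are redirects rather than 401s.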