Z0Miner malware spreading through unpatched Elasticsearch and Jenkins servers


Z0Miner struck last year, when Tencent Security tracked the malware exploiting two WebLogic pre-auth RCE bugs, CVE-2020-14882 and CVE-2020-14883. At the time, the team of security analysts estimated the miner had compromised around 5,000 servers by sending "carefully constructed data packets" to the vulnerable systems. The malware also moved laterally via SSH.
Before that, Oracle had already issued a security bulletin warning of vulnerabilities in WebLogic components. At the time, research from cyber security company Rapid7 said the flaw was “trivial to exploit.”
Researchers said the malware has since shifted to finding and infecting systems by exploiting remote command execution vulnerabilities in Elasticsearch and Jenkins.

© 2025 Vimarsana