Tencent Security Threat Intelligence Center detected that many enterprise management systems were hacked and mined. These systems were built using the vulnerable version of JBoss. When a hacker controls server mining, the CPU usage is close to 100%, which causes a serious decrease in system performance and greatly affects the normal business of the enterprise. The attacker used multiple versions of the RedHat Jboss Application Service Platform 4.X, 5.X, and 6.X deserialization vulnerabilities, numbered CVE-2017-7504, CVE-2015-7501, and the hacker used a carefully constructed EXP Attacks can lead to remote code execution. The vulnerable JBoss version builds a background management system, which will be hacked to exploit the vulnerability. After the payload is successfully executed, Payload executes the Powershell script to download the mining Trojan xnote.exe and perform a persistent attack by installing a scheduled task.