This topic contains 1 reply, has 2 voices, and was last updated by DrTankHead 1 month, 3 weeks ago.
- February 27, 2021 at 7:17 pm #367470
Most malware is written in C or C++, but why is that? Can you write effective undetected malware in Java, or is it better to learn C/C++ because Java is pretty easy to reverse engineer?
What’s the benefit of learning C in this case?
PS: I don’t want to harm people with this, I’m just interested in how it works, how to bypass antivirus and so on. A good way of doing this is writing my own.
- February 27, 2021 at 7:17 pm #367475
Scorillo75
Not to mention that C and C++ are the most stable platforms. Air traffic control, railways control, medical software, road traffic control, everything is written in C++ because you can’t afford a crash.
- February 27, 2021 at 7:17 pm #367476
BenjaminLay
No, C is more powerful
- February 27, 2021 at 7:17 pm #367473
fantastuc
If you’re trying to hack a JVM, then, sure.
- February 27, 2021 at 7:17 pm #367474
ifpthenq2
While I think it’s possible – one of the features of Java is that it was explicitly created to run inside a virtual machine and advertised to the user as being “safe” because it never touches your actual machine.
So it would be difficult, but technically, Java can get a hold of your built-in OS hooks with the right permissions, so if you could figure out some method of privilege escalation you could use those to manipulate the OS (but it would be pretty limited). As far as loading its own payload, technically Java is not supposed to be able to access any memory outside of the virtual machine, but you *could* use Java to run a script or a C program to then load a payload. It’s probably not worth it though, because if you’re going to use C for part of it, you might as well use C for all of it.
You could use Java to run some really low-key malware – like to launch popups or something disruptive, but it would be easy to kill by simply destroying the JVM. And you couldn’t really use it to do something like use up a lot of memory, because the JVM won’t let you. You could use it to create a botnet – but again, it would be really easy to root out and squash.
I wouldn’t choose Java to write malware, unless I just really wanted a challenge. Like – can you eat soup with a fork? Probably, if you try really hard, but nobody would choose to.
- February 27, 2021 at 7:17 pm #367472
cafk
Java code needs an interpreter to run the application, so your target needs to have Java installed and universally available to any user or application. Then you need to somehow actually load and run the bytecode – which may be blocked by an updated Java runtime.
C/C++ can be compiled into a 10kb executable or a library that when placed into certain directories is run automatically without the need of any additional software – and most of the code (unless you depend on Win32/COM/POSIX specific vulnerabilities) can be compiled to any ISA or platform.
So in the end you can have universal code, with an even smaller platform specific payload 🙂
- February 27, 2021 at 7:17 pm #367471
DrTankHead
Java has the benefit of cross-platform compatibility and better code obfuscation; however, your attack vector is more narrow. Any browser worth its salt avoids downloading .jar, and in most cases a user has to go back in and mark the jar file as executable. You can bypass these of course, but for some it’s easier to target Windows with Call based stuff, as you get the most results.
With any sort of attack, you have to ask what your attack vector and goal is. If you are targeting a niche field, you likely will get fewer results, but with better quality in the results. Great for attacking specific things.
Or there is a wider vector, with lower quality results.
Java is interesting to play with. It’s not like taboo to use, just most attacks go for the wider net.
Of course what you do is your own discretion and risk, but I hope maybe my response gave you some insight. Happy Hacking!