The first step in an investigation is to determine whether this is indeed malicious behavior.
Reviewing the audit logs under Monitor > Events > Container Audits shows a troubling pattern of behavior.
A number of commands are being executed by Java, including a copy of the sensitive /etc/passwd file.
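
One way to triage audit entries like these offline, as an added example that is not part of the original page or the product's own tooling. The JSON field names, the sample events and the SENSITIVE_PATHS list are constructed assumptions, not the console's export format.

```python
import json
import posixpath
import shlex

# Constructed sample events, one JSON object per line. The field names are
# assumptions for this example, not the console's export schema.
SAMPLE_AUDITS = """
{"time": "2024-01-01T10:00:00Z", "container": "webapp", "parent": "sh", "command": "java -jar /app/app.jar"}
{"time": "2024-01-01T10:05:12Z", "container": "webapp", "parent": "java", "command": "whoami"}
{"time": "2024-01-01T10:05:40Z", "container": "webapp", "parent": "/usr/bin/java", "command": "cp /etc//passwd /tmp/passwd.bak"}
{"time": "2024-01-01T10:06:00Z", "container": "proxy", "parent": "nginx", "command": "nginx -s reload"}
"""

# Assumed list of files worth escalating on; extend for your environment.
SENSITIVE_PATHS = {"/etc/passwd", "/etc/shadow"}


def triage(audit_lines, parent_name="java"):
    """Return events spawned by parent_name, escalating sensitive-file access."""
    findings = []
    for line in audit_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        # An application runtime spawning child processes is the anomaly.
        if posixpath.basename(event["parent"]) != parent_name:
            continue
        try:
            args = shlex.split(event["command"])
        except ValueError:  # unbalanced quotes: fall back to a plain split
            args = event["command"].split()
        # Normalise so /etc//passwd or /etc/./passwd still match.
        touched = sorted({posixpath.normpath(a) for a in args} & SENSITIVE_PATHS)
        findings.append({
            "time": event["time"],
            "container": event["container"],
            "command": event["command"],
            "severity": "high" if touched else "medium",
            "sensitive_paths": touched,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDITS):
        print(f["severity"], f["time"], f["container"], f["command"])
```

Any process whose parent is the Java runtime is reported at medium severity, and the entry is raised to high when one of its arguments resolves to a listed sensitive file.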