GeoServer Exploits, PolarEdge, and Gayfemboy Push Cybercrime Beyond Traditional Botnets
Briefly

Attackers exploit CVE-2024-36401 (CVSS 9.8) in OSGeo GeoServer GeoTools to achieve remote code execution and deploy payloads. Attackers probe GeoServer instances exposed to the internet and drop customized executables from adversary-controlled servers. Payloads are distributed via a private file-sharing instance using transfer.sh rather than conventional HTTP servers. The applications use minimal resources and interact with legitimate passive-income services to monetize victims' bandwidth for network sharing or residential proxies. Exposed Redis servers are abused to assemble IoT botnets, proxy networks, and cryptocurrency mining infrastructure. Operators prioritize stealthy, low-resource monetization over overt malware.
Cybersecurity researchers are calling attention to multiple campaigns that leverage known security vulnerabilities and exposed Redis servers for various malicious activities, including using the compromised devices as IoT botnets, residential proxies, or cryptocurrency mining infrastructure.
The cybersecurity company said attackers have been probing GeoServer instances exposed to the internet since at least early March 2025, using the access to drop customized executables from adversary-controlled servers. The payloads are distributed via a private instance of a file-sharing server running transfer.sh, as opposed to a conventional HTTP web server. The applications used in the campaign aim to fly under the radar by consuming minimal resources, while stealthily monetizing victims' internet bandwidth without the need to distribute custom malware.
Read at The Hacker News