Cybersecurity researchers are calling attention to multiple campaigns that leverage known security vulnerabilities and exposed Redis servers for various malicious activities, including turning the compromised devices into IoT botnets, residential proxies, or cryptocurrency mining infrastructure.
The first set of attacks entails the exploitation of CVE-2024-36401 (CVSS score: 9.8), a critical remote code execution vulnerability impacting OSGeo GeoServer GeoTools that has been weaponized in cyber attacks since late last year.
“Criminals have used the vulnerability to deploy legitimate software development kits (SDKs) or modified apps to gain passive income via network sharing or residential proxies,” Palo Alto Networks Unit 42 researchers Zhibin Zhang, Yiheng An, Chao Lei, and Haozhe Zhang said in a technical report.
“This method of generating passive income is particularly stealthy. It mimics a monetization strategy used by some legitimate app developers who choose SDKs instead of displaying traditional ads. This can be a well-intentioned choice that protects the user experience and improves app retention.”
The cybersecurity company said attackers have been probing GeoServer instances exposed to the internet since at least early March 2025, leveraging the access to drop customized executables from adversary-controlled servers. The payloads are distributed via a private instance of a file-sharing server using transfer.sh, as opposed to a conventional HTTP web server.
The applications used in the campaign aim to fly under the radar by consuming minimal resources, while stealthily monetizing victims’ internet bandwidth without the need for distributing custom malware. The binaries, written in Dart, are designed to interact with legitimate passive income services, discreetly using the device resources for activities like bandwidth sharing.
The approach is a win-win situation for all parties involved, as developers of the applications receive payments in exchange for integrating the feature, and the cybercriminals get to profit off unused bandwidth using a seemingly innocuous channel that doesn’t raise any red flags.
“Once running, the executable operates covertly in the background, monitoring device resources and illicitly sharing the victim’s bandwidth whenever possible,” Unit 42 said. “This generates passive income for the attacker.”
Telemetry data gathered by the company shows that there were over 7,100 publicly exposed GeoServer instances across 99 countries, with China, the United States, Germany, Great Britain, and Singapore taking the top five spots.
“This ongoing campaign showcases a significant evolution in how adversaries monetize compromised systems,” Unit 42 said. “The attackers’ core strategy focuses on stealthy, persistent monetization rather than aggressive resource exploitation. This approach favors long-term, low-profile revenue generation over easily detectable techniques.”
The disclosure comes as Censys detailed the…