A stealthy campaign emerged in early March 2025 that capitalized on a critical remote code execution flaw in GeoServer (CVE-2024-36401) to compromise publicly exposed geospatial servers.
Attackers exploited JXPath query injection within Apache Commons libraries, allowing arbitrary code execution through crafted XML requests.
This vector enabled the silent deployment of customized executables that leveraged legitimate passive-income software development kits (SDKs) and applications, effectively turning victim networks into illicit proxy farms.
Within days of the initial wave, Palo Alto Networks analysts noted a significant surge in probing activity against vulnerable GeoServer instances.
Cortex Xpanse telemetry revealed over 3,700 publicly accessible servers in the first week of May 2025 alone, underscoring the vast attack surface available to threat actors.
These adversaries moved quickly to evade detection, rotating distribution IPs from 37.187.74[.]75 to 185.246.84[.]189 and expanding backend infrastructure to include a transfer.sh-style file-sharing service on port 8080.
The monetization strategy behind this campaign favored long-term stealth over rapid resource consumption.
Rather than deploying noisy cryptocurrency miners, attackers delivered two core payloads: a misused SDK that silently aggregated bandwidth-sharing sessions across infected hosts, and a misused application that created hidden directories and launched executables with minimal resource footprints.
Both payloads mimicked legitimate passive-income services, making them difficult to detect through signature-based defenses.
Victims remained unaware as their machines quietly forwarded web traffic or participated in residential proxy networks.
By integrating genuine Dart-compiled binaries, the attackers exploited cross-platform capabilities to target Linux servers and bypass detection signatures tuned for more common malware languages.
Indicators of compromise included connections to hxxp://37.187.74[.]75:8080 and hxxp://64.226.112[.]52:8080, where stage-one scripts such as z593 fetched additional stagers.
Infection Mechanism Deep Dive
One of the most insidious aspects of this campaign lies in its exploitation of JXPath’s extension functions.
Upon receiving a crafted GetPropertyValue request, GeoServer's property accessor mechanism passed an attacker-controlled expression into the iteratePointers method. The injected expression then invoked java.lang.Runtime.exec, triggering remote command execution.
A snippet illustrating this injection appeared as a figure in the original post.
Upon successful execution, z593 acted as a stager, creating a hidden folder under /var/tmp/.cache and fetching two additional payloads: z401, which established the execution environment, and z402, which launched the main executable with an embedded SDK key.
By chaining these stages, the attackers achieved persistence and ensured that bandwidth-sharing processes resumed automatically on reboot.
Through this meticulous, multi-stage approach, threat actors have demonstrated how leveraging legitimate SDKs and file-sharing services can facilitate undetected monetization of network resources.
Security teams are urged to apply GeoServer patches immediately, monitor outbound connections to known malicious IPs, and deploy behavioral analytics capable of identifying anomalous JXPath queries to thwart similar campaigns.
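As an added illustration of the request monitoring the article recommends (this is not code from Palo Alto Networks or the original post), the Python below flags GeoServer WFS GET requests whose property reference carries JXPath extension-function syntax, run over constructed access-log lines. The detection regex, the parameter names checked (valueReference, propertyName) and the log format are assumptions; POST bodies, which the article also names as a vector, are not visible in access logs and would need request-body logging or a WAF.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Heuristic (assumed, not from the article): JXPath extension-function syntax in a
# WFS property reference, e.g. a Runtime/exec call or a fully qualified class name.
JXPATH_ABUSE = re.compile(
    r"java\.lang\.Runtime|getRuntime\s*\(|\bexec\s*\(|\bjavax?\.[a-z]+(?:\.\w+)+", re.I)

def suspicious_wfs_request(request_line: str) -> bool:
    """True when a GET request line targets WFS and its property reference
    (valueReference / propertyName) carries JXPath extension-function syntax.
    POST bodies are not visible in access logs and need request-body logging."""
    try:
        _method, target, _proto = request_line.split(" ", 2)
    except ValueError:
        return False
    params = {k.lower(): v for k, v in parse_qs(urlsplit(target).query).items()}
    if params.get("service", [""])[0].upper() != "WFS":
        return False
    for key in ("valuereference", "propertyname"):
        for value in params.get(key, []):
            if JXPATH_ABUSE.search(unquote(value)):  # 2nd decode: double-encoding
                return True
    return False

def scan_access_log(lines):
    """Return client IPs whose WFS requests look like JXPath injection attempts."""
    hits = []
    for line in lines:
        m = re.search(r'"([^"]*)"', line)  # the quoted request line
        if m and suspicious_wfs_request(m.group(1)):
            hits.append(line.split(" ", 1)[0])
    return hits

# Constructed sample lines in Apache combined format (not real telemetry);
# the second carries a placeholder COMMAND, not a working payload.
ACCESS_LOG = [
    '10.0.0.5 - - [12/May/2025:10:01:02 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetFeature&typeNames=topp:states&propertyName=STATE_NAME HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/May/2025:10:01:05 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=exec(java.lang.Runtime.getRuntime()%2C%27COMMAND%27) HTTP/1.1" 200 144',
]

if __name__ == "__main__":
    print("JXPath injection attempts from:", scan_access_log(ACCESS_LOG))
```

Feed it the web server's access log and route the returned client IPs, together with the outbound connections to the article's listed IPs, into the SOC's alerting.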