US University Targeted by Androxgh0st Botnet Operators for C2 Logger Hosting
CloudSEK’s TRIAD team reports that the Androxgh0st botnet remains an active and evolving threat.
It has targeted a subdomain of the University of California, San Diego, specifically the “USArhythms” portal associated with the USA Basketball Men’s U19 National Team for the 2025 FIBA Under-19 Basketball World Cup, to host its command-and-control (C2) logger panels.
This marks a significant escalation in the botnet’s tactics, exploiting trusted academic domains to mask malicious activities.
Sophisticated Cyber Threat
Active since at least 2023, Androxgh0st has expanded its arsenal to more than 20 weaponized vulnerabilities and has grown its set of initial access vectors (IAVs) by 50% since CloudSEK’s last report.
The botnet targets a range of platforms, including Apache Shiro, Spring Framework (via the critical Spring4Shell CVE-2022-22965), WordPress plugins like “Popup Maker” (CVE-2019-17574), and IoT devices such as Lantronix PremierWave (CVE-2021-21881), to execute remote code, steal sensitive data, and deploy cryptomining payloads.

The technical sophistication of Androxgh0st is evident in its exploitation methods, which include Java Naming and Directory Interface (JNDI) injections in Apache Shiro and FasterXML jackson-databind, Unix command injections to disclose sensitive files like /etc/passwd, and complex Object-Graph Navigation Language (OGNL) payloads against Apache Struts.
Advanced Exploitation Techniques
Additionally, the botnet deploys webshells such as abuok.php (which decodes a hex-encoded payload with hex2bin and hands it to eval) and myabu.php (which hides its payload with ROT13, PHP’s str_rot13) to maintain persistent access and stage further malware.
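The two obfuscation patterns named above are simple to audit for statically: look for eval() whose argument is the output of a decoder, decode the literal, and inspect what it hides. The following is an added example, not CloudSEK’s code and not the webshells themselves; the PHP samples are constructed to mimic the described hex2bin and str_rot13 patterns, and base64_decode is added as a common companion decoder the article does not mention.

```python
"""Static audit of PHP files for eval() fed by a decoder: the hex2bin pattern
(abuok.php) and the str_rot13 pattern (myabu.php) described in the article.
Added example; not CloudSEK's code and not the real webshells."""
import base64
import codecs
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Decoders an attacker chains into eval(). hex2bin and str_rot13 are the two the
# article names; base64_decode is a common companion added here for coverage.
DECODERS = ("hex2bin", "str_rot13", "base64_decode")

# eval( <decoder>( '<literal>'  -> group 1 decoder, group 2 quote, group 3 literal
EVAL_DECODER = re.compile(
    rb"eval\s*\(\s*(" + b"|".join(d.encode() for d in DECODERS) + rb")\s*\(\s*(['\"])(.*?)\2",
    re.IGNORECASE | re.DOTALL,
)

# Calls that give command execution once the payload layer is decoded.
DANGEROUS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open", "assert")

# Constructed samples (not the real abuok.php / myabu.php); the inner payload is
# the same in both so the decoded result can be compared.
_PAYLOAD = 'system($_GET["c"]);'
HEX2BIN_SHELL = ("<?php eval(hex2bin('" + _PAYLOAD.encode().hex() + "')); ?>").encode()
ROT13_SHELL = ("<?php eval(str_rot13('" + codecs.encode(_PAYLOAD, "rot_13") + "')); ?>").encode()
# Decoy: legitimate hex2bin use without eval; the audit must not flag it.
SAFE_PHP = b"<?php $raw = hex2bin($_POST['color']); echo strlen($raw); ?>"


def _decode_literal(decoder, literal):
    """Best-effort decode of the literal handed to the decoder; None on failure."""
    try:
        if decoder == "hex2bin":
            return bytes.fromhex(literal).decode("latin-1")
        if decoder == "str_rot13":
            return codecs.decode(literal, "rot_13")
        if decoder == "base64_decode":
            return base64.b64decode(literal, validate=True).decode("latin-1")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return None


def audit_php(src: bytes) -> dict:
    """Flag eval()-of-decoder, decode the literal, list dangerous calls in it.
    The file's MD5 is returned so it can be compared with published IOC hashes."""
    result = {"md5": hashlib.md5(src).hexdigest(), "suspicious": False,
              "decoder": None, "decoded": None, "dangerous_calls": []}
    m = EVAL_DECODER.search(src)
    if not m:
        return result
    decoder = m.group(1).decode().lower()
    result.update(suspicious=True, decoder=decoder)
    decoded = _decode_literal(decoder, m.group(3).decode("latin-1"))
    if decoded is not None:
        result["decoded"] = decoded
        result["dangerous_calls"] = [
            f for f in DANGEROUS if re.search(rf"\b{f}\s*\(", decoded, re.IGNORECASE)]
    return result


def audit_tree(root) -> dict:
    """Walk a webroot and return the audit of every .php file that is flagged."""
    hits = {}
    for p in Path(root).rglob("*.php"):
        rep = audit_php(p.read_bytes())
        if rep["suspicious"]:
            hits[str(p)] = rep
    return hits


def demo() -> dict:
    """Write the constructed samples into a temporary webroot and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("abuok_like.php", HEX2BIN_SHELL),
                           ("myabu_like.php", ROT13_SHELL), ("index.php", SAFE_PHP)):
            Path(root, name).write_bytes(body)
        return {os.path.basename(k): v for k, v in audit_tree(root).items()}


if __name__ == "__main__":
    for name, rep in demo().items():
        print(f"{name}: decoder={rep['decoder']} calls={rep['dangerous_calls']} md5={rep['md5']}")
```

The decoy shows why the check keys on eval() receiving a decoder’s output rather than on the presence of hex2bin alone; a real audit would also want to catch variable indirection (`$f = 'eval'; $f(...)`), which this pattern does not cover.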
CloudSEK’s analysis also points to cryptomining, with JSON-RPC calls to the getwork and eth_getWork methods (the work-fetching calls a mining client issues) indicating that compromised systems are being repurposed for illicit cryptocurrency mining.
The misuse of academic infrastructure not only risks data breaches and regulatory exposure but also tarnishes the reputation of trusted institutions.
Mitigation strategies include patching the known CVEs, restricting outbound LDAP and RMI connections from application servers (the channels JNDI lookups use), and deploying Web Application Firewalls (WAFs) alongside regular audits for suspicious PHP files.
CloudSEK has provided YARA rules to detect the webshell variants and urges organizations to monitor for indicators of compromise (IOCs) such as callbacks to oast.me and oast.fun. These are default domains of the Interactsh out-of-band testing service, which issues a fresh random subdomain for each probe, so the specific subdomains in the table below will not recur; detections should match on the parent domains.
Indicators of Compromise (IOCs)
| Indicator | Type | Comments |
|---|---|---|
| cv032vemsb87jtt2p11g5h8xztka6kruj[.]oast[.]me | Subdomain | Lantronix WLANScanSSID Command Injection |
| cj7409i4t88ukb0publgjtkyt534mnrby[.]oast[.]live | Subdomain | Spring4Shell |
| cv032vemsb87jtt2p11gwf68p1xw7rgtk[.]oast[.]me | Subdomain | Fastjson-v1.2.47 RCE |
| chke3769l5m6jbj8hq90fu71kckky5x63[.]oast[.]fun | Subdomain | Apache Shiro, FasterXML jackson-databind |
| 185.172.128[.]93 | IP Address | CVE-2024-4577 |
| 9e1fb14b747b5bdaf817845007a47752 | MD5 Hash | Webshell (abuok.php) |
| d6efe92ca18570f940a720e51af77f72 | MD5 Hash | Webshell (myabu.php) |
| f65749ddf93e890b48b3bde77b1302aa | MD5 Hash | Webshell (scwj.php) |
| 5a12416857547341493b436299e9b886 | MD5 Hash | Webshell (baocun.php) |
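The table is published defanged (`[.]`), and the oast.* entries are one-off Interactsh callback labels, so a matcher has to refang the indicators and match the parent domain as well as the exact name; it can apply the mining-RPC observation from the same report at the same time. The following is an added example, not CloudSEK’s code: the IOC values are copied from the table above, while the log format and every log line are constructed for the demonstration.

```python
"""Match constructed telemetry against the IOCs in the article's table and the
behaviours it describes: Interactsh callbacks (exact and parent-domain), the C2
IP, mining JSON-RPC methods, and webshell MD5s. Added example, not CloudSEK's
code; the key=value log format below is invented for the demo."""
import json

# Indicators as printed in the table (defanged with [.]); refanged at load time.
ARTICLE_IOCS = {
    "domains": [
        "cv032vemsb87jtt2p11g5h8xztka6kruj[.]oast[.]me",
        "cj7409i4t88ukb0publgjtkyt534mnrby[.]oast[.]live",
        "cv032vemsb87jtt2p11gwf68p1xw7rgtk[.]oast[.]me",
        "chke3769l5m6jbj8hq90fu71kckky5x63[.]oast[.]fun",
    ],
    "ips": ["185.172.128[.]93"],
    "md5": [
        "9e1fb14b747b5bdaf817845007a47752",
        "d6efe92ca18570f940a720e51af77f72",
        "f65749ddf93e890b48b3bde77b1302aa",
        "5a12416857547341493b436299e9b886",
    ],
}
# JSON-RPC methods the article associates with mining clients (case-insensitive).
MINING_METHODS = {"getwork", "eth_getwork"}

# Constructed telemetry: one event per line, timestamp then key=value fields.
CONSTRUCTED_LOG = """\
2025-07-01T10:00:01Z type=dns client=10.1.2.3 qname=u8k2c1m9q4h7.oast.me qtype=A
2025-07-01T10:00:02Z type=dns client=10.1.2.3 qname=cv032vemsb87jtt2p11g5h8xztka6kruj.oast.me qtype=A
2025-07-01T10:00:03Z type=dns client=10.1.2.4 qname=updates.example.edu qtype=A
2025-07-01T10:00:04Z type=conn src=10.1.2.3 dst_ip=185.172.128.93 dst_port=80
2025-07-01T10:00:05Z type=conn src=10.1.2.4 dst_ip=10.1.2.50 dst_port=443
2025-07-01T10:00:06Z type=http src=10.1.2.3 body={"jsonrpc":"2.0","id":1,"method":"eth_getWork","params":[]}
2025-07-01T10:00:07Z type=http src=10.1.2.5 body={"jsonrpc":"2.0","id":2,"method":"eth_blockNumber","params":[]}
2025-07-01T10:00:08Z type=file path=/var/www/html/uploads/x.php md5=9e1fb14b747b5bdaf817845007a47752
"""


def refang(ioc: str) -> str:
    """Turn the report's defanged notation back into a matchable value."""
    return ioc.replace("[.]", ".")


def parent_domain(host: str) -> str:
    """Registrable parent of a hostname (last two labels); enough for oast.*."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def load_iocs(raw: dict) -> dict:
    domains = {refang(d).lower() for d in raw["domains"]}
    return {"domains": domains,
            "parents": {parent_domain(d) for d in domains},
            "ips": {refang(i) for i in raw["ips"]},
            "md5": {h.lower() for h in raw["md5"]}}


def parse_line(line: str) -> dict:
    """Split 'ts k=v k=v ...' into a dict; values carry no whitespace by design."""
    fields = {}
    for tok in line.split()[1:]:
        k, _, v = tok.partition("=")
        fields[k] = v
    return fields


def jsonrpc_methods(body: str) -> list:
    """Method names in a JSON-RPC body, single call or batch; [] if not JSON."""
    try:
        obj = json.loads(body)
    except ValueError:
        return []
    calls = obj if isinstance(obj, list) else [obj]
    return [c["method"] for c in calls if isinstance(c, dict) and isinstance(c.get("method"), str)]


def match_event(fields: dict, iocs: dict) -> list:
    hits = []
    qname = fields.get("qname", "").lower().rstrip(".")
    if qname in iocs["domains"]:
        hits.append(("exact_domain", qname))
    elif qname and parent_domain(qname) in iocs["parents"]:
        # Fresh Interactsh label, same callback infrastructure.
        hits.append(("oob_parent", parent_domain(qname)))
    if fields.get("dst_ip") in iocs["ips"]:
        hits.append(("ip", fields["dst_ip"]))
    for method in jsonrpc_methods(fields.get("body", "")):
        if method.lower() in MINING_METHODS:
            hits.append(("mining_rpc", method))
    if fields.get("md5", "").lower() in iocs["md5"]:
        hits.append(("webshell_hash", fields["md5"].lower()))
    return hits


def scan(log_text: str, raw_iocs: dict = ARTICLE_IOCS) -> list:
    """Return [{'line': n, 'hits': [...]}] for every log line with a match."""
    iocs = load_iocs(raw_iocs)
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.strip():
            hits = match_event(parse_line(line), iocs)
            if hits:
                findings.append({"line": n, "hits": hits})
    return findings


if __name__ == "__main__":
    for f in scan(CONSTRUCTED_LOG):
        print(f"line {f['line']}: {f['hits']}")
```

A parent-domain hit on oast.* tells you an out-of-band probe reached something in your estate; because Interactsh is also used by legitimate scanners, it is a trigger to find the inbound request that carried the callback address, not proof of Androxgh0st on its own.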