Push Geoserver Exploits, Polarradege, Gayfemboy Push Cybercrime beyond traditional botnets

By user | August 23, 2025 | 6 min read
Cybersecurity researchers are calling attention to multiple campaigns that exploit known security vulnerabilities and exposed Redis servers for a range of malicious activity.

The first set of attacks involves the exploitation of CVE-2024-36401 (CVSS score: 9.8), a critical remote code execution vulnerability in OSGeo GeoServer GeoTools that has been weaponized in attacks since the second half of last year.

“Criminals use vulnerabilities to deploy legitimate software development kits (SDKs) or modified apps to earn passive income through network sharing or residential proxies,” said Zibin Zhang, Yiheng An, Chao Lei, and Haozhe Zhang, researchers at Palo Alto Networks Unit 42, in a technical report.

“This method of generating passive income is particularly stealthy. It mimics the monetization strategy used by legitimate app developers who opt for SDKs instead of displaying traditional ads. This is an intentional choice that protects the user experience and improves app retention.”

The cybersecurity company said attackers have been probing internet-exposed GeoServer instances since at least early March 2025, leveraging the access to retrieve custom executables from attacker-controlled servers. The payloads are distributed via a private instance of a file-sharing server running transfer.sh, rather than a traditional HTTP web server.

The applications used in the campaign are designed to fly under the radar with minimal resource consumption, covertly monetizing victims’ internet bandwidth without the need to distribute custom malware. The binary, written in Dart, is built to interact with legitimate passive-income services and uses device resources sparingly for activities such as bandwidth sharing.

This approach is advantageous to all the parties involved in the scheme: application developers are paid in exchange for integrating the feature, and cybercriminals profit from unused bandwidth through seemingly harmless channels that do not raise red flags.

“Once executed, the executable silently works in the background, monitoring the device’s resources and illicitly sharing the victim’s bandwidth whenever possible,” Unit 42 said. “This generates passive income for the attacker.”

Telemetry collected by the company shows more than 7,100 publicly exposed GeoServer instances across 99 countries, with China, the U.S., Germany, the U.K., and Singapore occupying the top five spots.

“This ongoing campaign illustrates a significant evolution in how adversaries monetize compromised systems,” Unit 42 said. “The attacker’s core strategy focuses on stealth and sustained monetization rather than aggressive resource exploitation. This approach favors long-term, modest revenue generation over easily detectable techniques.”

The disclosure comes as Censys detailed the infrastructure backbone powering a large IoT botnet called PolarEdge, which exploits known security vulnerabilities in enterprise-grade firewalls and routers, IP cameras, and VoIP phones. Its exact purpose is currently unknown, but it is clear the botnet is not being used for indiscriminate mass scanning.

The initial access is then abused to drop a custom TLS backdoor based on Mbed TLS that facilitates encrypted command-and-control, log cleanup, and dynamic infrastructure updates. The backdoors are commonly deployed on high, non-standard ports, likely as a way to evade traditional network scanning and the port ranges that defensive monitoring covers.

PolarEdge exhibits characteristics tailored to an operational relay box (ORB) network, with the attack surface management platform noting that the campaign dates back to June 2023 and has reached roughly 40,000 active devices as of this month. Over 70% of infections are spread across South Korea, the United States, Hong Kong, Sweden, and Canada.

“ORBs are compromised exit nodes that forward traffic to carry out additional compromises or attacks on behalf of threat actors,” said security researcher Himaja Motheram. “What makes ORBs so valuable to attackers is that they don’t have to take over the device’s core functions. While the device continues to work properly, it can quietly relay traffic in the background, with little detection by the owner or ISP.”

Over the past few months, vulnerabilities in devices from vendors such as DrayTek, TP-Link, Raisecom, and Cisco have been weaponized by bad actors to deploy a Mirai botnet variant codenamed Gayfemboy, suggesting an expansion of its target range.

“The Gayfemboy campaign spans multiple countries, including Brazil, Mexico, the U.S., Germany, France, Switzerland, Israel, and Vietnam,” Fortinet said. “Its targets also cover a wide range of sectors, including manufacturing, technology, construction, media, and communications.”

Gayfemboy can target a variety of system architectures, including ARM, AArch64, MIPS R3000, PowerPC, and Intel 80386. It has four main components built in:

  • Monitor, which tracks threads and processes while incorporating persistence and sandbox-evasion techniques
  • Watchdog, which attempts to bind to UDP port 47272
  • Attacker, which uses the UDP, TCP, and ICMP protocols to launch DDoS attacks, and provides backdoor access by connecting to a remote server to receive commands
  • Killer
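The Watchdog component's bind to UDP 47272 is something a defender can check for on a Linux host without vendor tooling. The following is an added example, not code from Fortinet or from this article: it parses the Linux /proc/net/udp table (the local_address column holds the IPv4 address as host-order hex and the port as big-endian hex, so 47272 appears as B8A8) and reports any socket bound to that port. The port number is the one the article names; the sample table embedded below is constructed for the example and is not real telemetry.

```python
"""Flag UDP sockets bound to the port the Gayfemboy watchdog tries to claim.

Added example for this article; not Fortinet's code. Reads the Linux
/proc/net/udp table, whose local_address column is host-order hex for the
IPv4 address and big-endian hex for the port (47272 == 0xB8A8).
"""
import os
from dataclasses import dataclass
from typing import Iterable, List

GAYFEMBOY_WATCHDOG_PORT = 47272  # UDP port named in the Fortinet write-up


@dataclass(frozen=True)
class UdpSocket:
    local_ip: str
    local_port: int
    uid: int
    inode: int  # join against /proc/<pid>/fd symlinks to find the owning process


def _hex_ipv4(field: str) -> str:
    """Decode an 8-hex-digit IPv4 address as /proc/net/udp stores it on little-endian hosts."""
    n = int(field, 16)
    return ".".join(str((n >> shift) & 0xFF) for shift in (0, 8, 16, 24))


def parse_proc_net_udp(lines: Iterable[str]) -> List[UdpSocket]:
    """Parse /proc/net/udp rows; the header row and malformed lines are skipped."""
    sockets: List[UdpSocket] = []
    for line in lines:
        fields = line.split()
        # Data rows start with the slot number followed by a colon, e.g. "456:".
        if len(fields) < 10 or not fields[0].endswith(":"):
            continue
        ip_hex, port_hex = fields[1].split(":")
        sockets.append(
            UdpSocket(_hex_ipv4(ip_hex), int(port_hex, 16), int(fields[7]), int(fields[9]))
        )
    return sockets


def find_watchdog_sockets(lines: Iterable[str], port: int = GAYFEMBOY_WATCHDOG_PORT) -> List[UdpSocket]:
    """Return every parsed socket whose local port matches the watchdog port."""
    return [s for s in parse_proc_net_udp(lines) if s.local_port == port]


# Constructed sample table (not real telemetry): DNS on loopback, a wildcard
# bind on 47272 owned by root, and an unrelated user-owned socket on 40000.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
 123: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 21987 2 0000000000000000 0
 456: 00000000:B8A8 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 40311 2 0000000000000000 0
 789: 0F02000A:9C40 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 40322 2 0000000000000000 0
"""


def main() -> None:
    # Use the live table when available (Linux); fall back to the constructed sample.
    source = "/proc/net/udp"
    if os.path.exists(source):
        with open(source) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_PROC_NET_UDP.splitlines()
    for sock in find_watchdog_sockets(lines):
        print(f"UDP {sock.local_ip}:{sock.local_port} bound (uid={sock.uid}, inode={sock.inode})")


if __name__ == "__main__":
    main()
```

Two caveats: the article says the watchdog only attempts the bind, so a host where the port was already taken shows nothing here, and an IPv6-only bind would appear in /proc/net/udp6 rather than /proc/net/udp. A hit is a lead to pivot on (resolve the inode to a PID via /proc/*/fd), not proof of infection on its own.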

“Gayfemboy inherits the structural elements of Mirai, but introduces notable changes that enhance both its complexity and its ability to evade detection,” said security researcher Vincent Li. “This evolution reflects the increasing sophistication of modern malware and reinforces the need for a proactive, intelligence-driven defense strategy.”

The findings also coincide with a cryptojacking campaign mounted by a threat actor tracked as TA-NATALSTATUS that targets exposed Redis servers to deliver cryptocurrency miners.

The attack essentially involves scanning for unauthenticated Redis servers on port 6379, then issuing legitimate CONFIG, SET, and SAVE commands to disable SELinux, perform defense evasion, and block external connections to the Redis port, locking out rival attackers who would otherwise exploit the same weakness.

It also deploys scripts to install tools such as masscan and pnscan, then invokes a command such as “masscan --shard” to scan the internet for vulnerable Redis instances. The final step is to set up persistence via hourly cron jobs and start the mining process.
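The chain above only works against a Redis instance that accepts unauthenticated CONFIG, SET, and SAVE commands from the internet. As an added example (not CloudSEK's or the article's code), the following auditor reads a redis.conf and reports each of those preconditions, then runs against a constructed weak configuration and a constructed corrected one. The directive names are standard Redis; the two sample configurations, the placeholder password, and the particular set of checks are this example's own.

```python
"""Audit a redis.conf for the preconditions a CONFIG/SET/SAVE intrusion needs.

Added example for this article; not CloudSEK's code. Checks: listening on every
interface, protected-mode disabled, no requirepass or ACL users, and CONFIG/SAVE
still reachable under their default names. Sample configs are constructed.
"""
from typing import Dict, List

# bind values that mean "every interface" (Redis 7 accepts a "-" optional prefix)
WILDCARD_BINDS = {"0.0.0.0", "*", "::", "-::*", "-0.0.0.0", "-*"}


def parse_redis_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive (lower-cased) to the argument lists seen, in file order.

    Directives such as rename-command may repeat, and Redis lets the last
    occurrence of a single-valued directive win, hence a list per name.
    """
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        directives.setdefault(name.lower(), []).append(args)
    return directives


def audit_redis_conf(text: str) -> List[str]:
    """Return one finding per weakness; an empty list means none of the checks fired."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    binds = conf["bind"][-1] if "bind" in conf else []
    if not binds or any(b in WILDCARD_BINDS for b in binds):
        findings.append("bind: Redis listens on every interface; bind to 127.0.0.1 ::1 or a private address")

    if "protected-mode" in conf and conf["protected-mode"][-1] == ["no"]:
        findings.append("protected-mode no: remote clients are accepted even with no password set")

    if "requirepass" not in conf and "user" not in conf:
        findings.append("no requirepass or ACL users: any client reaching the port can issue CONFIG, SET and SAVE")

    renamed = {args[0].upper() for args in conf.get("rename-command", []) if len(args) == 2}
    for cmd in ("CONFIG", "SAVE"):
        if cmd not in renamed:
            findings.append(
                f'{cmd} reachable under its default name; rename-command {cmd} "" '
                f"(or an ACL rule such as -@dangerous) removes it"
            )
    return findings


# Constructed: how an internet-exposed, unauthenticated Redis is commonly left.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

# Constructed: the corrected settings. The password is a placeholder, not a real value.
HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass CHANGE-ME-to-a-long-random-secret
rename-command CONFIG ""
rename-command SAVE ""
dir /var/lib/redis
"""


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for finding in audit_redis_conf(conf) or ["no findings"]:
            print("  -", finding)
```

Disabling CONFIG and SAVE removes the write primitive the article describes, but it also breaks tooling that relies on them, so on a production instance the ACL route (a dedicated user without @dangerous) is usually the better fit. Either way, network reachability is the first check: a Redis that is only reachable from the application host never sees the masscan sweep in the first place.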

Cybersecurity company CloudSEK said the activity is an evolution of an attack campaign disclosed by Trend Micro in April 2020, now packing new features such as a rootkit to hide malicious processes and the modification of file timestamps to frustrate forensic analysis.

“By renaming system binaries like ps and top to ps.original and replacing them with malicious wrappers, they filter their malware (httpgd) out of the output. Administrators looking for the miner won’t see it using standard tools,” researcher Abhishek Mathew said. “They rename curl and wget to cd1 and wd1. This is a simple but brilliant way to bypass security products that monitor for malicious downloads initiated specifically by these common tool names.”

