This stealthy campaign, active since March 2025, turns compromised servers into residential-proxy nodes and marks a notable shift in how adversaries monetize access to compromised systems.
The attackers are exploiting CVE-2024-36401, a critical remote code execution vulnerability in GeoServer, the open-source Java server for publishing geospatial data, rated CVSS 9.8.
The vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, reflecting both its severity and confirmed exploitation in the wild.
The flaw is an XPath expression injection. GeoServer passes attacker-controlled property names to the GeoTools library, which evaluates them as XPath expressions through Apache Commons JXPath; JXPath's extension functions allow an expression to call arbitrary Java methods. The threat actors use this to invoke java.lang.Runtime.getRuntime().exec() and run operating-system commands on the server.
The injection point is reachable through several OGC request types: Web Feature Service (WFS) GetFeature and GetPropertyValue, Web Processing Service (WPS) Execute, and Web Map Service (WMS) requests as well.
Cortex Xpanse telemetry revealed over 7,000 publicly exposed GeoServer instances across 99 countries, with the majority hosted in China. In the first week of May 2025 alone, 3,706 publicly accessible GeoServers were identified, representing a substantial attack surface.
The campaign’s primary objective involves deploying legitimate software development kits (SDKs) and modified applications that generate passive income by sharing victims’ network resources through residential proxies.
This approach mimics legitimate monetization strategies used by app developers who prefer SDKs over traditional advertising methods.
The campaign has moved through three distinct infrastructure phases. The initial exploitation attempts in March 2025 originated from IP address 108.251.152[.]209, with customized executables served from 37.187.74[.]75.
After security vendors flagged that infrastructure as malicious on March 24, the threat actors quickly pivoted to 185.246.84[.]189 and later expanded to 64.226.112[.]52.
The payloads consume very little CPU and memory, which makes them hard to spot with host-level resource monitoring. Rather than relying on conventional malware-hosting infrastructure, the attackers stood up private instances of the transfer.sh file-sharing server to serve their payloads.
The executables are written in Dart, giving the attackers cross-platform binaries that enroll the victim in legitimate passive-income services and monetize the host's bandwidth.
The exploitation is two-stage, but both stages abuse the same bug: a first request triggers CVE-2024-36401 to download the second-stage payload onto the server, and a second request triggers it again to execute the downloaded file.
Analysis shows the attackers deploy a mix of unmodified legitimate SDKs and modified applications. Binary comparison of the SDK components against the vendors' official releases found them identical, so the SDK itself is not malware; it is legitimate software being misused on hosts whose owners never consented.
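The mechanism described above (JXPath extension-function calls smuggled in through OGC request parameters) and the two-stage chain, in which the same request shape is used first to fetch and then to execute a payload, both leave traces in the GeoServer access log. The following is an added example, not code from the article or from the Unit 42 research it summarizes: it triages combined-format access-log lines for JXPath call syntax and for the campaign IP indicators quoted in the article, and includes a version check. The log lines are constructed, the regular expression is an assumed pattern set to tune against real traffic, and the fixed releases (2.23.6, 2.24.4, 2.25.2) come from the GeoServer advisory for CVE-2024-36401 rather than from the article.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Indicators taken from the article: the source IP of the initial exploitation
# attempts and the three hosts that served payloads across the campaign's phases.
ARTICLE_IOC_IPS = {"108.251.152.209", "37.187.74.75", "185.246.84.189", "64.226.112.52"}

# Shapes of a JXPath extension-function call: a fully qualified java.lang class,
# or the Runtime/exec primitives the article says are invoked. Assumed pattern
# set; tune it against your own request logs.
JXPATH_EXTENSION_RE = re.compile(
    r"\bjava\.lang\.\w+|getRuntime\s*\(|\bexec\s*\(|ProcessBuilder", re.IGNORECASE
)

# Fixed releases per the GeoServer advisory for CVE-2024-36401 (not from the
# article): 2.23.6, 2.24.4 and 2.25.2. Branches older than 2.23 received no fix.
FIXED_PATCH_LEVEL = {(2, 23): 6, (2, 24): 4, (2, 25): 2}

# Combined-log-format access line: source IP, method, URL, status.
ACCESS_LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def is_vulnerable_version(version: str) -> bool:
    """True when a GeoServer version string is below the fixed release for its branch."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor) in FIXED_PATCH_LEVEL:
        return patch < FIXED_PATCH_LEVEL[(major, minor)]
    return (major, minor) < (2, 23)


def jxpath_hits(raw_url: str) -> list[str]:
    """Names of query parameters whose decoded value looks like a JXPath extension call."""
    hits = []
    for name, values in parse_qs(urlsplit(raw_url).query, keep_blank_values=True).items():
        # parse_qs decodes once; decode again so double-encoded payloads do not slip past.
        if any(JXPATH_EXTENSION_RE.search(unquote_plus(v)) for v in values):
            hits.append(name)
    return hits


def triage_access_log(log_text: str) -> list[dict]:
    """Flag GeoServer requests that carry JXPath syntax or come from a campaign IOC."""
    findings = []
    for line in log_text.splitlines():
        m = ACCESS_LINE_RE.match(line)
        if not m:
            continue
        src_ip, method, url, status = m.groups()
        params = {k.lower(): v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        reasons = []
        if src_ip in ARTICLE_IOC_IPS:
            reasons.append("source IP is a campaign indicator")
        hits = jxpath_hits(url)
        if hits:
            reasons.append("JXPath extension call in parameter(s): " + ", ".join(hits))
        if reasons:
            findings.append({
                "src": src_ip,
                "request": params.get("request", method).lower(),
                "status": int(status),
                "reasons": reasons,
            })
    return findings


# Constructed sample log lines (not real telemetry). Line 1 is a GetPropertyValue
# whose valueReference carries a percent-encoded JXPath call; lines 2 and 3 are benign.
SAMPLE_ACCESS_LOG = """\
108.251.152.209 - - [12/Mar/2025:04:11:09 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec%28java.lang.Runtime.getRuntime%28%29%2C%27id%27%29 HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [12/Mar/2025:04:12:30 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetFeature&typeNames=sf:archsites&propertyName=NAME HTTP/1.1" 200 9103 "-" "QGIS/3.34"
198.51.100.5 - - [12/Mar/2025:04:13:02 +0000] "GET /geoserver/wps?service=WPS&version=1.0.0&request=GetCapabilities HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in triage_access_log(SAMPLE_ACCESS_LOG):
        print(finding)
    print("2.25.1 vulnerable:", is_vulnerable_version("2.25.1"))
```

Two caveats for real deployments: access logs only record the query string, so POST-bodied WFS and WPS Execute requests need request-body logging or a WAF/IDS in front of GeoServer to be covered by the same pattern, and a 200 status on a flagged line does not by itself prove success, so the host's outbound connections in the following minutes are the next thing to check.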
Organizations should immediately upgrade GeoServer instances to a fixed release (2.23.6, 2.24.4 or 2.25.2 and later, per the GeoServer advisory) and monitor for unexpected outbound connections from those hosts.
Network threat-prevention systems can block the exploit traffic in real time, while endpoint and network telemetry should be watched for the signature of this monetization scheme: sustained outbound traffic to many unrelated destinations from a host that otherwise has little reason to upload, rather than the CPU or memory spikes that traditional malware produces.
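A residential-proxy SDK rarely shows up as a spike; it shows up as steady fan-out. The block below is an added example, not code from the article or the research it reports on, that profiles per-host outbound flows over a window and contrasts the naive volume-only rule with one that also requires destination fan-out and temporal persistence. The flow records, host addresses and thresholds are all constructed assumptions; real deployments would feed NetFlow/IPFIX or firewall logs into the same profile.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """One outbound flow record (NetFlow/IPFIX-style), reduced to what the heuristic needs."""
    src: str
    dst: str
    dst_port: int
    bytes_out: int
    minute: int  # minute offset inside the observation window


@dataclass
class HostProfile:
    bytes_out: int = 0
    destinations: set = field(default_factory=set)
    active_minutes: set = field(default_factory=set)


def profile_hosts(flows: list[Flow]) -> dict[str, HostProfile]:
    """Aggregate outbound volume, destination fan-out and temporal persistence per source host."""
    profiles: dict[str, HostProfile] = defaultdict(HostProfile)
    for f in flows:
        p = profiles[f.src]
        p.bytes_out += f.bytes_out
        p.destinations.add(f.dst)
        p.active_minutes.add(f.minute)
    return dict(profiles)


def top_talkers(flows: list[Flow]) -> list[str]:
    """Volume-only ranking: the naive rule a bandwidth alert usually starts from."""
    profiles = profile_hosts(flows)
    return sorted(profiles, key=lambda h: profiles[h].bytes_out, reverse=True)


def flag_proxy_like_hosts(
    flows: list[Flow],
    window_minutes: int = 60,
    min_destinations: int = 20,      # assumed thresholds; tune to your own baseline
    min_active_fraction: float = 0.8,
    min_bytes: int = 10_000_000,
) -> list[str]:
    """Hosts whose outbound traffic is sustained, spread across many peers and non-trivial in volume."""
    flagged = []
    for host, p in profile_hosts(flows).items():
        active_fraction = len(p.active_minutes) / window_minutes
        if (len(p.destinations) >= min_destinations
                and active_fraction >= min_active_fraction
                and p.bytes_out >= min_bytes):
            flagged.append(host)
    return sorted(flagged)


def build_sample_flows() -> list[Flow]:
    """Constructed flows (not real telemetry) for a 60-minute window."""
    flows: list[Flow] = []
    # 10.0.0.5: a GeoServer host running a residential-proxy SDK after compromise.
    # Modest per-flow sizes, but every minute, to ever-changing destinations.
    for minute in range(60):
        for k in range(3):
            n = (minute * 3 + k) % 45
            flows.append(Flow("10.0.0.5", f"203.0.113.{n + 1}", 443, 150_000, minute))
    # 10.0.0.9: a backup server pushing two large archives to a single peer.
    flows.append(Flow("10.0.0.9", "198.51.100.20", 22, 4_000_000_000, 2))
    flows.append(Flow("10.0.0.9", "198.51.100.20", 22, 4_000_000_000, 3))
    # 10.0.0.12: a quiet host with occasional small check-ins.
    for minute in range(0, 60, 15):
        flows.append(Flow("10.0.0.12", "192.0.2.8", 443, 2_000, minute))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    print("top talker by volume:", top_talkers(sample)[0])
    print("proxy-like hosts:", flag_proxy_like_hosts(sample))
```

On the constructed data the volume-only ranking puts the backup server first and never mentions the compromised GeoServer host, whose total upload is a fraction of one backup archive; the fan-out plus persistence rule flags only the GeoServer host. That is the point of the heuristic: the proxy payload is designed to stay under per-host resource thresholds, so the distinguishing feature is the breadth and regularity of the traffic, not its size.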
| SHA256 Hash of the File | URL Contacted by the File |
|---|---|
| 89f5e7d66098ae736c39eb36123adcf55851268973e6614c67e3589e73451b24 | hxxp://37.187.74[.]75:8080/w1wOYGVLEX/a101 |
| 6db4b685f413a3e02113677eee10a29c7406414f7f4da611f31d13e3f595f85d | hxxp://37.187.74[.]75:8080/IyxzymKCp2/a102 |
| 4e4a467abe1478240cd34a1deaef019172b7834ad57d46f89a7c6c357f066fdb | hxxp://37.187.74[.]75:8080/cE58oqrYGO/a193 |
The post Hijacked Connections – How Cybercriminals Profit from Your Bandwidth appeared first on Cyber Security News.