GeoServer Exploits, PolarEdge, and Gayfemboy Push Cybercrime Beyond Traditional Botnets

“Let’s talk about how some campaigns around the world are exploiting various known security loopholes!”

Cybersecurity researchers are drawing attention to a number of campaigns that exploit well-known security flaws and exposed Redis servers to carry out a range of malicious actions, such as turning the compromised devices into residential proxies, IoT botnets, or cryptocurrency mining infrastructure.

The first round of attacks exploits CVE-2024-36401 (CVSS score: 9.8), a critical remote code execution vulnerability in OSGeo GeoServer GeoTools that has been weaponized in cyberattacks since late last year.

“Criminals have used the vulnerability to deploy legitimate software development kits (SDKs) or modified apps to gain passive income via network sharing or residential proxies,” Palo Alto Networks Unit 42 researchers Zhibin Zhang, Yiheng An, Chao Lei, and Haozhe Zhang said in a technical report.

 

“This method of generating passive income is particularly stealthy. It mimics a monetization strategy used by some legitimate app developers who choose SDKs instead of displaying traditional ads. This can be a well-intentioned choice that protects the user experience and improves app retention.”

 

“Once running, the executable operates covertly in the background, monitoring device resources and illicitly sharing the victim’s bandwidth whenever possible,” Unit 42 said. “This generates passive income for the attacker.”

 

“This ongoing campaign showcases a significant evolution in how adversaries monetize compromised systems,” Unit 42 said.

 

“The attackers’ core strategy focuses on stealthy, persistent monetization rather than aggressive resource exploitation. This approach favors long-term, low-profile revenue generation over easily detectable techniques.”

 

The cybersecurity company said attackers have been probing GeoServer instances exposed to the internet since at least early March 2025, leveraging the access to drop customized executables from adversary-controlled servers.

 

Instead of a traditional HTTP web server, the payloads are distributed from a private instance of the transfer.sh file-sharing service. The campaign’s applications are designed to stay undetected by consuming as few resources as possible, and they profit by consuming the victims’ internet traffic without deploying anything conventionally recognized as malware.

 

Written in Dart, the binaries are built to communicate with legitimate passive-income services while covertly using the device’s resources for tasks such as bandwidth sharing. All sides benefit from the arrangement: the attackers earn from the unused bandwidth of a seemingly ordinary connection that raises no red flags, and the application developers are compensated for incorporating the feature.

Over 7,100 publicly exposed GeoServer instances were found in 99 countries, according to telemetry data collected by the company. The top five countries were China, the United States, Germany, Great Britain, and Singapore.

The revelation comes as Censys described the infrastructure backbone that powers the massive IoT botnet known as PolarEdge, which exploits known security flaws to infiltrate consumer-oriented devices like routers, IP cameras, and VoIP phones, as well as enterprise-grade firewalls.

Although it is evident that the botnet is not being used for indiscriminate mass scanning, its precise purpose is still unknown. The initial access is abused to drop a bespoke TLS backdoor, built on Mbed TLS, that enables encrypted command-and-control, log cleanup, and dynamic infrastructure updates.

The backdoor has frequently been observed listening on high, unusual ports, most likely to stay outside the scope of security monitoring and conventional network checks. According to the attack surface management platform, PolarEdge displays characteristics consistent with an Operational Relay Box (ORB) network. As of this month there are approximately 40,000 active devices, and the campaign may have begun as early as June 2023.

 

South Korea, the United States, Hong Kong, Sweden, and Canada account for almost 70% of the infections.

“ORBs are compromised exit nodes that forward traffic to carry out additional compromises or attacks on behalf of threat actors,” security researcher Himaja Motheram said.

 

“What makes ORBs so valuable to attackers is that they don’t need to take over the device’s core function – they can quietly relay traffic in the background while the device continues to operate normally, making detection by the owner or ISP unlikely.”

 

The targeting scope may have expanded in recent months, as bad actors have exploited vulnerabilities in products from companies such as DrayTek, TP-Link, Raisecom, and Cisco to compromise them and deploy a Mirai botnet variant nicknamed Gayfemboy.

“The gayfemboy campaign spans multiple countries, including Brazil, Mexico, the United States, Germany, France, Switzerland, Israel, and Vietnam,” Fortinet said. “Its targets also cover a broad range of sectors, such as manufacturing, technology, construction, and media or communications.”

 

The system architectures that Gayfemboy can target include ARM, AArch64, MIPS R3000, PowerPC, and Intel 80386. It consists of four main functions:

  • Monitor, which tracks threads and processes while incorporating persistence and sandbox evasion techniques
  • Watchdog, which attempts to bind to UDP port 47272
  • An attacker, which launches DDoS attacks using UDP, TCP, and ICMP protocols, and enables backdoor access by connecting to a remote server to receive commands
  • Killer, which terminates itself if it receives a command from the server or detects sandbox manipulation
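As an added example (not from the article or Fortinet’s report), the following Python script turns the one concrete host indicator in the list above, the watchdog’s attempt to bind UDP port 47272, into a check a defender can run on a Linux host by reading /proc/net/udp, where ports appear in hexadecimal (47272 is B8A8). The /proc/net/udp lines embedded below are constructed for the demonstration; everything except the port number is an assumption of this example, and a socket on that port is a lead to investigate, not proof of infection.

```python
"""Added example: flag UDP sockets bound to the port the Gayfemboy watchdog
tries to use (47272, per the article). Sample /proc/net/udp data is constructed."""
from pathlib import Path

WATCHDOG_PORT = 47272  # from the article; shown as B8A8 in /proc/net/udp

# Constructed sample in the /proc/net/udp layout: a DNS listener on 53 and a
# root-owned socket on 47272. Real output has more columns than we use.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  12: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 12345 2 0000000000000000 0
  13: 00000000:B8A8 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 67890 2 0000000000000000 0
"""


def parse_proc_net_udp(text):
    """Yield (local_ip, local_port, uid, inode) for each socket row (IPv4 table only)."""
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        ip_hex, port_hex = fields[1].split(":")
        # The kernel prints the IPv4 address as a little-endian 32-bit hex value,
        # so the bytes are reversed before being rendered in dotted form.
        ip = ".".join(str(b) for b in reversed(bytes.fromhex(ip_hex)))
        yield ip, int(port_hex, 16), int(fields[7]), int(fields[9])


def find_watchdog_sockets(text, port=WATCHDOG_PORT):
    """Return the socket rows whose local port matches the watchdog port."""
    return [row for row in parse_proc_net_udp(text) if row[1] == port]


def scan_live_host(path="/proc/net/udp"):
    """Read the real table on a Linux host; returns [] where it does not exist."""
    p = Path(path)
    return find_watchdog_sockets(p.read_text()) if p.exists() else []


if __name__ == "__main__":
    for ip, port, uid, inode in find_watchdog_sockets(SAMPLE_PROC_NET_UDP):
        print(f"UDP {ip}:{port} bound by uid {uid} (inode {inode}): matches watchdog port")
    for ip, port, uid, inode in scan_live_host():
        print(f"LIVE: UDP {ip}:{port} bound by uid {uid} (inode {inode})")
```

On a suspect host the inode number is the pivot: match it against /proc/<pid>/fd to find the process holding the socket, then inspect that binary rather than trusting the process name, since the article notes the malware also monitors processes and evades sandboxes.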

“While Gayfemboy inherits structural elements from Mirai, it introduces notable modifications that enhance both its complexity and ability to evade detection,” security researcher Vincent Li said.

 

“This evolution reflects the increasing sophistication of modern malware and reinforces the need for proactive, intelligence-driven defense strategies.”

 

The findings also align with a cryptojacking campaign by a threat actor known as TA-NATALSTATUS, which targets vulnerable Redis servers to deploy cryptocurrency miners. The attack essentially involves scanning for unauthenticated Redis servers on port 6379 and then issuing legitimate CONFIG, SET, and SAVE commands to create a malicious cron job. That job runs a shell script that disables SELinux, performs defense evasion steps, blocks external connections to the Redis port so that rival actors cannot use the same initial access path, and terminates competing mining processes (e.g., Kinsing).

Scripts that install tools like masscan or pnscan and run commands like “masscan --shard” to search the internet for vulnerable Redis instances are also deployed. The next step is to start the mining operation and set up persistence with an hourly cron job.
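The foothold described above is an unauthenticated Redis instance whose CONFIG and SAVE commands are reachable from the internet. As an added example (not CloudSEK’s or the article’s code), the Python below audits a redis.conf for the settings that create that exposure, with a constructed weak configuration beside a hardened one. Both configuration texts are made up for the demonstration; the directive names (bind, protected-mode, requirepass, rename-command, and the Redis 7 enable-protected-configs) are real Redis directives, while the checker’s logic and messages are this example’s own.

```python
"""Added example: audit a redis.conf for the settings that let an anonymous
client reach CONFIG/SAVE. Both sample configurations are constructed."""

# Constructed: the kind of configuration the campaign above preys on.
WEAK_CONF = """\
bind 0.0.0.0
port 6379
protected-mode no
# requirepass not set
dir /var/lib/redis
"""

# Constructed: the same deployment with the exposure closed.
HARDENED_CONF = """\
bind 127.0.0.1
port 6379
protected-mode yes
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command CONFIG ""
rename-command SAVE ""
dir /var/lib/redis
"""


def parse_conf(text):
    """Map directive -> list of argument strings in file order (Redis keeps the last)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1].strip() if len(parts) > 1 else "")
    return conf


def audit_redis_conf(text):
    """Return findings for settings that leave CONFIG/SAVE open to anonymous clients."""
    c = parse_conf(text)
    findings = []
    # No bind directive means "all interfaces"; protected-mode defaults to yes.
    binds = c.get("bind", ["0.0.0.0"])[-1].split()
    if any(b.lstrip("-") in ("0.0.0.0", "*", "::", "::*") for b in binds):
        findings.append("bind: listens on all interfaces")
    if c.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode: off, remote unauthenticated clients are accepted")
    if not c.get("requirepass", [""])[-1]:
        findings.append("requirepass: not set, no authentication required")
    renamed = {r.split()[0].upper() for r in c.get("rename-command", []) if r.split()}
    for cmd in ("CONFIG", "SAVE"):
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd} still reachable under its default name")
    # Redis 7+: the default "no" refuses CONFIG SET on file-related directives.
    if c.get("enable-protected-configs", ["no"])[-1].lower() != "no":
        findings.append("enable-protected-configs: enabled, CONFIG SET may rewrite file settings")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}] {audit_redis_conf(conf) or 'no findings'}")
```

The loopback bind only fits a deployment where clients run on the same host; a networked Redis should bind a private interface and still require authentication, and on Redis 6 and later the ACL system (the `user` directive) gives finer control than a single requirepass secret. The audit reads only the file, so a setting changed at runtime with CONFIG SET will not show up; compare against `CONFIG GET` on the live instance as well.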

Cybersecurity firm CloudSEK said the activity is an evolution of an attack campaign disclosed by Trend Micro in April 2020, adding rootkit-like capabilities that hide malicious processes and alter file timestamps to defeat forensic analysis.

“By renaming system binaries like ps and top to ps.original and replacing them with malicious wrappers, they filter their own malware (httpgd) out of the output. An admin looking for the miner won’t see it using standard tools,” researcher Abhishek Mathew said.

 

“They rename curl and wget to cd1 and wd1. This is a simple but brilliant method to bypass security products that monitor for malicious downloads specifically initiated by these common tool names.”
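As an added example (not from CloudSEK or the researcher quoted above), this Python script checks a bin directory for the two tampering patterns just described: ps or top replaced by a script wrapper with the genuine binary parked as ps.original or top.original, and ELF binaries sitting under the names cd1 and wd1. The build_constructed_tree() helper fabricates a sample directory so the check runs offline; the tool names come from the quote, while the function names, the ELF-versus-script heuristic and the sample files are assumptions of this example.

```python
"""Added example: detect renamed/wrapped system binaries of the kind described
in the quote above. The directory built by build_constructed_tree() is a
constructed sample, not data from a real compromise."""
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
WRAPPED = ("ps", "top")                    # tools the quote says were wrapped
RENAMED = {"cd1": "curl", "wd1": "wget"}   # new name -> tool it replaced


def file_kind(path):
    """Classify a file by its first bytes: 'elf', 'script' (#!), or 'other'."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head.startswith(ELF_MAGIC):
        return "elf"
    if head.startswith(b"#!"):
        return "script"
    return "other"


def audit_bin_dir(bin_dir):
    """Return (basename, reason) tuples for files matching the tampering patterns."""
    bin_dir = Path(bin_dir)
    findings = []
    for tool in WRAPPED:
        parked = bin_dir / f"{tool}.original"
        current = bin_dir / tool
        if parked.exists():
            findings.append((parked.name, "parked original binary found"))
        # A genuine ps/top is an ELF executable; a shell script in its place is a wrapper.
        if current.exists() and file_kind(current) == "script":
            findings.append((current.name, "expected ELF binary, found script wrapper"))
    for alias, tool in RENAMED.items():
        p = bin_dir / alias
        if p.exists() and file_kind(p) == "elf":
            findings.append((p.name, f"ELF binary under the name {alias} (possibly renamed {tool})"))
    return findings


def build_constructed_tree():
    """Constructed sample: a fake bin directory showing the pattern (ps wrapped, curl renamed)."""
    root = Path(tempfile.mkdtemp(prefix="bin-audit-"))
    (root / "ps.original").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9)
    (root / "ps").write_bytes(b"#!/bin/sh\n# constructed stand-in for a wrapper script\n")
    (root / "top").write_bytes(ELF_MAGIC + b"\0" * 12)   # untouched
    (root / "cd1").write_bytes(ELF_MAGIC + b"\0" * 12)   # renamed curl
    (root / "wget").write_bytes(ELF_MAGIC + b"\0" * 12)  # untouched, so no wd1
    return root


if __name__ == "__main__":
    for name, reason in audit_bin_dir(build_constructed_tree()):
        print(f"{name}: {reason}")
```

On a real host run audit_bin_dir against /usr/bin and /bin (and /usr/sbin for completeness). The heuristic is deliberately narrow: BusyBox systems ship ps as a symlink to one ELF, so the ELF test still passes there, and an attacker who wraps with a compiled binary rather than a script will not trip it. Package-manager verification (`rpm -V procps-ng` or `dpkg --verify`) compares hashes against the installed package and catches both cases.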

About The Author

Suraj Koli is a content specialist in technical writing about cybersecurity & information security. He has written many amazing articles related to cybersecurity concepts, with the latest trends in cyber awareness and ethical hacking.
