Cybercriminals Exploit GeoServer Vulnerability to Monetize Victims’ Bandwidth

In March 2025, a covert cyber campaign emerged, exploiting a critical remote code execution vulnerability in GeoServer (CVE-2024-36401) to infiltrate publicly accessible geospatial servers. Attackers leveraged JXPath query injection within Apache Commons libraries, enabling arbitrary code execution through specially crafted XML requests. This method facilitated the deployment of customized executables that utilized legitimate passive-income software development kits (SDKs) and applications, effectively transforming compromised networks into unauthorized proxy farms.

Shortly after the initial attacks, analysts from Palo Alto Networks observed a significant increase in probing activities targeting vulnerable GeoServer instances. Cortex Xpanse telemetry identified over 3,700 publicly accessible servers in the first week of May 2025 alone, highlighting the extensive attack surface available to cybercriminals. To evade detection, these adversaries frequently changed distribution IP addresses—from 37.187.74[.]75 to 185.246.84[.]189—and expanded their backend infrastructure to include a file-sharing service on port 8080, similar to transfer.sh.

The attackers’ monetization strategy prioritized long-term stealth over immediate resource exploitation. Instead of deploying conspicuous cryptocurrency miners, they introduced two primary payloads:

1. Misused SDK: This component silently aggregated bandwidth-sharing sessions across infected hosts.

2. Misused Application: This element created hidden directories and launched executables with minimal resource footprints.

Both payloads mimicked legitimate passive-income services, making detection through signature-based defenses challenging. Consequently, victims remained unaware as their machines covertly forwarded web traffic or participated in residential proxy networks.

By incorporating genuine Dart-compiled binaries, the attackers exploited cross-platform capabilities to target Linux servers and circumvent detection signatures tailored for more common malware languages. Indicators of compromise included connections to hxxp://37.187.74[.]75:8080 and hxxp://64.226.112[.]52:8080, where initial scripts like `z593` retrieved additional stages.

Infection Mechanism Deep Dive

A particularly insidious aspect of this campaign was its exploitation of JXPath’s extension functions. Upon receiving a crafted GetPropertyValue request, GeoServer’s property accessor mechanism evaluated an attacker-controlled expression within the `iteratePointers` method. The payload invoked the `java.lang.Runtime.exec` method, leading to remote command execution.

An example of this injection is as follows:

```xml
```

Upon execution, `z593` acted as a stager, creating a hidden folder under `/var/tmp/.cache` and fetching two additional payloads:

– `z401`: Established the execution environment.

– `z402`: Launched the main executable with an embedded SDK key.

By chaining these stages, the attackers achieved persistence, ensuring that bandwidth-sharing processes resumed automatically upon system reboot. This meticulous, multi-stage approach demonstrates how leveraging legitimate SDKs and file-sharing services can facilitate undetected monetization of network resources.

Recommendations for Mitigation

To counteract such sophisticated attacks, security teams are advised to:

1. Apply GeoServer Patches Promptly: Ensure that all GeoServer instances are updated to the latest versions to mitigate known vulnerabilities.

2. Monitor Outbound Connections: Keep an eye on connections to known malicious IP addresses to detect potential compromises.

3. Deploy Behavioral Analytics: Implement systems capable of identifying anomalous JXPath queries and other suspicious activities to thwart similar campaigns.
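As an added illustration of recommendations 2 and 3 (this is example code, not from the article or from Palo Alto Networks), the following Python script flags WFS GetPropertyValue requests whose `valueReference` carries function-call or Java class syntax instead of a plain property path, and outbound connections to the infrastructure quoted above. The combined-format access log, the `src_ip dst_ip dst_port` connection log and every sample line are constructed assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Indicators taken from the article, re-fanged so they compare to log fields.
IOC_IPS = {"37.187.74.75", "64.226.112.52", "185.246.84.189"}

# Legitimate WFS valueReference values are XPath property paths such as
# "gml:name" or "topp:states/the_geom"; function-call syntax or Java class
# references inside that parameter are the JXPath-abuse signal.
SAFE_VALUE_REF = re.compile(r"^[\w:./@\-\[\]]+$")
SUSPICIOUS_TOKENS = ("java.", "runtime", "exec(")
# Combined-format access-log request field (assumed layout for this example).
ACCESS_LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def inspect_request(line):
    """Return a reason if the access-log line looks like JXPath abuse, else None."""
    m = ACCESS_LOG_RE.search(line)
    if not m:
        return None
    params = {k.lower(): v for k, v in parse_qs(urlparse(m.group("path")).query).items()}
    if params.get("request", [""])[0].lower() != "getpropertyvalue":
        return None
    for ref in params.get("valuereference", []):
        if not SAFE_VALUE_REF.match(ref) or any(t in ref.lower() for t in SUSPICIOUS_TOKENS):
            return f"anomalous valueReference: {ref[:60]}"
    return None

def inspect_connection(line):
    """Flag 'src_ip dst_ip dst_port' records (assumed format) that reach campaign hosts."""
    parts = line.split()
    if len(parts) >= 3 and parts[1] in IOC_IPS:
        return f"outbound to campaign infrastructure {parts[1]}:{parts[2]}"
    return None

def scan(access_lines, conn_lines):
    """Run both detectors and return the list of findings."""
    hits = [r for r in map(inspect_request, access_lines) if r]
    return hits + [r for r in map(inspect_connection, conn_lines) if r]

# Constructed sample data, not real telemetry; the payload argument is redacted.
SAMPLE_ACCESS = [
    '10.0.0.5 - - [12/May/2025:10:01:02 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=the_geom HTTP/1.1" 200 5120',
    '10.0.0.9 - - [12/May/2025:10:01:09 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=exec(java.lang.Runtime.getRuntime(),[REDACTED]) HTTP/1.1" 200 812',
    '10.0.0.5 - - [12/May/2025:10:02:00 +0000] "GET /geoserver/wfs?service=WFS&request=GetCapabilities HTTP/1.1" 200 30211',
]
SAMPLE_CONN = ["192.168.1.20 203.0.113.10 443", "192.168.1.20 37.187.74.75 8080"]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_ACCESS, SAMPLE_CONN)))
```

The first detector is a structural check on the parameter rather than a signature, so it also catches variants that swap the class or method name, as long as they still need a function call inside `valueReference`.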

By adopting these measures, organizations can enhance their defenses against such covert and persistent cyber threats.