Ptechhub

GeoServer Exploits, PolarEdge, and Gayfemboy Push Cybercrime Beyond Traditional Botnets

By The Hacker News
August 23, 2025


Cybersecurity researchers are calling attention to multiple campaigns that exploit known security vulnerabilities and exposed Redis servers for a range of malicious ends, including turning the compromised devices into IoT botnets, residential proxies, or cryptocurrency mining infrastructure.

The first set of attacks entails the exploitation of CVE-2024-36401 (CVSS score: 9.8), a critical remote code execution vulnerability impacting OSGeo GeoServer GeoTools that has been weaponized in cyber attacks since late last year.

“Criminals have used the vulnerability to deploy legitimate software development kits (SDKs) or modified apps to gain passive income via network sharing or residential proxies,” Palo Alto Networks Unit 42 researchers Zhibin Zhang, Yiheng An, Chao Lei, and Haozhe Zhang said in a technical report.

“This method of generating passive income is particularly stealthy. It mimics a monetization strategy used by some legitimate app developers who choose SDKs instead of displaying traditional ads. This can be a well-intentioned choice that protects the user experience and improves app retention.”

The cybersecurity company said attackers have been probing GeoServer instances exposed to the internet since at least early March 2025, leveraging the access to drop customized executables from adversary-controlled servers. The payloads are distributed via a private instance of a file-sharing server using transfer.sh, as opposed to a conventional HTTP web server.

The applications used in the campaign aim to fly under the radar by consuming minimal resources, while stealthily monetizing victims’ internet bandwidth without the need for distributing custom malware. The binaries, written in Dart, are designed to interact with legitimate passive income services, discreetly using the device resources for activities like bandwidth sharing.


The approach is a win-win situation for all parties involved, as developers of the applications receive payments in exchange for integrating the feature, and the cybercriminals get to profit off unused bandwidth using a seemingly innocuous channel that doesn’t raise any red flags.

“Once running, the executable operates covertly in the background, monitoring device resources and illicitly sharing the victim’s bandwidth whenever possible,” Unit 42 said. “This generates passive income for the attacker.”

Telemetry data gathered by the company shows that there were over 7,100 publicly exposed GeoServer instances across 99 countries, with China, the United States, Germany, Great Britain, and Singapore taking the top five spots.

“This ongoing campaign showcases a significant evolution in how adversaries monetize compromised systems,” Unit 42 said. “The attackers’ core strategy focuses on stealthy, persistent monetization rather than aggressive resource exploitation. This approach favors long-term, low-profile revenue generation over easily detectable techniques.”

The disclosure comes as Censys detailed the infrastructural backbone powering a large-scale IoT botnet called PolarEdge, which has been assembled from enterprise-grade firewalls and consumer devices like routers, IP cameras, and VoIP phones by exploiting known security vulnerabilities. Its exact purpose is currently not known, although it’s clear that the botnet isn’t being used for indiscriminate mass scanning.

The initial access is then abused to drop a custom TLS backdoor based on Mbed TLS that provides encrypted command-and-control, log cleanup, and dynamic infrastructure updates. The backdoor has commonly been observed listening on high, non-standard ports, likely to stay outside the scope of routine network scans and defensive monitoring.

PolarEdge exhibits traits that align with an Operational Relay Box (ORB) network, with the attack surface management platform stating there are indications that the campaign started as far back as June 2023, reaching about 40,000 active devices as of this month. More than 70% of the infections are scattered across South Korea, the United States, Hong Kong, Sweden, and Canada.

“ORBs are compromised exit nodes that forward traffic in order to carry out additional compromises or attacks on behalf of threat actors,” security researcher Himaja Motheram said. “What makes ORBs so valuable to attackers is that they don’t need to take over the device’s core function – they can quietly relay traffic in the background while the device continues to operate normally, making detection by the owner or ISP unlikely.”

In recent months, vulnerabilities in products from vendors such as DrayTek, TP-Link, Raisecom, and Cisco have been targeted by bad actors to infiltrate them and deploy a Mirai botnet variant codenamed gayfemboy, suggesting an expansion of the targeting scope.

“The gayfemboy campaign spans multiple countries, including Brazil, Mexico, the United States, Germany, France, Switzerland, Israel, and Vietnam,” Fortinet said. “Its targets also cover a broad range of sectors, such as manufacturing, technology, construction, and media or communications.”

Gayfemboy is capable of targeting various system architectures, including ARM, AArch64, MIPS R3000, PowerPC, and Intel 80386. It incorporates four primary functions:

  • Monitor, which tracks threads and processes while incorporating persistence and sandbox evasion techniques
  • Watchdog, which attempts to bind to UDP port 47272
  • Attacker, which launches DDoS attacks using UDP, TCP, and ICMP protocols, and enables backdoor access by connecting to a remote server to receive commands
  • Killer, which terminates itself if it receives the command from the server or detects sandbox manipulation

“While Gayfemboy inherits structural elements from Mirai, it introduces notable modifications that enhance both its complexity and ability to evade detection,” security researcher Vincent Li said. “This evolution reflects the increasing sophistication of modern malware and reinforces the need for proactive, intelligence-driven defense strategies.”


The findings also coincide with a cryptojacking campaign undertaken by a threat actor dubbed TA-NATALSTATUS that’s targeting exposed Redis servers to deliver cryptocurrency miners.

The attack essentially involves scanning for unauthenticated Redis servers on port 6379, then issuing legitimate CONFIG, SET, and SAVE commands to install a malicious cron job that runs a shell script. That script disables SELinux, performs defense evasion steps, blocks external connections to the Redis port so that rival actors cannot use the same initial access pathway, and terminates competing mining processes (e.g., Kinsing).

Also deployed are scripts that install tools like masscan or pnscan and then launch commands like “masscan --shard” to scan the internet for further susceptible Redis instances. The last step involves setting up persistence via an hourly cron job and kicking off the mining process.
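The whole Redis procedure above hinges on one precondition: an internet-reachable Redis instance with no authentication and with CONFIG and SAVE still callable. The following audit script, added here as an illustration and not taken from the article, CloudSEK or the Redis project, parses a redis.conf and reports the settings that create that precondition, with a constructed weak configuration beside a hardened one. The directive names (`bind`, `protected-mode`, `requirepass`, `user`, `rename-command`, `dir`) are real redis.conf directives; the two sample configurations, the list of suspicious data directories and the finding codes are this example's own choices.

```python
"""Audit a redis.conf for the exposure that the cryptojacking procedure above
depends on: an unauthenticated, wildcard-bound instance whose CONFIG and SAVE
commands are still reachable.

Added example, not from the article or from CloudSEK/Redis. The directive
names are real redis.conf directives; both sample configurations below are
constructed for this demonstration.
"""
import shlex

# Constructed sample: an instance exposed the way the campaign scans for.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
dir /tmp
"""

# Constructed sample: the same instance after hardening.
HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass "replace-with-a-long-random-secret"   # placeholder, not a real secret
rename-command CONFIG ""
rename-command SAVE ""
rename-command DEBUG ""
dir /var/lib/redis
"""

# A Redis data dir should never point here: an RDB dump written into one of
# these is how CONFIG SET + SAVE turns into a cron entry or SSH key.
SUSPICIOUS_DIRS = ("/var/spool/cron", "/etc/cron.d", "/etc/cron.hourly", "/root/.ssh")

# bind values that expose the listener on every interface
WILDCARD_BINDS = {"0.0.0.0", "::", "*", "-::*"}


def parse_conf(text):
    """Yield (directive, args) pairs with the directive lowercased and comments stripped."""
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if parts:
            yield parts[0].lower(), parts[1:]


def audit_redis_conf(text):
    """Return a sorted list of finding codes for the given redis.conf text."""
    binds = None                 # absent bind => Redis listens on all interfaces
    protected = "yes"            # Redis default when the directive is absent
    has_auth = False
    config_disabled = False
    data_dir = None
    for directive, args in parse_conf(text):
        if directive == "bind":
            binds = args
        elif directive == "protected-mode" and args:
            protected = args[0].lower()
        elif directive == "requirepass" and args and args[0]:
            has_auth = True
        elif directive == "user" and args and "nopass" not in [a.lower() for a in args]:
            has_auth = True      # Redis 6+ ACL users also provide authentication
        elif directive == "rename-command" and len(args) == 2:
            if args[0].upper() == "CONFIG" and args[1] == "":
                config_disabled = True
        elif directive == "dir" and args:
            data_dir = args[0]

    findings = []
    if binds is None or any(b in WILDCARD_BINDS for b in binds):
        findings.append("exposed-bind")
    if protected != "yes":
        findings.append("protected-mode-off")
    if not has_auth:
        findings.append("no-auth")
    if not config_disabled:
        findings.append("config-command-enabled")
    if data_dir and any(data_dir.rstrip("/").startswith(d) for d in SUSPICIOUS_DIRS):
        findings.append("dir-suspicious")
    return sorted(findings)


if __name__ == "__main__":
    print("weak:    ", audit_redis_conf(WEAK_CONF))
    print("hardened:", audit_redis_conf(HARDENED_CONF))
```

Run it against a copy of the live redis.conf, or against the output of `CONFIG GET *` reshaped into directive lines, and treat any finding other than an empty list as a ticket. The `dir-suspicious` check is the one that flags an instance that has already been abused rather than one that is merely exposed, so it belongs in a scheduled job, not only in a deployment-time review.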

Cybersecurity firm CloudSEK said the activity is an evolution of an attack campaign disclosed by Trend Micro in April 2020, adding rootkit-like capabilities that hide malicious processes and alter the timestamps of their files to frustrate forensic analysis.

“By renaming system binaries like ps and top to ps.original and replacing them with malicious wrappers, they filter their own malware (httpgd) out of the output. An admin looking for the miner won’t see it using standard tools,” researcher Abhishek Mathew said. “They rename curl and wget to cd1 and wd1. This is a simple but brilliant method to bypass security products that monitor for malicious downloads specifically initiated by these common tool names.”
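The two tricks Mathew describes leave file-system traces that are easy to check for, even when `ps` itself can no longer be trusted: a `.original` copy of a system tool sitting next to a non-ELF wrapper, and downloaders living under names like `cd1` and `wd1`. The script below is an added example, not code from the article or from CloudSEK; the indicator names (`ps.original`, `top.original`, `cd1`, `wd1`, `httpgd`) are the ones the article quotes, while the in-memory filesystem snapshots, the finding codes and the `snapshot_real_fs()` helper for a live Linux host are this example's own constructions.

```python
"""Look for the ps/top wrapper and renamed-downloader indicators that the
CloudSEK description above attributes to TA-NATALSTATUS.

Added example, not from the article or CloudSEK. Indicator names come from
the article; the two filesystem snapshots are constructed so the audit runs
offline, and snapshot_real_fs() is a hypothetical helper for a live host.
"""
import os

ELF_MAGIC = b"\x7fELF"
SHADOW_SUFFIX = ".original"
WRAPPED_TOOLS = ("ps", "top")          # tools the campaign replaces with wrappers
RENAMED_DOWNLOADERS = ("cd1", "wd1")   # curl and wget under new names
BIN_DIRS = ("/bin", "/usr/bin", "/sbin", "/usr/sbin")

# Constructed stand-in for the first bytes of a genuine ELF binary.
ELF_HEAD = ELF_MAGIC + b"\x02\x01\x01"

# Constructed snapshot of a clean host: path -> first bytes of the file.
CLEAN_FS = {
    "/bin/ps": ELF_HEAD,
    "/usr/bin/top": ELF_HEAD,
    "/usr/bin/curl": ELF_HEAD,
    "/usr/bin/wget": ELF_HEAD,
}

# Constructed snapshot showing the traces described in the article.
COMPROMISED_FS = {
    "/bin/ps": b"#!/bin/sh\n# constructed wrapper that filters httpgd out of ps.original output\n",
    "/bin/ps.original": ELF_HEAD,
    "/usr/bin/top": ELF_HEAD,
    "/usr/bin/cd1": ELF_HEAD,
    "/usr/bin/wd1": ELF_HEAD,
}


def audit_binaries(fs):
    """fs maps absolute path -> first bytes of that file. Returns sorted finding codes."""
    findings = []
    for path, head in fs.items():
        directory, name = os.path.split(path)
        if directory not in BIN_DIRS:
            continue
        base = name[: -len(SHADOW_SUFFIX)] if name.endswith(SHADOW_SUFFIX) else None
        if base in WRAPPED_TOOLS:
            findings.append(f"shadow-copy:{path}")          # ps.original / top.original
        if name in RENAMED_DOWNLOADERS:
            findings.append(f"renamed-downloader:{path}")   # cd1 / wd1
        if name in WRAPPED_TOOLS and not head.startswith(ELF_MAGIC):
            # a real ps/top is an ELF binary; a shebang means a script wrapper
            kind = "wrapper-script" if head.startswith(b"#!") else "non-elf"
            findings.append(f"{kind}:{path}")
    return sorted(findings)


def snapshot_real_fs(dirs=BIN_DIRS, nbytes=4):
    """Hypothetical helper: read the first bytes of every regular file in dirs on a Linux host."""
    fs = {}
    for d in dirs:
        try:
            entries = os.scandir(d)
        except OSError:
            continue
        with entries:
            for entry in entries:
                if entry.is_file():   # follows symlinks, so a busybox-style ps reads as ELF
                    try:
                        with open(entry.path, "rb") as fh:
                            fs[entry.path] = fh.read(nbytes)
                    except OSError:
                        pass
    return fs


if __name__ == "__main__":
    print("clean:      ", audit_binaries(CLEAN_FS))
    print("compromised:", audit_binaries(COMPROMISED_FS))
```

This is an indicator check, not a rootkit scanner: it catches the specific renames the article describes and nothing cleverer. On a host where `ps` is suspect, pair it with a comparison of `ps` output against the PIDs listed directly in `/proc`, and run it from a package-integrity check (`rpm -V procps-ng` or `dpkg --verify`) rather than from the host's own possibly-wrapped tools.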


