A new report from Palo Alto Networks’ Unit 42 has shed light on an unusual and stealthy monetization campaign that exploits CVE-2024-36401, a critical remote code execution (RCE) vulnerability in GeoServer, to hijack server resources for passive income schemes.
Unit 42 researchers explained, “We have detected a campaign aimed at gaining access to victims’ machines and monetizing access to their bandwidth.” Rather than deploying ransomware or cryptominers, attackers are leveraging legitimate passive income SDKs and apps to quietly earn money from compromised systems.
These SDKs typically allow developers to monetize apps by sharing users’ internet bandwidth instead of displaying ads—a legitimate business model in some contexts. However, in this campaign, adversaries co-opted the same mechanism. “The applications we found in this malicious activity are nearly silent when operating. They consume minimal resources while monetizing victims’ internet bandwidth, and without creating or distributing malware.”
CVE-2024-36401, rated CVSS 9.8, stems from the way GeoServer (through the GeoTools library) evaluates property and attribute names taken from OGC requests: the names are handed unsanitized to Apache Commons JXPath, which evaluates XPath expressions over Java object graphs. The flaw is reachable by unauthenticated users against a default installation. According to Unit 42, “JXPath supports extension functionality, which an attacker can exploit if they gain control over the query statement, allowing them to execute arbitrary code. This poses a greater risk than typical query injection vulnerabilities.”
Exploits observed in the wild embed a JXPath extension-function call that reaches java.lang.Runtime.getRuntime().exec(), so an attacker-controlled property name becomes an arbitrary operating-system command. Attackers then deployed customized executables designed to silently integrate with passive income services.
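Because the command is carried in an ordinary OGC query parameter, exploitation attempts leave a recognisable trace in web-server access logs. The following Python triage helper is an added example, not code from the Unit 42 report or the GeoServer project: it flags GeoServer versions below the fixed releases listed in the project's advisory (2.23.6, 2.24.4, 2.25.2) and scans Common Log Format lines for query parameters whose decoded value contains a JXPath exec() call. The log lines, addresses and timestamps are constructed placeholders, not indicators from the report.

```python
"""Triage helper for CVE-2024-36401 (GeoServer / JXPath): version check and access-log scan."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# First fixed release on each affected branch, per GeoServer advisory GHSA-6jj6-gm7p-fcvv.
FIXED_VERSIONS = {(2, 23): (2, 23, 6), (2, 24): (2, 24, 4), (2, 25): (2, 25, 2)}

# A JXPath extension-function call reaching the Java runtime. Every query parameter is
# checked rather than only valueReference/propertyName, so no assumption is made about
# which OGC parameters reach the vulnerable code path.
JXPATH_EXEC = re.compile(
    r"(?:^|[^\w.])exec\s*\(|java\.lang\.(?:Runtime|ProcessBuilder|Thread|reflect)|getRuntime\s*\(",
    re.IGNORECASE,
)

# Common Log Format: src ident user [ts] "METHOD url PROTO" status size
CLF = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_version(version: str) -> tuple:
    """'2.25.1' -> (2, 25, 1); missing components default to 0."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable_version(version: str) -> bool:
    """True when the release predates the fix on its branch (older branches never got one)."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is not None:
        return (major, minor, patch) < fixed
    return (major, minor) < (2, 23)


def decode_param(value: str) -> str:
    """Undo up to two further layers of percent-encoding (parse_qs already removed one)."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(url: str) -> list:
    """Return (parameter, decoded value) pairs whose value looks like a JXPath exec() call."""
    hits = []
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        for raw in values:
            value = decode_param(raw)
            if JXPATH_EXEC.search(value):
                hits.append((name, value))
    return hits


def scan_access_log(lines) -> list:
    """Yield one finding per suspicious parameter in GeoServer requests, regardless of status."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m or "/geoserver/" not in m.group("url").lower():
            continue
        for name, value in suspicious_params(m.group("url")):
            findings.append({"src": m.group("src"), "ts": m.group("ts"),
                             "status": int(m.group("status")), "param": name, "value": value})
    return findings


# Constructed sample lines (placeholder addresses/timestamps): one plain GetFeature, one
# single-encoded exec() in valueReference, one benign GetMap, one double-encoded exec().
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Mar/2025:08:12:01 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetFeature&typeNames=sf:archsites&propertyName=the_geom HTTP/1.1" 200 4096',
    '192.0.2.77 - - [05/Mar/2025:08:12:09 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec(java.lang.Runtime.getRuntime()%2C%27id%27) HTTP/1.1" 400 1523',
    '192.0.2.77 - - [05/Mar/2025:08:12:15 +0000] "GET /geoserver/wms?service=WMS&request=GetMap&layers=sf:archsites&bbox=0,0,1,1&width=256&height=256&srs=EPSG:4326&format=image/png HTTP/1.1" 200 8821',
    '192.0.2.88 - - [05/Mar/2025:08:13:40 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=%2565xec%2528java.lang.Runtime.getRuntime%2528%2529%252C%2527id%2527%2529 HTTP/1.1" 500 2048',
]

if __name__ == "__main__":
    print("2.25.1 vulnerable:", is_vulnerable_version("2.25.1"))
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Two caveats for anyone running this against real logs: only GET query strings are visible in access logs, so WFS or WPS requests carrying the same expression in an XML POST body need the request body (or a WAF log) to be inspected; and the response status is not a success indicator, since the extension function is evaluated while the expression is parsed, before GeoServer builds its reply, so a 4xx or 5xx line with a match should still be treated as an attempt.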
The campaign began in early March 2025, with exploit attempts traced to the IP 108.251.152[.]209. From there, malicious payloads were distributed via servers such as 37.187.74[.]75. Unit 42 tracked the operation across three phases:
- Phase 1 – Initial Incursion (March 2025): Attackers delivered both a misused SDK and a misused app.
- Phase 2 – Shifting Tactics (Late March–Early April 2025): Focus shifted entirely to distributing the SDK, with infrastructure moving to new IPs like 185.246.84[.]189 to evade detection.
- Phase 3 – Infrastructure Expansion (Mid-April–Ongoing): Attackers added further distribution servers, including 64.226.112[.]52, while maintaining older ones to ensure resilience.
Interestingly, the attackers relied on self-hosted instances of Transfer.sh, a legitimate file-sharing service, to stage payloads—demonstrating their preference for blending malicious operations with normal internet infrastructure.
Unlike traditional malware campaigns that quickly drain resources, this operation favors persistence. As Unit 42 put it, “This ongoing campaign showcases a significant evolution in how adversaries monetize compromised systems. The attackers’ core strategy focuses on stealthy, persistent monetization rather than aggressive resource exploitation.”
One technical highlight is the use of Dart, an open-source programming language rarely associated with malware. The report notes, “The attackers used Dart to integrate the passive income SDK and interact with its service… They leveraged this feature to compile the executable specifically for Linux system architectures.” Dart's ahead-of-time compilation produces a single native Linux binary, which travels easily between hosts and is less familiar to detection logic written around the languages malware usually uses.
With more than 7,000 exposed GeoServer instances observed globally in March and April 2025, the attack surface is significant; China, the U.S., and several European countries host the largest shares.
As the report emphasizes, prompt patching is critical. The fix shipped in GeoServer 2.23.6, 2.24.4 and 2.25.2, so any earlier 2.x release reachable from the internet should be treated as exploitable and upgraded. Beyond patching, organizations should baseline outbound bandwidth and long-lived connections from GeoServer hosts, since the monetization described here produces sustained egress rather than the CPU spikes of a miner, and audit which OGC endpoints actually need to be exposed.