Your Connection, Their Cash: Threat Actors Misuse SDKs to Sell Your Bandwidth
Summary:
In early March 2025, threat actors began actively exploiting CVE-2024-36401, a critical remote code execution vulnerability in the GeoServer geospatial database with a CVSS score of 9.8, to gain covert access to victim environments. Rather than deploying traditional malware or ransomware, the attackers focus on stealthy monetization by installing legitimate, but misused, applications and software development kits that repurpose victims’ internet bandwidth for passive income. This strategy mirrors monetization methods sometimes used by legitimate developers, but in this case it is weaponized to generate profit through residential proxy networks and bandwidth-sharing schemes, allowing the actors to operate quietly and with reduced risk of detection. The malicious applications are designed to run nearly silently, consuming minimal resources while diverting internet traffic in ways that remain difficult to identify or classify as malicious.
The campaign has evolved across multiple phases. Attackers began exploiting CVE-2024-36401 to deliver both misused apps and SDK payloads from attacker-controlled infrastructure, with samples designated a193, d193, and e193 for the apps and a593, c593, d593, s593, and z593 for the SDK variants. By late March, as the security community flagged their original infrastructure as malicious, the adversaries shifted tactics, abandoning app distribution in favor of SDK-only deployment and migrating to new IP addresses to evade blocklists. In April, the campaign expanded again, adding more backend infrastructure and additional distribution hosts, some using transfer.sh file-sharing servers to push payloads in a staged sequence. Each payload was designed for persistence, creating hidden directories and launching executables that blended into legitimate processes.
The attack abuses JXPath, a component of the Apache Commons project, to achieve arbitrary code execution. By injecting commands into JXPath query statements, attackers can invoke dangerous functions such as Runtime.getRuntime().exec() to execute system-level commands.
Security Officer Comments:
Exploit payloads observed in the wild show that attackers leveraged this injection capability to download secondary payloads and launch executables from attacker-controlled servers. Telemetry from Cortex Xpanse revealed more than 7,000 publicly exposed GeoServer instances worldwide, with the highest concentration in China, followed by the U.S., Germany, Great Britain, and Singapore. Unlike cryptojacking campaigns that aggressively consume system resources, this operation prioritizes subtlety and longevity. By exploiting legitimate SDKs, some even unmodified from the vendor’s own site, the attackers can bypass traditional endpoint detection and remain undetected for extended periods. They also adopted the Dart programming language for their executables, likely for cross-platform compatibility on Linux systems and to further reduce detection risk given that Dart is less commonly associated with malicious tooling. This focus on low-profile, persistent monetization underscores a shift in adversary behavior toward strategies that exploit legitimate business models for malicious gain.
Suggested Corrections:
Patch and Update: Immediately apply security patches for GeoServer addressing CVE-2024-36401, and ensure all related Apache Commons components (like JXPath) are fully updated.
Reduce Exposure: Restrict public internet access to GeoServer instances by placing them behind VPNs, firewalls, or access gateways, and only allow trusted networks to communicate with them.
Apply WAF Rules: Deploy web application firewall signatures to detect and block suspicious WFS/WMS/WPS requests that may contain JXPath payloads or command injection attempts.
Monitor for Abnormal SDK/Process Activity: Watch for unusual network usage, hidden directories, or executables tied to SDK-like behavior that could indicate passive bandwidth monetization schemes.
Threat Detection & Response: Enable EDR/XDR solutions to detect post-exploitation persistence, hidden executables, or anomalous outbound connections to suspicious IPs or transfer.sh instances.
Harden Configurations: Disable GeoServer services that are not required, and limit administrative functions to secure, authenticated channels.
Incident Preparedness: Establish a response plan to quickly isolate affected servers, remove malicious payloads, and rotate credentials in the event of suspected compromise.
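As an added illustration of the WAF/log-monitoring advice above (example code written for this summary, not from Unit 42 or the GeoServer project), the following Python scans access-log lines for OGC requests whose XPath-evaluated parameters carry Java invocation markers such as the Runtime.getRuntime().exec() call named in the write-up. The log format, the default /geoserver context path, and the list of XPath-evaluated parameter names are assumptions for this example; the sample log lines are constructed, with the command replaced by a placeholder.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined-log-style access line (constructed format for this example):
# client ident user [time] "METHOD target HTTP/x" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# GeoServer OGC endpoints; assumes the default /geoserver context path.
OGC_PATH_RE = re.compile(r"^/geoserver(?:/[^/]+)?/(?:wfs|wms|wps|ows)/?$", re.IGNORECASE)
# Request parameters whose values GeoServer evaluates as property/XPath expressions
# (assumed list for this example; extend it for your version and extensions).
XPATH_PARAMS = {"valuereference", "filter", "cql_filter", "propertyname"}
# Java invocation markers that never belong in a feature-property reference.
# Runtime.getRuntime().exec() is the function named in the write-up; the other
# tokens are generic markers of Java class or method access.
JAVA_EXEC_RE = re.compile(r"java\.lang\.|getRuntime|ProcessBuilder|\bexec\s*\(|javax\.", re.IGNORECASE)


def inspect_request(target: str):
    """Return {'param', 'value'} if an OGC request carries a Java invocation in an XPath parameter, else None."""
    parts = urlsplit(target)
    if not OGC_PATH_RE.match(parts.path):
        return None
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote_plus(value)  # parse_qsl decoded once; a second pass catches double encoding
        if key.lower() in XPATH_PARAMS and JAVA_EXEC_RE.search(decoded):
            return {"param": key, "value": decoded}
    return None


def scan_access_log(lines):
    """Return one finding per suspicious line: (client IP, parameter name, decoded value)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = inspect_request(m.group("target"))
        if hit:
            findings.append((m.group("ip"), hit["param"], hit["value"]))
    return findings


# Constructed sample lines: a normal GetFeature, an injection attempt (command replaced by a
# placeholder), and a non-OGC path that mentions exec( but must not alert.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Mar/2025:10:14:02 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0'
    '&request=GetFeature&typeNames=topp:states&propertyName=STATE_NAME HTTP/1.1" 200 5120',
    '198.51.100.23 - - [05/Mar/2025:10:14:09 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0'
    '&request=GetPropertyValue&typeNames=topp:states&valueReference=java.lang.Runtime.getRuntime%28%29'
    '.exec%28%27REDACTED_COMMAND%27%29 HTTP/1.1" 200 331',
    '203.0.113.7 - - [05/Mar/2025:10:15:00 +0000] "GET /app/search?q=exec%28 HTTP/1.1" 404 120',
]

if __name__ == "__main__":
    for ip, param, value in scan_access_log(SAMPLE_LOG):
        print(f"ALERT {ip}: Java invocation in parameter {param!r}: {value}")
```

Access logs do not record POST bodies, so the same parameter checks should also be applied by the WAF to XML request bodies sent to these endpoints.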
Link(s):
https://unit42.paloaltonetworks.com/attackers-sell-your-bandwidth-using-sdks/