GeoServer Exploits, PolarEdge, and Gayfemboy Push Cybercrime Beyond Traditional Botnets

Cybersecurity researchers are warning about several campaigns that exploit known security vulnerabilities to target Redis servers for malicious ends, including enlisting compromised devices in IoT botnets, residential proxy networks, and cryptocurrency mining operations.

One of the attacks involves exploiting CVE-2024-36401, a remote code execution vulnerability in OSGeo GeoServer GeoTools. Attackers have been abusing this flaw since late last year to deploy SDKs or modified apps that generate passive income through network-sharing or residential-proxy schemes.

According to researchers at Palo Alto Networks Unit 42, the attackers have been targeting exposed GeoServer instances since early March 2025, delivering customized executables via a private file-sharing server. These Dart executables are built to quietly consume the victims' internet bandwidth and resell it through bandwidth-sharing services.

Legitimate app developers are paid for integrating such bandwidth-sharing features; here the cybercriminals collect that payment from the victims' unused bandwidth, and because the activity has a low footprint it rarely raises suspicion.

Another campaign involves a large-scale IoT botnet called PolarEdge, which targets enterprise-grade firewalls and consumer devices using known security vulnerabilities. The botnet utilizes a custom TLS backdoor for encrypted command-and-control, log cleanup, and dynamic infrastructure updates.

Furthermore, bad actors have been exploiting vulnerabilities in products from vendors like DrayTek, TP-Link, Raisecom, and Cisco to deploy a Mirai botnet variant known as gayfemboy. This campaign spans multiple countries and sectors, showcasing the attackers’ increasing sophistication.

Additionally, a threat actor tracked as TA-NATALSTATUS has been targeting Redis servers for cryptojacking, deploying cryptocurrency miners on servers exposed without authentication and running malicious scripts designed to evade detection.
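The Redis campaign above succeeds because instances are reachable without a password. The following script, an added example that is not part of the original article or of any vendor tooling, parses a `redis.conf` and flags the settings that leave an instance open to exactly that kind of abuse: a missing `requirepass`, `protected-mode no`, a wildcard `bind`, and an un-renamed `CONFIG` command. Both configuration samples are constructed for illustration, and the password value is a placeholder.

```python
"""Audit a redis.conf for settings that expose an unauthenticated Redis instance.

Added example (not from the article). Sample configurations are constructed."""

# Constructed sample: a typical weak configuration.
WEAK_CONF = """\
# redis.conf (constructed sample)
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is commented out, so any client can issue commands
# requirepass change-me
"""

# Constructed sample: the same instance hardened. The password is a placeholder.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command CONFIG ""
rename-command DEBUG ""
"""

# Address forms that make Redis listen on every interface.
WILDCARD_BINDS = {"0.0.0.0", "*", "::"}


def parse_conf(text):
    """Return {directive: [value, ...]} for the active (non-comment) lines.

    Directives such as rename-command may repeat, so values are kept in lists."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def audit(text):
    """Return a list of findings; an empty list means no weak setting was seen."""
    conf = parse_conf(text)
    findings = []

    # 1. No password at all: any client that reaches the port can run commands.
    password = conf.get("requirepass", [""])[0].strip().strip('"')
    if not password:
        findings.append("requirepass unset: unauthenticated clients can run commands")

    # 2. protected-mode is the loopback-only safeguard for password-less instances.
    if conf.get("protected-mode", ["yes"])[0].strip().lower() == "no":
        findings.append("protected-mode no: loopback-only safeguard disabled")

    # 3. An absent bind directive means all interfaces, as do the wildcard forms.
    #    A leading '-' marks an optional address in Redis and is ignored here.
    bind_addrs = conf.get("bind", ["0.0.0.0"])[0].split()
    if any(addr.lstrip("-") in WILDCARD_BINDS for addr in bind_addrs):
        findings.append("bind on all interfaces: instance reachable from the network")

    # 4. CONFIG lets a connected client rewrite runtime settings; disabling or
    #    renaming it is the documented mitigation.
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    if "CONFIG" not in renamed:
        findings.append('CONFIG command exposed: consider rename-command CONFIG ""')

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(conf) or ['no findings']}")
```

Run it against a real `redis.conf` by reading the file into `audit()`; an empty result is the expected state for any instance that has to sit on a routable interface, and the `bind` finding alone is acceptable only when a firewall or network policy restricts the port.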

These evolving attack campaigns highlight the need for proactive defense strategies to combat modern malware and emerging cybersecurity threats.