CoinMiner Attacks Exploiting GeoServer Vulnerability

Aug. 10, 2025, 9:39 p.m.

Description

A critical remote code execution vulnerability in GeoServer (CVE-2024-36401) is being actively exploited by threat actors to install CoinMiner malware. The attacks target both Windows and Linux environments running unpatched GeoServer installations. In South Korea, attackers exploited the vulnerability to execute PowerShell commands that installed NetCat for remote access and XMRig for cryptocurrency mining. The attack chain consists of downloading malicious scripts, terminating competing miners, and establishing persistence through cron jobs. The threat actors mine Monero via pool.supportxmr.com and can potentially perform additional malicious activity through the installed NetCat.

Date

  • Created: Aug. 8, 2025, 5:08 p.m.
  • Published: Aug. 8, 2025, 5:08 p.m.
  • Modified: Aug. 10, 2025, 9:39 p.m.

Indicators

  • 118ae6110a4b5708433ebd5809682e8c30f281f459a3b92b3e8ada5023eb6640
  • 063a65d2d36cae110d6d6c400956a125b9c35176d628a9a8f4d8e2133ec4d887
  • 3e59379f585ebf0becb6b4e06d0fbbf806de28a4bb256e837b4555f1b4245571
  • 182.218.82.14

Attack Patterns

Additional Information

  • Government