GeoServer Exploits and Emerging Groups Expanding Cybercrime Beyond Botnets

Growing Cybercrime Campaigns Targeting Servers and IoT Devices

Cybersecurity experts are highlighting multiple ongoing campaigns where attackers exploit known security flaws, particularly in Redis servers, to conduct malicious activities. These include building IoT botnets, setting up residential proxies, and creating cryptocurrency mining infrastructures.

One major focus is CVE-2024-36401 (CVSS 9.8), a critical remote code execution vulnerability in OSGeo GeoServer GeoTools that has been actively abused since late 2024.

According to Palo Alto Networks Unit 42 researchers, cybercriminals use this flaw to deploy either legitimate SDKs or modified apps to secretly generate income through network sharing and residential proxies. This strategy mirrors monetization methods used by some legitimate developers who integrate SDKs instead of displaying ads. The difference is that attackers abuse this technique to covertly profit from victims’ internet bandwidth.

Stealthy Monetization via GeoServer Exploits

Unit 42 reports that since March 2025, attackers have been scanning internet-exposed GeoServer instances and dropping custom executables from adversary-controlled servers. These payloads are hosted on private file-sharing services like transfer.sh instead of traditional HTTP servers.

The executables, written in Dart, are lightweight and consume minimal resources. Their goal is to avoid detection while silently using victims’ internet connections for passive income services. Once executed, the software runs in the background and quietly shares bandwidth without the victim’s knowledge, creating an ongoing revenue stream for attackers.

Telemetry shows more than 7,100 publicly exposed GeoServer instances across 99 countries, with the largest numbers in China, the United States, Germany, Great Britain, and Singapore. Researchers warn that this reflects a shift toward long-term, stealth-based monetization instead of aggressive exploitation.

PolarEdge IoT Botnet and Operational Relay Box (ORB) Networks

Meanwhile, security firm Censys revealed details about PolarEdge, a large-scale IoT botnet built from compromised enterprise firewalls, routers, IP cameras, and VoIP phones. The botnet installs a custom TLS backdoor (based on Mbed TLS) that enables encrypted communication, log cleanup, and dynamic infrastructure updates.

PolarEdge has infected nearly 40,000 active devices since June 2023, mostly in South Korea, the U.S., Hong Kong, Sweden, and Canada. Researchers note that it functions like an Operational Relay Box (ORB) network, where compromised devices silently forward traffic on behalf of threat actors while continuing their normal operations. This makes detection by users or ISPs far less likely.

The Rise of the “Gayfemboy” Botnet Variant

Recent attacks have also exploited vulnerabilities in products from DrayTek, TP-Link, Raisecom, and Cisco, leading to the deployment of a Mirai-based botnet variant nicknamed gayfemboy.

Fortinet researchers explain that this campaign spans countries including Brazil, Mexico, the U.S., Germany, France, Switzerland, Israel, and Vietnam, targeting industries like manufacturing, construction, technology, and media.

The malware supports multiple architectures (ARM, AArch64, MIPS R3000, PowerPC, Intel 80386) and features four main modules:

  • Monitor – tracks processes, maintains persistence, and evades sandbox detection
  • Watchdog – binds to UDP port 47272
  • Attacker – launches DDoS attacks (UDP, TCP, ICMP) and maintains backdoor access
  • Killer – terminates itself when ordered or if sandbox manipulation is detected

Security researcher Vincent Li notes that while gayfemboy inherits from Mirai, it has evolved with new evasion and persistence mechanisms, making it more advanced and harder to detect.

Redis Servers Under Attack for Cryptojacking

In addition, a group known as TA-NATALSTATUS is targeting exposed Redis servers for cryptojacking operations. Attackers scan port 6379 for unauthenticated Redis servers, then issue legitimate commands like CONFIG, SET, and SAVE to create malicious cron jobs.

These cron jobs disable SELinux, block external Redis connections (to lock out rival attackers), and kill competing miners such as Kinsing. They also install scanning tools like masscan to identify other vulnerable servers and achieve persistence with hourly jobs.
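The CONFIG/SET/SAVE sequence described above leaves a recognisable trace in Redis MONITOR output. The following is an added detection example (not code from the article or from CloudSEK) that scans constructed MONITOR lines for a client that points the dump directory at a cron path and then saves; the sample lines, the cron directory list and the MONITOR line format are assumptions, and it also accepts BGSAVE, which the article does not mention.

```python
import re

# Constructed sample of redis-cli MONITOR output (not from the article). Format:
# <timestamp> [<db> <client>] "CMD" "arg" ...; newlines inside values are escaped as \n.
SAMPLE_MONITOR = """\
1700000000.100000 [0 203.0.113.5:51234] "PING"
1700000000.200000 [0 203.0.113.5:51234] "CONFIG" "SET" "dir" "/var/spool/cron"
1700000000.300000 [0 203.0.113.5:51234] "CONFIG" "SET" "dbfilename" "root"
1700000000.400000 [0 203.0.113.5:51234] "SET" "x" "\\n* * * * * /tmp/placeholder_payload\\n"
1700000000.500000 [0 203.0.113.5:51234] "SAVE"
1700000001.000000 [0 10.0.0.7:40000] "GET" "session:abc"
"""

# Directories where a written RDB dump would be read as a crontab (assumption: typical Linux paths)
CRON_DIRS = ("/var/spool/cron", "/etc/cron.d", "/etc/crontabs")
LINE_RE = re.compile(r'^(?P<ts>\S+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
CRON_SPEC_RE = re.compile(r'\*(?:/\d+)? \* \* \* \*')  # five-field schedule inside a SET value

def parse_line(line):
    """Split one MONITOR line into (timestamp, client, [command, args...])."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = re.findall(r'"((?:[^"\\]|\\.)*)"', m.group("args"))
    return m.group("ts"), m.group("client"), args

def detect_cron_abuse(monitor_text):
    """Flag each client that redirects the dump dir to a cron path and then SAVEs/BGSAVEs."""
    state, findings = {}, []
    for line in monitor_text.splitlines():
        parsed = parse_line(line)
        if not parsed or not parsed[2]:
            continue
        ts, client, args = parsed
        cmd = args[0].upper()
        st = state.setdefault(client, {"dir": None, "dbfilename": None, "cron_payload": False})
        if cmd == "CONFIG" and len(args) >= 4 and args[1].upper() == "SET":
            key, val = args[2].lower(), args[3]
            if key == "dir" and val.rstrip("/").startswith(CRON_DIRS):
                st["dir"] = val
            elif key == "dbfilename":
                st["dbfilename"] = val
        elif cmd == "SET" and len(args) >= 3 and CRON_SPEC_RE.search(args[2]):
            st["cron_payload"] = True  # a value that looks like a crontab entry
        elif cmd in ("SAVE", "BGSAVE") and st["dir"]:
            findings.append({"ts": ts, "client": client, "dir": st["dir"],
                             "dbfilename": st["dbfilename"], "cron_payload": st["cron_payload"]})
    return findings
```

Feed it the output of `redis-cli MONITOR` (or a MONITOR capture from your logging pipeline); each finding names the client, the dump path and whether a crontab-shaped value was seen before the save.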

CloudSEK researchers note that this campaign builds on earlier Redis-targeted operations identified in 2020, now enhanced with rootkit-like features. Attackers rename system binaries (e.g., ps, top, curl, wget) to evade detection and trick administrators into missing malicious processes.
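Because the renamed-binary trick works only as long as nobody checks the tools themselves, a quick integrity pass over ps, top, curl and wget is a reasonable response. The following is an added example (not from the article or CloudSEK) that flags a watched binary when it is missing, is a symlink leaving its directory, does not start with the ELF magic (a script wrapper), or has a displaced sibling such as ps.original; the alias suffixes, the fixture contents and the heuristics themselves are assumptions, not the group's documented behaviour.

```python
import os
import tempfile

# Tools the article says get renamed; the heuristics below are an added sanity check,
# not a description of the group's actual tampering method.
WATCHED = ("ps", "top", "curl", "wget")
ELF_MAGIC = b"\x7fELF"
# Names a displaced original might be left under (assumption; extend from your own baseline)
ALIAS_SUFFIXES = (".original", ".bak", ".old")

def audit_binaries(bindir, names=WATCHED):
    """Return (name, reason) pairs for binaries that look replaced or displaced."""
    findings = []
    real_bindir = os.path.realpath(bindir)
    for name in names:
        path = os.path.join(bindir, name)
        if not os.path.lexists(path):
            findings.append((name, "missing"))
            continue
        if os.path.islink(path):
            target = os.path.realpath(path)
            if not os.path.exists(target):
                findings.append((name, f"dangling symlink: {target}"))
                continue
            if os.path.dirname(target) != real_bindir:
                findings.append((name, f"symlink leaves bindir: {target}"))
        with open(path, "rb") as fh:
            if fh.read(4) != ELF_MAGIC:
                findings.append((name, "not an ELF binary (wrapper script?)"))
        for alias in [name + s for s in ALIAS_SUFFIXES] + ["." + name]:
            if os.path.lexists(os.path.join(bindir, alias)):
                findings.append((name, f"displaced original present: {alias}"))
    return findings

def build_fixture():
    """Constructed bindir: clean top/curl, a wrapper-script ps beside ps.original, wget missing."""
    d = tempfile.mkdtemp()
    files = {
        "top": ELF_MAGIC + b"\x02\x01\x01",
        "curl": ELF_MAGIC + b"\x02\x01\x01",
        "ps.original": ELF_MAGIC + b"\x02\x01\x01",
        "ps": b'#!/bin/sh\nexec "$(dirname "$0")/ps.original" "$@"\n',
    }
    for fname, data in files.items():
        with open(os.path.join(d, fname), "wb") as fh:
            fh.write(data)
    return d
```

On a real host run `audit_binaries("/usr/bin")` and pair the result with your package manager's verification (for example `dpkg --verify` or `rpm -V`) to confirm the file contents against the distribution's records.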

Final Takeaway

These campaigns highlight how cybercrime is evolving from brute-force exploitation to stealthy, persistent monetization strategies. From GeoServer exploits and IoT botnets to Redis cryptojacking, attackers are diversifying their methods while focusing on sustainability and evasion, making detection and response increasingly difficult.