{
	"id": "a002aa0b-312d-4ee4-b94e-9ab49ee95765",
	"created_at": "2026-04-06T00:14:36.54906Z",
	"updated_at": "2026-04-10T13:12:08.294243Z",
	"deleted_at": null,
	"sha1_hash": "2c721fda9600a26a6d02e79f93dd3d4637271433",
	"title": "Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401 | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4929731,
	"plain_text": "Threat Actors Exploit GeoServer Vulnerability CVE-2024-36401 | FortiGuard Labs\r\nPublished: 2024-09-05 · Archived: 2026-04-02 12:25:37 UTC\r\nAffected Platforms: GeoServer prior to versions 2.23.6, 2.24.4, and 2.25.2\r\nImpacted Users: Any organization\r\nImpact: Remote attackers gain control of the vulnerable systems\r\nSeverity Level: Critical\r\nGeoServer is an open-source software server written in Java that allows users to share and edit geospatial data. It is the reference implementation of the Open Geospatial Consortium (OGC) Web Feature Service (WFS) and Web Coverage Service (WCS) standards. On July 1, the project maintainers released an advisory for the vulnerability CVE-2024-36401 (CVSS score: 9.8). Multiple OGC request parameters allow remote code execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation, because property names are unsafely evaluated as XPath expressions. The shortcoming has been addressed in versions 2.23.6, 2.24.4, and 2.25.2.\r\nOn July 15, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this critical security flaw impacting OSGeo GeoServer GeoTools to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation.\r\nFortiGuard Labs added an IPS signature the next day and has since observed multiple campaigns targeting this vulnerability to spread malware. Botnet families and miner groups launched attacks immediately.
We also collected SideWalk backdoors and GOREVERSE, both of which exploit this vulnerability and set up a connection with a command and control (C2) server to execute malicious actions.\r\nOverview\r\nIn this article, we explore the details of the payloads and malware.\r\nGOREVERSE\r\nFigure 1: Attack packet\r\nThe payload retrieves a script from “hxxp://181[.]214[.]58[.]14:61231/remote.sh.” The script first checks the victim’s operating system and architecture to download the appropriate file, which it saves as “download_file.” It accommodates various OS types, including Linux, FreeBSD, Illumos, NetBSD, OpenBSD, and Solaris. After execution, it deletes the file to remove traces of its activity.\r\nhttps://www.fortinet.com/blog/threat-research/threat-actors-exploit-geoserver-vulnerability-cve-2024-36401\r\nPage 1 of 26\r\nFigure 2: Script file “remote.sh”\r\nThe final executable is “GOREVERSE,” packed with UPX. GOREVERSE is a malicious tool that often functions as a reverse proxy server, allowing attackers to illicitly access target systems or data.\r\nFigure 3: GOREVERSE\r\nOnce executed, it connects to a specific IP address (181[.]214[.]58[.]14) and port (18201), which is not a standard SSH port.\r\nFigure 4: GOREVERSE’s log\r\nFrom the exploitation packets for CVE-2024-36401, we observed threat actors attempting to access IT service providers in India, technology companies in the U.S., government entities in Belgium, and telecommunications companies in Thailand and Brazil.\r\nSideWalk\r\nFigure 5: Attack packet\r\nThe attacker fetches the script from “hxxp://1[.]download765[.]online/d.” This batch file facilitates the download of the execution files.
All the ELF files on the remote server, known as the “SideWalk” malware, are built for the ARM, MIPS, and x86 architectures. SideWalk is a sophisticated Linux backdoor that is often linked to the hacking group APT41.\r\nFigure 6: Script file “d”\r\nFirst, SideWalk creates a folder named with a randomly generated string in the TMP directory. It then decodes two library files, libc.so.0 and ld-uClibc.so.1, along with the next-stage payload, using the XOR key 0xCC. The decoded files are stored in the previously created folder under the TMP path.\r\nFigure 7: Creating the folder and files\r\nFigure 8: XOR decoded with 0xCC\r\nFigure 9: Saved decoded files\r\nIt also uses XOR with the key 0x89 to decode its string data.\r\nFigure 10: XOR decoded with 0x89\r\nIt then executes the next-stage payload, “ych7s5vvbb669ab8a,” which has three main functions:\r\n1. Decrypt configuration: The configuration is decrypted using the ChaCha20 algorithm. The binary input contains a 16-byte MD5 hash, a 12-byte nonce for ChaCha20 decryption, and a 4-byte field holding the length of the ciphertext, followed by the ciphertext itself. Based on the assembly code, the decryption key is hard-coded as “W9gNRmdFjxwKQosBYhkYbukO2ejZev4m,” and the decryption process runs 15 rounds (0xF).
After successful decryption, the extracted C2 is secure[.]systemupdatecdn[.]de (47[.]253[.]46[.]11), listening on port 80, with the mutex name “hfdmzbtu.”\r\nFigure 11: Decrypted configuration with ChaCha20\r\nFigure 12: Encrypted binary\r\nFigure 13: Decrypted configuration\r\n2. Establish C2 communication: Communication with the C2 server is established over an encrypted session, also based on the ChaCha20 algorithm. The packet structure comprises a 4-byte packet length, a 12-byte nonce for ChaCha20 decryption, 20 bytes of message metadata, and the ciphertext. The initial exchange includes keys (v-key and s-key) for subsequent message encryption. In the early packets, the original key, “W9gNRmdFjxwKQosBYhkYbukO2ejZev4m,” decrypts the message metadata, while the exchanged keys (v-key and s-key) decrypt the ciphertext. In packet 5, the victim’s information (computer name, operating system, and system time) is transmitted.\r\nFigure 14: Packet capture of the C2 connection\r\nFigure 15: C2 communication\r\n3. Execute the command issued by C2: In this attack scenario, we found a plugin named Fast Reverse Proxy (FRP). FRP is a legitimate and widely used tool that complicates the detection of malicious network traffic by blending it with normal traffic, thereby enhancing the stealthiness of cyberattacks. Because it is open source, this tool has been leveraged in the past by several threat actors, such as Magic Hound, Fox Kitten, and Volt Typhoon. Using FRP, attackers create an encrypted tunnel from an internally compromised machine to an external server under their control.
This method enables them to maintain a foothold within compromised environments, exfiltrate sensitive data, deploy further malicious payloads, or execute other operations. In this case, SideWalk also downloads a customized configuration file that directs the connection to a remote server (47[.]253[.]83[.]86) via port 443, further enhancing the attacker's control and persistence.\r\nFigure 16: FRP's configuration\r\nFigure 17: Packet capture of FRP\r\nAnalysis of the script download URL's telemetry reveals a concentrated pattern of infections. The primary targets appear to be distributed across three main regions: South America, Europe, and Asia. This geographical spread suggests a sophisticated and far-reaching attack campaign, potentially exploiting vulnerabilities common to these diverse markets or targeting specific industries prevalent in these areas.\r\nFigure 18: Telemetry\r\nMirai Variant - JenX\r\nFigure 19: Attack packet\r\nThis script downloads and executes a file named “sky” from the URL “hxxp://188[.]214[.]27[.]50:4782.” It changes the file's permissions to make it executable, runs it with the parameter “geo,” and then deletes the file.\r\nFigure 20: XOR decoded function\r\nThe configuration data is extracted by XORing the file contents with 0x3A.
This enabled us to find information such as “bots[.]gxz[.]me,” the C2 server the malware attempts to connect to.\r\nFigure 21: Decoded configuration data\r\nWhen the malware executes, a string is displayed.\r\nFigure 22: Execution message\r\nThis malware has a credential list for brute-force attacks and a hard-coded payload for the Huawei router vulnerability CVE-2017-17215. The payload attempts to download malware from 59[.]59[.]59[.]59.\r\nFigure 23: Hard-coded payload\r\nCondi\r\nThe attacker first terminates several processes (mpsl, mipsel, bash.mpsl, mips, x86_64, x86), then downloads and executes multiple bot binaries for different CPU architectures (such as ARM, MIPS, PPC, x86, M68K, SH4, and MPSL) from a remote server, “hxxp://209[.]146[.]124[.]181:8030.” The binaries are fetched using wget, saved in the /tmp directory, made executable (chmod 777), and executed.\r\nFigure 24: Attack packet\r\nThe following section uses “bot.arm7” as an example. The malware can be recognized by the distinctive string “condi.”\r\nFigure 25: Significant string\r\nExecuting the malware sends numerous DNS queries to “trcpay[.]xyz.”\r\nFigure 26: Continually connecting to the C2 server\r\nThe Condi botnet first tries to resolve the C2 server address and its function. It then establishes a connection with the C2 server and waits to parse commands.
The malware has numerous DDoS attack methods, such as TCP flooding, UDP flooding, and a VSE DDoS attack.\r\nIn tracing the connection back to the remote server, “hxxp://209[.]146[.]124[.]181:8030,” we found that it was built as an HFS (HTTP File Server) and that two malicious tools—“Linux2.4” (another botnet) and “taskhost.exe” (the agent tool)—are hosted on the server.\r\nThe botnet “Linux2.4” not only has different methods for triggering a DDoS attack but can also act as a backdoor agent. The tool first connects to a server, which is the same as the remote server “209[.]146[.]124[.]181.” It then gathers host information. Later, it waits for a command to either conduct remote command execution or trigger a DDoS attack.\r\nFigure 27: DDoS attack methods\r\nThe backdoor malware “taskhost.exe” is designed specifically for Windows. It creates a service named “9jzf5” for persistence and then creates different process types to retrieve information from attackers lurking in the host.\r\nFigure 28: Creating a service with the name “9jzf5”\r\nFigure 29: Command execution\r\nCoinMiner\r\nWe found four types of coin miner incidents that can be delivered to victim hosts, described in the following details.\r\n[1]\r\nFigure 30: Attack packet\r\nThe attacker downloads a script from the remote URL “hxxp://oss[.]17ww[.]vip/21929e87-85ff-4e98-a837-ae0079c9c860[.]txt/test.sh” and saves it as script.sh in the temp folder.
The payload within the incident packets then modifies and executes the script to achieve various purposes.\r\nFigure 31: Script file “test.sh”\r\nThe script first gathers host information, such as the location of Aegis and the Linux distribution version. Afterward, it attempts to uninstall the agents of different cloud platforms, such as Tencent Cloud, Oracle, Kingsoft Cloud, JD Cloud, and Ali Cloud, to evade monitoring by those cloud services. Notably, the comments in the script are written in simplified Chinese, indicating that the miner campaign/author may be affiliated with a Chinese group. After finishing these uninstalls, the script kills some security defense processes and checks whether the current user has the root privilege needed to uninstall those mechanisms. If everything executes successfully, the script downloads the coin miner and creates another script for persistence.\r\nFigure 32: Download and persistence within “test.sh”\r\nThe coin miner, named “sshd,” embeds its configuration within itself. The miner points to two target pools: “sdfasdfsf[.]9527527[.]xyz:3333” and “gsdasdfadfs[.]9527527[.]xyz:3333.”\r\nFigure 33: Coin miner configuration\r\n[2]\r\nFigure 34: Attack packet\r\nAnother type of coin miner attack begins with a Base64-encoded command.
It intends to download “linux.sh” from “hxxp://repositorylinux.com.” The comments in “linux.sh” are written in Sundanese, an Indonesian language.\r\nFigure 35: Script file “linux.sh”\r\nThe script downloads two files: a coin miner named “linuxsys” and a related configuration file named “config.json.” It downloads these from an AWS (Amazon Web Services) cloud platform instance the attacker holds.\r\nFigure 36: Config file “config.json”\r\nThe coin miner sets the pool URL “pool[.]supportxmr[.]com:80” with credentials from “config.json.” The miner itself is XMRig, which can be recognized through its data.\r\nFigure 37: Coin miner “linuxsys”\r\n[3]\r\nFigure 38: Attack packet\r\nThe action sent via four packets is to download “/tmp/MmkfszDi” from the remote server “hxxp://95[.]85[.]93[.]196:80/asdfakjg.sh,” make it executable, and then run it. The script downloads a coin miner like the others mentioned before. It also removes a list of files within “/tmp,” “/var,” “/usr,” and “/opt.”\r\nFigure 39: Script file “asdfakjg.sh”\r\nThe coin miner named “h4” is similar to the other two types mentioned. It is XMRig as well and embeds its configuration within the binary file. The miner sets the pool URL as “asdfghjk[.]youdontcare[.]com:81”\r\nFigure 40: Configuration data embedded in “h4”\r\n[4]\r\nFigure 41: Attack packet\r\nThe last type of coin miner incident command is also Base64-encoded.
It downloads “cron.sh” from “112[.]133[.]194[.]254.” This fraudulent site mimics the webpage of the Institute of Chartered Accountants of India (ICAI). The site has since been removed.\r\nFigure 42: Fraudulent site\r\n“cron.sh” uses the Unix-like operating system's job scheduler, “cron,” as its name indicates. The script schedules jobs such as downloading coin miner-related scripts and adding them to “crontab.” It first downloads the script named “check.sh” from the same source IP, “112[.]133[.]194[.]254,” and executes it.\r\nFigure 43: Script file “cron.sh”\r\n“check.sh” first creates the necessary directories and confirms that the victim host hasn’t already been infected. Once the script finds that this is the host's first infection, it downloads “config.sh” from the attacker’s IP “112[.]133[.]194[.]254” and the XMRig coin miner from the developer platform GitHub.\r\nFigure 44: Script file “check.sh”\r\nThrough “config.sh,” we learned that the attacker set the pool on SupportXMR: “pool[.]supportxmr[.]com:3333”\r\nFigure 45: Script file “config.sh”\r\nConclusion\r\nWhile GeoServer’s open-source nature offers flexibility and customization, it also necessitates vigilant security practices to address its vulnerabilities. The developers patched the vulnerability by using the function “JXPathUtils.newSafeContext” instead of the original vulnerable one, so that XPath expressions are evaluated safely. However, implementing comprehensive cybersecurity measures—such as regularly updating software, employing threat detection tools, and enforcing strict access controls—can significantly mitigate these risks.
By proactively addressing these threats, organizations can secure their environments and ensure the protection and reliability of their data infrastructure.\r\nFortinet Protection\r\nThe malware described in this report is detected and blocked by FortiGuard Antivirus as:\r\nAdware/Miner\r\nBASH/Agent.CPC!tr\r\nBASH/Miner.VZ!tr\r\nData/Miner.2F82!tr\r\nData/Miner.3792!tr\r\nELF/Agent.CPN!tr\r\nELF/Agent.CPN.TR\r\nELF/BitCoinMiner.HF!tr\r\nELF/Flooder.B!tr\r\nLinux/CoinMiner.ACZ!tr\r\nLinux/Mirai.CEA!tr\r\nLinux/Mirai.CJS!tr\r\nLinux/Mirai.IZ1H9!tr\r\nLinux/SideWalk.Q!tr\r\nRiskware/CoinMiner\r\nW32/ServStart.IO!tr\r\nFortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. As a result, customers who have these products with up-to-date protections are protected.\r\nThe FortiGuard Web Filtering Service blocks the C2 servers and download URLs.\r\nFortiGuard Labs provides IPS signatures against attacks exploiting the following vulnerability:\r\nCVE-2024-36401: GeoServer.OGC.Eval.Remote.Code.Execution\r\nWe also suggest that organizations go through Fortinet’s free training module: Fortinet Certified Fundamentals (FCF) in Cybersecurity.
This module is designed to help end users learn how to identify and protect themselves from phishing attacks.\r\nThe FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.\r\nIoC\r\nSource: https://www.fortinet.com/blog/threat-research/threat-actors-exploit-geoserver-vulnerability-cve-2024-36401",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/threat-actors-exploit-geoserver-vulnerability-cve-2024-36401"
	],
	"report_names": [
		"threat-actors-exploit-geoserver-vulnerability-cve-2024-36401"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2c348851-5036-406b-b2d1-1ca47cfc7523",
			"created_at": "2022-10-25T16:07:24.039861Z",
			"updated_at": "2026-04-10T02:00:04.847961Z",
			"deleted_at": null,
			"main_name": "Parisite",
			"aliases": [
				"Cobalt Foxglove",
				"Fox Kitten",
				"G0117",
				"Lemon Sandstorm",
				"Parisite",
				"Pioneer Kitten",
				"Rubidium",
				"UNC757"
			],
			"source_name": "ETDA:Parisite",
			"tools": [
				"Cobalt",
				"FRP",
				"Fast Reverse Proxy",
				"Invoke the Hash",
				"JuicyPotato",
				"Ngrok",
				"POWSSHNET",
				"Pay2Key",
				"Plink",
				"Port.exe",
				"PuTTY Link",
				"SSHMinion",
				"STSRCheck",
				"Serveo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99c7aace-96b1-445b-87e7-d8bdd01d5e03",
			"created_at": "2025-08-07T02:03:24.746965Z",
			"updated_at": "2026-04-10T02:00:03.640335Z",
			"deleted_at": null,
			"main_name": "COBALT ILLUSION",
			"aliases": [
				"APT35 ",
				"APT42 ",
				"Agent Serpens Palo Alto",
				"Charming Kitten ",
				"CharmingCypress ",
				"Educated Manticore Checkpoint",
				"ITG18 ",
				"Magic Hound ",
				"Mint Sandstorm sub-group ",
				"NewsBeef ",
				"Newscaster ",
				"PHOSPHORUS sub-group ",
				"TA453 ",
				"UNC788 ",
				"Yellow Garuda "
			],
			"source_name": "Secureworks:COBALT ILLUSION",
			"tools": [
				"Browser Exploitation Framework (BeEF)",
				"MagicHound Toolset",
				"PupyRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e698860d-57e8-4780-b7c3-41e5a8314ec0",
			"created_at": "2022-10-25T15:50:23.287929Z",
			"updated_at": "2026-04-10T02:00:05.329769Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"APT41",
				"Wicked Panda",
				"Brass Typhoon",
				"BARIUM"
			],
			"source_name": "MITRE:APT41",
			"tools": [
				"ASPXSpy",
				"BITSAdmin",
				"PlugX",
				"Impacket",
				"gh0st RAT",
				"netstat",
				"PowerSploit",
				"ZxShell",
				"KEYPLUG",
				"LightSpy",
				"ipconfig",
				"sqlmap",
				"China Chopper",
				"ShadowPad",
				"MESSAGETAP",
				"Mimikatz",
				"certutil",
				"njRAT",
				"Cobalt Strike",
				"pwdump",
				"BLACKCOFFEE",
				"MOPSLED",
				"ROCKBOOT",
				"dsquery",
				"Winnti for Linux",
				"DUSTTRAP",
				"Derusbi",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6e3ba400-aee3-4ef3-8fbc-ec07fdbee46c",
			"created_at": "2025-08-07T02:03:24.731268Z",
			"updated_at": "2026-04-10T02:00:03.651425Z",
			"deleted_at": null,
			"main_name": "COBALT FOXGLOVE",
			"aliases": [
				"Fox Kitten ",
				"Lemon Sandstorm ",
				"Parisite ",
				"Pioneer Kitten ",
				"RUBIDIUM ",
				"UNC757 "
			],
			"source_name": "Secureworks:COBALT FOXGLOVE",
			"tools": [
				"Chisel",
				"FRP (Fast Reverse Proxy)",
				"Mimikatz",
				"Ngrok",
				"POWSSHNET",
				"STSRCheck",
				"Servo",
				"n3tw0rm ransomware",
				"pay2key ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "871acc40-6cbf-4c81-8b40-7f783616afbc",
			"created_at": "2023-01-06T13:46:39.156237Z",
			"updated_at": "2026-04-10T02:00:03.232876Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"UNC757",
				"Lemon Sandstorm",
				"RUBIDIUM",
				"PIONEER KITTEN",
				"PARISITE"
			],
			"source_name": "MISPGALAXY:Fox Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d070e12b-e1ce-4d8d-b5e3-bc71960cc0cb",
			"created_at": "2022-10-25T15:50:23.676504Z",
			"updated_at": "2026-04-10T02:00:05.260839Z",
			"deleted_at": null,
			"main_name": "Fox Kitten",
			"aliases": [
				"Fox Kitten",
				"UNC757",
				"Parisite",
				"Pioneer Kitten",
				"RUBIDIUM",
				"Lemon Sandstorm"
			],
			"source_name": "MITRE:Fox Kitten",
			"tools": [
				"China Chopper",
				"Pay2Key",
				"ngrok",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434476,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2c721fda9600a26a6d02e79f93dd3d4637271433.pdf",
		"text": "https://archive.orkl.eu/2c721fda9600a26a6d02e79f93dd3d4637271433.txt",
		"img": "https://archive.orkl.eu/2c721fda9600a26a6d02e79f93dd3d4637271433.jpg"
	}
}