{
	"id": "80ba1b3a-cad2-40bf-a123-24dc919f0e48",
	"created_at": "2026-04-06T02:13:07.188707Z",
	"updated_at": "2026-04-10T03:30:57.882032Z",
	"deleted_at": null,
	"sha1_hash": "e78fa5bff9c6831544f19992cc3f1c632b7e5866",
	"title": "Proxyjacking has Entered the Chat",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1644626,
	"plain_text": "Proxyjacking has Entered the Chat\r\nBy Crystal Morin\r\nPublished: 2023-04-04 · Archived: 2026-04-06 01:54:41 UTC\r\nhttps://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/\r\nPage 1 of 9\n\nDid you know that you can effortlessly make a small passive income by simply letting an application run on your\r\nhome computers and mobile phones? It lets others (who pay a fee to a proxy service provider) borrow your\r\nInternet Protocol (IP) address for things like watching a YouTube video that isn't available in their region,\r\nconducting unrestricted web scraping and surfing, or browsing dubious websites without attributing the activity to\r\ntheir own IP. As with anything of value, malicious actors can take advantage. In this situation, they can sell bandwidth on\r\nyour behalf – unbeknownst to you – to make as much as $10 per month for each compromised device, while\r\nexposing you to additional costs and risks.\r\nSysdig's Threat Research Team (TRT) has detected a new attack, dubbed proxyjacking, that leveraged the Log4j\r\nvulnerability for initial access. The attacker then sold the victim's IP addresses to proxyware services for profit.\r\nWhile Log4j attacks are common, the payload used in this case was rare. Instead of the typical cryptojacking or\r\nbackdoor payload, we witnessed the attacker installing an agent that turned the compromised account into a proxy\r\nserver, allowing the attacker to sell the IP to a proxyware service and collect the profit.\r\nWhat is proxyjacking?\r\nProxyjacking is a new phenomenon brought on by the growth and use of proxyware services in the last couple of\r\nyears. 
A proxyware service is a totally legitimate and nonmalicious application or software that you can install on\r\nyour internet-connected devices. When you run it, you share your internet bandwidth with others who pay to use\r\nyour IP address. These services, such as IPRoyal, Honeygain, Peer2Profit, and others, pay for each IP address you\r\nshare, based on the number of hours you run the application.\r\nThese services have been used in adware attacks previously reported by Cisco Talos Intelligence Group and\r\nAhnLab Security Emergency response Center (ASEC). Proxyware services enable users to make money by\r\nsharing their internet connection with others. As Cisco Talos explained in their blog post, attackers are\r\n\"leveraging these platforms to monetize the internet bandwidth of victims, similar to how malicious\r\ncryptocurrency mining attempts to monetize the CPU cycles of infected systems.\"\r\nIPRoyal defines itself as a global proxy network that claims \"100% ethically sourced IPs,\" presumably meaning\r\nthat they will not buy and sell IPs that may have been stolen or falsified through the use of virtual machines. We\r\ncan assume that this also means they have some sort of vetting process in place to ensure that nobody is getting\r\nproxyjacked. IPRoyal's proxy network includes IPs being shared via the proxyware service pawns.app. The Sysdig\r\nTRT found this ethics claim hard to believe based on the captured honeypot attack, and decided to put it and other\r\nproxyware services to the test to see if proxyjacking really could be a means of income for malicious actors.\r\nThe earning potential of proxyjacking\r\nOn a broad scale, this campaign could provide lucrative income for the attacker. According to the pawns.app profit\r\nscale, 24 hours of activity for one IP address will net $9.60 per month. 
While Pawns will conduct checks to ensure\r\nthat the user is not selling a cloud instance like EC2, Peer2Profit does not have the same restrictions.\r\nImage from pawns.app\r\nAs mentioned, the attacker obtained initial access via exploitation of a Log4j vulnerability. Millions of systems are\r\nstill running vulnerable versions of Log4j, and according to Censys, more than 23,000 of those are reachable from\r\nthe internet. Log4j is not the only attack vector for deploying proxyjacking malware, but this vulnerability alone\r\ncould theoretically provide more than $220,000 in profit per month. More conservatively, a modest compromise\r\nof 100 IPs will net a passive income of nearly $1,000 per month.\r\nImage from censys.io\r\nWhile Pawns and IPRoyal have restrictions regarding the types of IPs they will purchase and share, other\r\nproxyware services, such as Peer2Profit, do not. We found that the Pawns application does not function properly\r\non an EC2 or OVHCloud IP, as they restrict the client to IP addresses classified as residential. We believe Pawns is\r\nusing a service like ip2location[.]com to make the classification when a new agent attempts to register. This could\r\nbe benevolent, but it's more likely because residential IP addresses are considered more trustworthy (and\r\ndesirable) than cloud virtual private servers.\r\nThe Sysdig TRT did confirm that Peer2Profit will run on a server/data center IP, such as AWS EC2. This is\r\ndetailed in the FAQs on their website, as is a confirmation that their software also works on virtual machines.\r\nThey even provide a Docker container to enable effortless execution. 
The Peer2Profit agent has also been\r\ncompiled to run on ARM systems, and the company offers examples of running on systems like Raspberry Pi.\r\nSeveral of these proxyware services also market the availability of mobile proxy servers and have Android\r\napplications on the marketplace.\r\nCryptomining vs. proxyjacking\r\nCryptojacking is the unauthorized use of a computer or device to mine cryptocurrency. In its most common form,\r\nattackers install CPU-based miners in order to extract maximum value from compromised systems (which very\r\nrarely have graphics processing units [GPUs] attached, making the more common GPU-based miners obsolete).\r\nProxyjacking, as defined in this post, is a foil to cryptojacking, in that it mainly aims to make use of network\r\nresources, leaving a minimal CPU footprint.\r\nBoth cryptojacking and proxyjacking can net an attacker about the same amount of money monthly –\r\nproxyjacking might even be more profitable at current cryptoexchange rates and proxyware payouts. However,\r\nnearly every piece of monitoring software will have CPU usage as one of the first (and rightfully most important)\r\nmetrics. Proxyjacking's effect on the system is marginal: 1 GB of network traffic spread out over a month is tens\r\nof megabytes per day – very likely to go unnoticed.\r\nKnown attack vectors\r\nIn the proxyjacking attack that the Sysdig TRT discovered, an attacker targeted Kubernetes infrastructure,\r\nspecifically an unpatched Apache Solr service, in order to take control of the container and proceed with their\r\nactivities. Let's dig deeper into each step of the captured attack.\r\nInitial access (CVE-2021-44228) and execution\r\nThe attacker obtained initial access into a container exploiting the infamous Log4j vulnerability (CVE-2021-\r\n44228) present in an Apache Solr application. 
As we all know, there are a lot of public exploits for this\r\nvulnerability to remotely execute code inside the victim machine. The attacker executed the command below so\r\nthey could download a malicious script from the attacker command and control and place it in the /tmp folder,\r\na location where they had the privileges needed to perform the action.\r\nBelow is the script executed, along with the command executed by the attacker in the compromised pod.\r\nThe attacker's first execution was downloading an ELF file renamed /tmp/p32 , which was then executed with\r\nsome parameters, including the email address magyber1980@gmail[.]com and the associated password for their\r\npawns.app account.\r\nDuring analysis of the binary downloaded and executed in the reported malicious script, the Sysdig TRT\r\ncorrelated it to the command-line interface version of the IPRoyal Pawns application from GitHub, which uses the\r\nsame parameters in input.\r\nFrom this point on, the attacker reached the main goal of earning money from the compromised pod. Quite easy,\r\nisn't it?\r\nDefense evasion and persistence\r\nOnce the attacker ran the malicious binary and started to raise money, they executed commands to evade detection\r\nand achieve persistence.\r\nThey took care to clean the compromised pod by clearing the history and removing the file they dropped in the\r\ncontainers and the temp files. 
Below is a list of the files modified or deleted during the attack.\r\nFile Action\r\n/run/crond.pid Modified\r\n/proc/self/loginuid Modified\r\n/var/spool/cron/crontabs/tmp.WdWUdr Deleted\r\n/tmp/b New\r\n/tmp/tmpfeo2Ew4 Deleted\r\n/tmp/c New\r\n/var/spool/cron/crontabs/tmp.4YwEf2 Deleted\r\n/tmp/p32 New\r\n/var/spool/cron/crontabs/root New\r\n/run/crond.reboot Modified\r\nAfter covering their tracks, the attacker performed persistent actions inside the compromised pod. As often\r\nhappens, the attacker used crontab to schedule the download and execution command of the script previously\r\nmentioned. In this way, the command was executed every 10 minutes; if something happened or the process was\r\nkilled, it would automatically restart the execution.\r\nContainer supply chain\r\nAs we know, containers are a great way to easily ship and deploy code in our infrastructure. Attackers can also use\r\ncontainers to their advantage to deploy malicious code in compromised environments in order to earn money and\r\nachieve their goal.\r\nServices like DockerHub provide access to public open source image repositories, and each user can create their\r\nown private repositories to store personal images. As pointed out in our 2022 Threat Report, DockerHub is also\r\nused by attackers, hoping users will download and run those images on their infrastructure. The malware installed\r\ncan be anything from cryptominers to backdoors to tools that will automatically exfiltrate data.\r\nOne of the threats we saw in our proxyjacking research was the use of proxyware services inside container\r\nimages. These are some of the DockerHub images we uncovered with either a large amount of downloads or\r\nobfuscated image names. 
This is not an extensive list, as additional images may be disguised.\r\nImage Name Downloads\r\nenwaiax/peer2profit \u003e500,000\r\nfazalfarhan01/peer2profit:latest \u003e10 million\r\npeer2profit/peer2profit_linux \u003e100,000\r\njujudna/peer2profit 3,700\r\ngqkkk/p2p 358\r\nenwaiax/phpcoin-miner 220\r\ncomputeofficial/pawnsapp 346\r\nImpact\r\nA proxyjacking attack may be underestimated as nuisance malware rather than a serious threat, as cryptomining\r\noften is. While this type of attack may not directly result in data destruction or intellectual property theft, both\r\ncould be an indirect result, as we reported in our SCARLETEEL analysis.\r\nA proxyjacking attack could negatively impact an organization in two ways:\r\nFinancial\r\nProxyjacking, much like cryptojacking, will incur financial costs on its victims. In the case of services running on\r\na cloud service provider (CSP), these financial costs could be metered. AWS, for example, charges based on the\r\namount of traffic that gets routed outbound over the internet. Proxyjacked IP traffic comes both inbound and\r\noutbound for every instance on which the agent is running. The agent will also consume CPU and memory, which\r\nwill further increase costs for the victim.\r\nBecause each CSP has a different billing method, it is important to understand how you might be affected in such\r\nan incident. While CSPs have been known to forgive charges incurred by malware, there is no guarantee that they\r\nwill continue this practice moving forward. This attack, especially if widespread throughout your infrastructure,\r\ncould result in a significant financial burden.\r\nReputation/Legal\r\nThere is no guarantee that if you knowingly or unknowingly sell your internet bandwidth to a proxyware service,\r\nit will not be used in malicious or illegal activities. 
An actor can just as easily purchase and use your shared\r\ninternet in an attack. Many malicious attackers use proxies to obfuscate their command and control activities and\r\nidentifying information. According to Vista Criminal Law, an IP address is often the starting point for an\r\ninvestigation, and the primary owner or user of the IP is usually not involved in the illegal activity. With the\r\nobfuscation provided by the proxyware service, the attack now appears to originate from your network; you and\r\nyour network are now potentially wrapped up in law enforcement investigations.\r\nConclusion\r\nThis is a low-effort and high-reward attack for threat actors, with the potential for far-reaching implications. The\r\nlist of proxyware services reported as being used for proxyjacking is small right now, but in due time, attackers\r\nwill find a way and defenders will uncover more nefarious activities. The Sysdig TRT recommends setting up\r\nbilling limits and alerts with your CSP to avoid receiving potentially shocking usage bills. You should also have\r\nthreat detection rules in place to receive alerts on any initial access and payload activity preceding the installation\r\nof a proxyware service application on your network.\r\n____\r\nIOCs\r\nIPs:\r\n185[.]224[.]128[.]251\r\n23[.]88[.]73[.]143\r\n51[.]81[.]155[.]182\r\nFilename MD5 Hash\r\np32 6927833415c4879728707574c0849bfc\r\nb f10861ea968770effbd61cda573b6ff8\r\nc f10861ea968770effbd61cda573b6ff8\r\nFor additional IoCs associated with this campaign, please visit our GitHub page.\r\nSource: https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/"
	],
	"report_names": [
		"proxyjacking-attackers-log4j-exploited"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c220fe19-ef23-4166-ac54-7a32c3ea75d7",
			"created_at": "2023-11-10T02:00:07.503009Z",
			"updated_at": "2026-04-10T02:00:03.437555Z",
			"deleted_at": null,
			"main_name": "SCARLETEEL",
			"aliases": [],
			"source_name": "MISPGALAXY:SCARLETEEL",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775441587,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e78fa5bff9c6831544f19992cc3f1c632b7e5866.pdf",
		"text": "https://archive.orkl.eu/e78fa5bff9c6831544f19992cc3f1c632b7e5866.txt",
		"img": "https://archive.orkl.eu/e78fa5bff9c6831544f19992cc3f1c632b7e5866.jpg"
	}
}