New Botnet Era: PolarEdge, GeoServer Exploits, and Gayfemboy Malware
ORB-style relay networks, SDK-based bandwidth theft, and Mirai spin-offs fuel a new wave of silent monetization and stealthy ops
Attackers are chaining a critical GeoServer RCE with novel monetization tactics and ORB-like botnets to quietly profit and persist. New research details SDK-based bandwidth resale on compromised GeoServer hosts, a ballooning PolarEdge ORB built on edge devices, and a resurfaced Mirai variant dubbed “Gayfemboy” hitting routers and gateways worldwide.
Cybercriminals are pushing beyond smash-and-grab botnets, stitching together stealth monetization and covert relay infrastructure: Unit 42 warns of GeoServer systems hijacked to run “passive-income” SDKs that sell victims’ bandwidth, while researchers say the PolarEdge botnet now resembles an Operational Relay Box (ORB) network across tens of thousands of edge devices. Meanwhile, Fortinet tracked a renewed global surge of the Mirai-based “Gayfemboy” malware exploiting SOHO and enterprise gear.
What’s New
- GeoServer RCE monetized, not mined. A campaign exploits CVE-2024-36401 (CVSS 9.8) in OSGeo GeoServer/GeoTools to quietly deploy legitimate-looking SDKs and apps that resell the host’s bandwidth via residential-proxy services—no miner needed, minimal CPU, long dwell time. Unit 42 observed internet-wide probing since March 2025 and over 7,100 exposed GeoServers across 99 countries.
- PolarEdge balloons into an ORB. Censys and prior Sekoia work describe PolarEdge, a TLS-backdoored botnet abusing Cisco/ASUS/QNAP/Synology and other edge devices since mid-2023. Recent tallies show ~40,000 active devices, heavily concentrated in South Korea and the U.S., behaving like an Operational Relay Box network rather than a typical DDoS herd.
- ‘Gayfemboy’ returns with broader exploits. Fortinet details a Mirai-lineage campaign (“Gayfemboy”) adding fresh N-days against DrayTek, TP-Link, Raisecom and Cisco to regain footholds and stage DDoS capability, with targets spanning manufacturing, tech and media across multiple regions.
“Criminals have used the vulnerability to deploy legitimate software development kits (SDKs) … to gain passive income via network sharing or residential proxies.” — Unit 42, Palo Alto Networks.
“ORBs are compromised exit nodes that forward traffic … while the device continues to operate normally, making detection … unlikely.” — Himaja Motheram, Censys (quoted by The Hacker News).
“While Gayfemboy inherits structural elements from Mirai, it introduces notable modifications that enhance both its complexity and ability to evade detection.” — Vincent Li, Fortinet.
“Defenders must treat exposed GeoServer and orphaned edge gear as high-risk egress points. Patch fast, kill default services, and watch for quiet bandwidth drains and high, odd-port TLS beacons—these are today’s telltales of ORB-style operations.” — El Mostafa Ouchen, cybersecurity author and analyst.
Technical Analysis
1) GeoServer CVE-2024-36401 attack chain
- Vuln: Unsafe evaluation of property names as XPath (via GeoTools → Apache Commons JXPath) enables unauthenticated RCE across WFS/WMS/WPS request paths. Fixed in 2.22.6 / 2.23.6 / 2.24.4 / 2.25.2; workaround removes gt-complex-*.jar.
- Observed TTPs (Unit 42):
  - Initial access: Crafted WFS/WMS payloads (e.g., GetPropertyValue) to execute Runtime.exec() on target.
  - Staging: Payloads fetched from attacker-hosted transfer.sh instances; executables written in Dart interact with legit bandwidth-sharing services.
  - Objective: Stealth monetization via residential proxy SDKs; minimal resource use, long persistence.
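An added detection example (not Unit 42's code or part of the original article): it scans constructed web-server access-log lines for GeoServer WFS KVP requests whose XPath-evaluated property parameters carry function-call syntax or a Java class name, the request shape the section above describes for CVE-2024-36401 abuse. The log format, addresses, parameter list and indicator regex are assumptions; POST XML bodies are not visible in access logs and need proxy or WAF body logging.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Common/combined access-log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# KVP parameters that GeoServer/GeoTools evaluated as XPath (CVE-2024-36401). Names are
# compared lowercased because OGC KVP parameter names are case-insensitive.
XPATH_PARAMS = {"valuereference", "propertyname"}

# A legitimate property reference is an attribute path such as topp:states/the_geom;
# parentheses (function-call syntax) or a Java class name do not belong in one.
SUSPICIOUS = re.compile(r"[()]|java\.lang", re.IGNORECASE)

# Constructed sample lines (assumed format, not real traffic). Only the second is hostile.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Aug/2025:12:00:01 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0'
    '&request=GetFeature&typeNames=topp:states&propertyName=STATE_NAME HTTP/1.1" 200 8421 "-" "QGIS/3.34"',
    '203.0.113.5 - - [10/Aug/2025:12:00:09 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0'
    '&request=GetPropertyValue&typeNames=topp:states&valueReference=exec(java.lang.Runtime'
    '%2C%27REDACTED%27) HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    '192.0.2.9 - - [10/Aug/2025:12:01:00 +0000] "GET /index.html HTTP/1.1" 200 100 "-" "curl/8.0"',
]

def flag_geoserver_requests(lines):
    """Return (client_ip, parameter, decoded_value) for GeoServer requests whose
    XPath-evaluated parameters look like code rather than an attribute path.
    Only GET/KVP requests are visible here; POST bodies need body logging."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "/geoserver" not in m.group("path").lower():
            continue
        params = parse_qs(urlsplit(m.group("path")).query, keep_blank_values=True)
        for key, values in params.items():
            if key.lower() not in XPATH_PARAMS:
                continue
            for value in values:
                decoded = unquote(value)  # parse_qs decoded once; unquote again for double-encoding
                if SUSPICIOUS.search(decoded):
                    hits.append((m.group("ip"), key, decoded))
    return hits

if __name__ == "__main__":
    for ip, key, value in flag_geoserver_requests(SAMPLE_LOG):
        print(f"{ip} sent code-like {key}: {value}")
```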
2) PolarEdge ORB characteristics
- Initial footholds: N-days including CVE-2023-20118 on EoL Cisco RV routers; later broadened to ASUS/NAS/IP cameras, with a TLS backdoor (Mbed TLS/PolarSSL) deployed via FTP/scripted droppers (“q”, “t.tar”, “cipher_log”).
- C2 & stealth: Backdoor listens on high, non-standard TCP ports (40k–50k); log cleanup and persistence; ~40,000 active nodes as of Aug. 2025.
- Use case: Operational Relay Box—stable residential/ISP space used to proxy follow-on intrusions and mask origin.
3) ‘Gayfemboy’ Mirai variant
- Exploits & targets: Recent activity against DrayTek, TP-Link, Raisecom, Cisco; multi-arch binaries (ARM/AArch64/MIPS/PPC/x86), anti-analysis (UPX header tweaks), watchdog/monitor/persistence, and DDoS modules over UDP/TCP/ICMP.
MITRE ATT&CK (selected)
- Initial Access: Exploit Public-Facing App (T1190).
- Execution: Command & Scripting Interpreter (T1059); Native API (T1106).
- Persistence: Scheduled Task/Cron (T1053.003).
- Defense Evasion: Modify system utilities / masquerade; Impair defenses (T1562).
- Discovery: Query process/file system (T1082/T1083).
- C2: Application layer over TLS/Web protocols (T1071.001).
- Resource Development/Monetization: T1583.006 (Acquire network infrastructure / proxies), abuse of SDKs for bandwidth resale (campaign-specific).
(Technique IDs mapped from ATT&CK Enterprise matrix; exact subtechniques may vary per host/device.)
Impact & Response
- Who’s affected:
  - GeoServer operators (public-facing instances prior to patched versions).
  - ISPs/enterprises with legacy SOHO routers, NAS, IP cameras, VoIP phones and edge gateways running vulnerable firmware.
  - Sectors: Manufacturing, tech, construction, media/communications; global spread (notably South Korea, U.S., parts of Europe).
- Actions taken / guidance:
  - Patch/mitigate GeoServer immediately to 2.22.6/2.23.6/2.24.4/2.25.2+; if constrained, remove gt-complex-*.jar (functional impact possible).
  - Hunt for SDK monetization artifacts (Dart executables, transfer.sh downloads, suspicious cron entries), anomalous egress/bandwidth spikes, and residential-proxy traffic.
  - Edge device triage: Disable WAN admin, block management ports, update firmware, rotate creds, and monitor for high random ports (40–50k) with TLS beacons tied to Mbed TLS backdoors.
- Regulatory/Legal: Organizations running abused infrastructure risk AUP violations with ISPs, potential data-protection exposure if relayed traffic is linked to attacks, and supply-chain liability where SDKs were embedded without appropriate vetting.
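An added example (not code from Censys, Sekoia or the article) that serves both the PolarEdge C2 characteristics in the Technical Analysis and the edge-device triage guidance above: it walks constructed Zeek-style connection records and reports TLS sessions terminating on a monitored edge device at a 40000–50000 TCP port, marking them beacon-like when the inter-arrival times are regular. The record layout, device list, addresses and thresholds are assumptions.

```python
import statistics
from collections import defaultdict

# Per the reporting above, the PolarEdge backdoor listens on high, non-standard TCP
# ports (40k-50k). The thresholds below are demo assumptions, not published values.
ODD_PORT_RANGE = range(40000, 50001)
MIN_SESSIONS = 3      # need a few samples before calling a cadence "regular"
MAX_JITTER = 0.2      # coefficient of variation of inter-arrival times treated as beacon-like

# Constructed Zeek-style conn records, reduced to the fields used here (assumed layout):
# ts  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  service
SAMPLE_CONN = """\
1700000000.0\t203.0.113.77\t51234\t192.0.2.1\t45231\ttcp\tssl
1700000300.1\t203.0.113.77\t51240\t192.0.2.1\t45231\ttcp\tssl
1700000599.9\t203.0.113.77\t51251\t192.0.2.1\t45231\ttcp\tssl
1700000900.2\t203.0.113.77\t51260\t192.0.2.1\t45231\ttcp\tssl
1700000010.0\t10.0.0.5\t40001\t198.51.100.10\t443\ttcp\tssl
1700000700.0\t10.0.0.5\t40002\t198.51.100.10\t443\ttcp\tssl
1700000955.0\t10.0.0.5\t40003\t198.51.100.10\t443\ttcp\tssl
1700000420.0\t198.51.100.20\t60000\t192.0.2.1\t22\ttcp\tssh
"""

def parse_conn(text):
    rows = []
    for line in text.strip().splitlines():
        ts, orig_h, _orig_p, resp_h, resp_p, proto, service = line.split("\t")
        rows.append({"ts": float(ts), "orig_h": orig_h, "resp_h": resp_h,
                     "resp_p": int(resp_p), "proto": proto, "service": service})
    return rows

def find_odd_port_tls(rows, edge_devices):
    """Report TLS sessions terminating on a monitored edge device at a 40k-50k TCP port,
    grouped per remote peer, with a flag for regular cadence. Only the responder port is
    tested: client ephemeral ports (40001 above) land in the same range and are noise."""
    sessions = defaultdict(list)
    for r in rows:
        if (r["resp_h"] in edge_devices and r["proto"] == "tcp"
                and r["service"] == "ssl" and r["resp_p"] in ODD_PORT_RANGE):
            sessions[(r["resp_h"], r["resp_p"], r["orig_h"])].append(r["ts"])
    findings = []
    for (device, port, peer), stamps in sessions.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        regular = False
        if len(stamps) >= MIN_SESSIONS:
            regular = statistics.mean(gaps) > 0 and statistics.pstdev(gaps) / statistics.mean(gaps) < MAX_JITTER
        findings.append({"device": device, "port": port, "peer": peer,
                         "sessions": len(stamps), "beacon": regular})
    return findings
```

Feed it real conn.log rows for your edge-device address list and treat a "beacon": True finding on a 40k–50k listener as a lead for firmware and process triage, not as proof on its own.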
Background
- CVE-2024-36401 entered CISA KEV in July 2024 amid active exploitation; GeoServer issued multiple patch trains, plus a high-severity XXE (CVE-2025-30220) fix this June.
- PolarEdge was first documented by Sekoia (Feb. 2025) and later by Censys (Aug. 2025), who framed it as an ORB-like relay for operational traffic, not mass scanning or coin mining.
- Gayfemboy emerged publicly in 2024; Fortinet’s Aug. 22, 2025 analysis shows new exploits, architectures and anti-analysis techniques.
What’s Next
Expect more quiet monetization (bandwidth resale/SDK abuse) and relay-grade botnets that prioritize stealth over volume. Immediate priorities: patch GeoServer, inventory and segment edge gear, and add detections for ORB-style egress and odd-port TLS. Threat intel sharing between ISPs, cloud providers and enterprises will be key to disrupting these low-noise campaigns.
Sources: Unit 42 (Palo Alto Networks) – GeoServer CVE-2024-36401 exploitation and SDK monetization; NVD/GeoServer project advisories; The Hacker News (Aug. 23, 2025) overview on GeoServer, PolarEdge, and Gayfemboy.
Censys & ISMG – PolarEdge ORB scale (~40k devices), edge device exploitation, and ORB behavior; Sekoia early reporting (Feb. 2025); Fortinet FortiGuard Labs (Aug. 22, 2025) on Mirai “Gayfemboy” exploits, variants, and anti-analysis features.
Additional context from CVE records (2024–2025), CISA KEV entries, and prior research linking Redis cryptojacking and TLS backdoors in PolarEdge campaigns.