Researchers from Palo Alto Networks and other vendors have reported a series of attacks that use GeoServer vulnerabilities, exposed Redis servers, and IoT devices to build new kinds of botnets, proxy networks, and crypto miners.

The attacks began by exploiting a critical vulnerability, CVE-2024-36401, in GeoServer GeoTools (CVSS 9.8), which allows remote code execution. The attackers deploy legitimate SDKs or modified applications that monetize victims' traffic through residential proxy services. Because this looks like a legitimate revenue model, it often goes unnoticed. More than 7,100 open GeoServer instances in 99 countries have been identified.

In parallel, Censys described a new botnet, PolarEdge, which includes up to 40,000 IoT devices, from corporate firewalls to routers and IP cameras. It functions as an Operational Relay Box (ORB), silently relaying traffic without disrupting the devices' normal functions. This allows cybercriminals to carry out attacks unnoticed.

Another campaign spreads a Mirai variant called gayfemboy, which infects equipment from DrayTek, TP-Link, Cisco and other vendors. It supports several architectures (ARM, MIPS, PowerPC, Intel) and has four modules: *Monitor* (monitoring and sandbox evasion), *Watchdog* (UDP communication), *Attacker* (DDoS), and *Killer* (self-destruction). Affected devices have been recorded in the USA, Brazil, Germany, Israel and a number of other countries.

Separately, a cryptojacking campaign, TA-NATALSTATUS, was discovered that attacks unprotected Redis servers. Attackers use the standard CONFIG and SET commands to create cron jobs that download malicious scripts, disable SELinux, block competing miners, and launch their own miners. The masscan and pnscan utilities are used to search for targets in bulk.
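The Redis exposure described above comes down to a handful of configuration directives. The following audit script is an added example, not code from the article or from any of the vendors it cites; it parses two constructed redis.conf fragments (one exposed, one hardened) and reports the conditions that leave an instance open to this kind of abuse. The directive names are real Redis settings; the sample values are constructed.

```python
# Constructed sample redis.conf fragments (not from the article): an exposed
# instance of the kind the campaign targets, and a hardened counterpart.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass CHANGE_ME_placeholder
rename-command CONFIG ""
rename-command DEBUG ""
"""

def parse_conf(text):
    """Parse redis.conf directives into {name: [values]}; repeats are kept in order."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1] if len(parts) > 1 else ""
        conf.setdefault(key, []).append(val)
    return conf

def audit(text):
    """Return the list of findings that make this configuration exposed."""
    conf = parse_conf(text)
    findings = []
    # Redis listens on all interfaces when no bind directive is present.
    binds = conf.get("bind", ["0.0.0.0"])[-1].split()
    if any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bound to all interfaces")
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode disabled")
    if "requirepass" not in conf and "user" not in conf:
        findings.append("no authentication configured")
    # Renaming CONFIG to "" disables it, which blocks runtime changes to dir/dbfilename.
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v}
    if "CONFIG" not in renamed:
        findings.append("CONFIG command not disabled")
    return findings
```

Run `audit()` over a live instance's redis.conf; an empty result means the four basic exposure conditions are closed, while a non-empty result lists what to fix first.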

Such campaigns demonstrate the evolution of cybercrime techniques – instead of aggressive resource extraction, attackers are moving to “low-profile” monetization models. ORB networks, the use of legitimate SDKs, and cloud services mask activity, making attacks almost invisible to administrators. Masking techniques, including renaming system utilities, complicate forensics and threat detection.

Modern attacks on GeoServer, Redis, and IoT devices indicate a radical shift in cybercrime: from classic botnets to complex infrastructures for proxies, DDoS, and cryptomining. They combine stealth, scalability, and flexibility. For businesses, this means proactive monitoring, regular patching, and multi-layered defenses, as new campaigns like PolarEdge or gayfemboy can go undetected for years.