PolarEdge, Gayfemboy, and EAGLEDOOR: Botnets and APTs Exploit GeoServer Vulnerability


Cybercriminals and advanced persistent threat (APT) actors are increasingly converging on a stealth-first, profit-driven, and persistence-focused model of operations. Recent discoveries highlight how both financially motivated threat groups and nation-state-backed APTs are exploiting known vulnerabilities and misconfigurations to build botnets, monetize bandwidth, mine cryptocurrency, and conduct espionage.

At the center of many of these campaigns is the critical OSGeo GeoServer GeoTools flaw (CVE-2024-36401, CVSS 9.8), which has been actively weaponized for both cybercrime and espionage. From IoT botnets like PolarEdge and Mirai-variant Gayfemboy, to cryptojacking operations abusing Redis servers, and now a suspected China-based APT group Earth Baxia deploying the EAGLEDOOR backdoor, the threat landscape is rapidly evolving.

Background on Botnets and Malware Campaigns

PolarEdge IoT Botnet

First observed in mid-2023, PolarEdge is a large-scale IoT botnet composed of compromised enterprise firewalls, routers, IP cameras, and VoIP phones. Its operators install a custom TLS backdoor (based on Mbed TLS) to maintain encrypted command-and-control, evade detection, and relay traffic like an Operational Relay Box (ORB). At its peak, PolarEdge controlled 40,000+ devices, with infections concentrated in South Korea, the U.S., Hong Kong, Sweden, and Canada.

Gayfemboy (Mirai Variant)

The Gayfemboy botnet is a sophisticated Mirai derivative targeting multiple architectures, including ARM, MIPS, PowerPC, and Intel x86. It introduces sandbox evasion, watchdog persistence, and DDoS attack functionality across UDP, TCP, and ICMP. Active globally in countries like Brazil, Germany, Israel, and Vietnam, it has targeted sectors ranging from manufacturing to media and communications.

Redis Cryptojacking (TA-NATALSTATUS)

Financially motivated groups continue to weaponize unauthenticated Redis instances (port 6379). The TA-NATALSTATUS group exploits Redis misconfigurations to deliver cryptocurrency miners, eliminate rival malware, and block Redis access to secure exclusive control. Its updated toolkit features rootkit-like stealth, binary replacements (e.g., malicious ps, top, curl), and timestamp tampering to hide processes from administrators and forensic tools.
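The binary replacement described above (trojanised ps, top, curl) is something a responder can check for directly, because the package manager records a checksum for every file it installed. The script below is an added example, not tooling from the TA-NATALSTATUS reporting: it parses the dpkg-style `<md5>  <relative path>` manifest format (on Debian/Ubuntu hosts the real files are `/var/lib/dpkg/info/<package>.md5sums`, for example `procps.md5sums` for ps/top) and compares it with the files on disk. The manifest and "binaries" it verifies are constructed in a temporary directory so it runs offline; `build_demo` and `run_demo` exist only to create that fixture.

```python
"""Verify package-managed binaries against their recorded checksums.

Added example (not from the original page or the campaign reports). Reads the
dpkg md5sums manifest format and reports each file as ok / modified / missing.
The fixture is constructed: three fake binaries are written, a manifest is
taken, then ps is replaced and netstat deleted, mimicking the rootkit-style
binary swap described in the text.
"""
import hashlib
import os
import tempfile


def md5_of(path):
    """MD5 of a file, streamed; dpkg records MD5, so that is what we compare."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_md5sums(text):
    """'<32-hex>  <relative path>' per line -> {relative path: digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, rel = line.partition("  ")
        if not sep or len(digest) != 32 or not rel:
            raise ValueError(f"bad manifest line: {line!r}")
        entries[rel] = digest.lower()
    return entries


def verify_manifest(manifest_text, root="/"):
    """Compare every manifest entry with the file under root."""
    status = {}
    for rel, expected in parse_md5sums(manifest_text).items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            status[rel] = "missing"
        elif md5_of(path) != expected:
            status[rel] = "modified"
        else:
            status[rel] = "ok"
    return status


def build_demo(root):
    """Constructed fixture: pristine files + manifest, then tamper like an intruder."""
    originals = {
        "usr/bin/ps": b"ELF-ps-original",
        "usr/bin/top": b"ELF-top-original",
        "bin/netstat": b"ELF-netstat-original",
    }
    for rel, data in originals.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    manifest = "".join(
        f"{hashlib.md5(data).hexdigest()}  {rel}\n" for rel, data in originals.items()
    )
    # Swap ps for a wrapper that hides the miner and back-date its mtime the way
    # timestamp tampering does; the checksum still gives it away.
    ps = os.path.join(root, "usr/bin/ps")
    with open(ps, "wb") as f:
        f.write(b"ELF-ps-trojan")
    os.utime(ps, (0, 0))
    os.remove(os.path.join(root, "bin/netstat"))
    return manifest


def run_demo():
    """Run the verification against the constructed fixture and return the report."""
    with tempfile.TemporaryDirectory() as root:
        manifest = build_demo(root)
        return verify_manifest(manifest, root)


if __name__ == "__main__":
    for rel, state in run_demo().items():
        print(f"{state:9} {rel}")
```

Two caveats for real use: the manifest lives on the same disk as the binaries, so an intruder who also edits `/var/lib/dpkg/info/*.md5sums` defeats the check (compare against a freshly downloaded package, or run `debsums`/`rpm -V` from trusted media), and replaced tools that hide processes will also hide themselves from any check run through them, so run the verification from a known-good shell or a live image.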

Earth Baxia and the EAGLEDOOR Backdoor

On the espionage front, Earth Baxia, a suspected China-based APT, has been exploiting CVE-2024-36401 alongside spear-phishing to infiltrate government, telecom, and energy organizations across the APAC region. The infection chain involves phishing lures in Simplified Chinese, decoy documents, and malicious archives that eventually deliver Cobalt Strike and a new backdoor named EAGLEDOOR.

  • Cobalt Strike: used for persistence, lateral movement, and staging the backdoor deployment.
  • EAGLEDOOR: loaded through DLL side-loading; supports C2 communication over DNS, HTTP, TCP, and the Telegram Bot API; exfiltrates data with curl.exe and can download and upload additional payloads.
  • Tactics: Earth Baxia uses GrimResource (malicious .msc console files) and AppDomainManager injection to deploy next-stage malware and evade detection.

Vulnerability Details

  • CVE-ID: CVE-2024-36401
  • CVSS Score: 9.8 (Critical)
  • EPSS Score: 94.42%
  • Vulnerability: Unauthenticated remote code execution (RCE). GeoServer passes property and attribute names taken from OGC requests (WFS, WMS, WPS) to the GeoTools library, which evaluates them as XPath expressions through commons-jxpath; that library allows arbitrary Java method calls inside an expression, so a crafted request runs code as the GeoServer process.
  • Affected Product: GeoServer versions prior to 2.22.6, 2.23.6, 2.24.4, and 2.25.2; GeoTools versions prior to 29.6, 30.4, and 31.2.
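Turning the affected-version list into a check is fiddlier than it looks, because each release line has its own first fixed patch level and older lines never got one. The following is an added example (not GeoServer project code) that encodes the fixed versions above; it assumes that any release line older than the oldest fixed line is affected, as the "versions prior to" wording implies, and that lines newer than the newest fixed line were cut after the fix. Version strings are read from wherever you obtain them (the GeoServer web UI, `/geoserver/rest/about/version`, or the `gt-*-<version>.jar` file names in WEB-INF/lib).

```python
"""Version triage for CVE-2024-36401. Added example, not project code."""
import re

# First fixed release on each maintained line, as listed in the advisory.
GEOSERVER_FIXED = {(2, 22): 6, (2, 23): 6, (2, 24): 4, (2, 25): 2}
GEOTOOLS_FIXED = {(29,): 6, (30,): 4, (31,): 2}

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def parse_version(text):
    """'2.25.1', '2.24.4-SNAPSHOT', '31.1' -> tuple of ints, or None if unparseable.
    Suffixes such as -SNAPSHOT or -RC are ignored, so a snapshot of a fixed
    release counts as fixed (the optimistic reading; adjust if you disagree)."""
    m = _VERSION_RE.match(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def _affected(version, fixed, line_len):
    parts = parse_version(version)
    if parts is None or len(parts) <= line_len:
        raise ValueError(f"cannot read a release line and patch number from {version!r}")
    line, patch = parts[:line_len], parts[line_len]
    if line in fixed:
        return patch < fixed[line]
    # Assumption: lines older than the oldest fixed line never received a fixed
    # release (the project shipped patched jars instead, see Mitigation), and
    # lines newer than the newest fixed line were cut after the fix was merged.
    return line < min(fixed)


def geoserver_affected(version):
    """True if a GeoServer release (major.minor.patch) predates the fix on its line."""
    return _affected(version, GEOSERVER_FIXED, 2)


def geotools_affected(version):
    """True if a GeoTools release (major.minor) predates the fix on its line."""
    return _affected(version, GEOTOOLS_FIXED, 1)


def triage(geoserver_version, geotools_version):
    """Combine both checks. The GeoTools jar version is what matters at runtime:
    a GeoServer install may have had its gt-* jars replaced with patched copies,
    which a GeoServer version string alone will not reveal."""
    return {
        "geoserver": geoserver_version,
        "geoserver_affected": geoserver_affected(geoserver_version),
        "geotools": geotools_version,
        "geotools_affected": geotools_affected(geotools_version),
    }


if __name__ == "__main__":
    for gs, gt in (("2.25.1", "31.1"), ("2.25.2", "31.2"), ("2.21.5", "27.5")):
        print(triage(gs, gt))
```

Treat a "not affected" answer on an old line with patched jars as unverified until you have compared the installed jars with the ones downloaded from geoserver.org; a file name does not change when a patched jar is dropped in.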

Infection Method

Initial Access

  • Attackers scan for publicly exposed and unpatched GeoServer instances.
  • In targeted campaigns (e.g., Earth Baxia), spear-phishing emails with malicious ZIP/MSC attachments are also used to gain a foothold.

Exploitation

  • The attacker sends a crafted OGC request (for example a WFS GetFeature or GetPropertyValue whose propertyName or valueReference carries an XPath expression) that exploits CVE-2024-36401, the remote code execution vulnerability in GeoServer's use of GeoTools, and executes arbitrary code on the vulnerable server with the privileges of the GeoServer service account. No authentication is required.
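Because the exploit rides in ordinary GET parameters, a first-pass hunt for exploitation attempts can run over the web server's access log. The script below is an added example (not tooling from any of the reports cited on this page) that scans combined-format log lines for WFS requests whose property-name parameters contain Java-invocation tokens after full URL decoding. The log lines are constructed with RFC 5737 documentation addresses; the `/geoserver/` context path and the parameter list are assumptions you should adapt to your deployment.

```python
"""Hunt for CVE-2024-36401 exploitation attempts in access logs.

GeoTools evaluated property names from OGC request parameters as XPath
expressions through commons-jxpath, so public exploits place a Java call such
as exec(java.lang.Runtime.getRuntime(), '...') in a WFS parameter like
valueReference or propertyName, usually URL-encoded. Added example; the log
lines below are constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameters known to reach the property-name evaluation (assumed list; extend it).
XPATH_PARAMS = {"valuereference", "propertyname"}

# Tokens that have no business in a property name.
SUSPICIOUS = re.compile(
    r"exec\s*\(|java\.lang\.runtime|getruntime\s*\(|processbuilder|"
    r"javax\.script|scriptengine|class\.forname|loadclass",
    re.IGNORECASE,
)

# Combined log format: client ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def decode_fully(value, rounds=3):
    """URL-decode until stable (bounded) so double-encoded payloads are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_target(target):
    """Return a reason string if the request target looks like an exploit attempt, else None."""
    parts = urlsplit(target)
    if "/geoserver/" not in parts.path.lower():   # assumed context path
        return None
    # parse_qs decodes once; decode_fully strips any further layers.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name.lower() not in XPATH_PARAMS:
            continue
        for value in values:
            value = decode_fully(value)
            if SUSPICIOUS.search(value):
                return f"{name}={value}"
    # Fallback: same tokens anywhere in the decoded request line (other parameters,
    # odd encodings). POST bodies never reach the access log, so XML-bodied
    # exploits need request-body logging or a WAF to be seen at all.
    if SUSPICIOUS.search(decode_fully(target)):
        return "suspicious token in request line"
    return None


def scan_access_log(lines):
    """Parse combined-format lines and return one finding per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, when, method, target, status, _ = m.groups()
        reason = classify_target(target)
        if reason:
            findings.append({"client": client, "time": when, "method": method,
                             "status": int(status), "reason": reason})
    return findings


# Constructed sample: one plain attempt, one double-encoded attempt, two benign requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2024:03:14:07 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=exec(java.lang.Runtime.getRuntime(),%27touch%20/tmp/pwned%27) HTTP/1.1" 400 1029',
    '198.51.100.23 - - [10/Jul/2024:03:15:11 +0000] "GET /geoserver/wfs?service=WFS&version=1.0.0&request=GetFeature&typeName=topp:states&propertyName=STATE_NAME HTTP/1.1" 200 8812',
    '203.0.113.7 - - [10/Jul/2024:03:16:42 +0000] "GET /geoserver/wfs?request=GetPropertyValue&valueReference=%2565xec%2528java.lang.Runtime.getRuntime%2528%2529%252C%2527id%2527%2529 HTTP/1.1" 400 1029',
    '192.0.2.9 - - [10/Jul/2024:03:17:00 +0000] "GET /geoserver/web/ HTTP/1.1" 200 3311',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Do not filter on the HTTP status: the server's response code says nothing about whether the expression executed before the request errored out, so treat every hit as an attempt to investigate, and pivot from the client address to the payload-delivery and C2 stages described below.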

Payload Delivery

  • Malicious executables are dropped from attacker-controlled infrastructure (often via private transfer.sh instances instead of standard web servers).
  • In cybercrime campaigns: binaries written in Dart are deployed to monetize bandwidth or act as lightweight loaders.
  • In Earth Baxia campaigns: the flaw is abused to deliver Cobalt Strike beacons.

Execution & Persistence

  • The executables run in the background with minimal resource consumption to avoid detection.
  • Cobalt Strike is used as a stager to deploy the EAGLEDOOR backdoor via DLL side-loading.
  • Persistence is achieved through cron jobs, watchdog processes, or DLL hijacking, depending on the actor.

Command-and-Control (C2)

  • For monetization campaigns: executables communicate with bandwidth-sharing services or proxy infrastructure.
  • For Earth Baxia:
    • EAGLEDOOR communicates with C2 servers using DNS, HTTP, TCP, and Telegram Bot API.
    • Data exfiltration occurs via curl.exe.

Impact

Stealth Monetization: Using GeoServer exploits to deploy bandwidth-sharing executables that generate passive income without overloading system resources.

Relay & Obfuscation: PolarEdge demonstrates how IoT devices can be converted into relays for further compromises (ORB infrastructure).

Resource Hijacking: Redis-based cryptojacking drains system resources, while eliminating competitors and concealing operations.

Espionage: Earth Baxia’s use of Cobalt Strike + EAGLEDOOR illustrates how state-aligned actors use the same vulnerabilities for data theft and intelligence collection.

Visual Flow

Initial Access (scanning/spear-phishing) -> Exploitation (CVE-2024-36401 RCE) -> Payload Delivery (Dart binaries / Cobalt Strike) -> Execution & Persistence (background execution, DLL side-loading, cron/watchdog) -> Command & Control (bandwidth services / EAGLEDOOR over DNS, HTTP, TCP, Telegram, data exfil via curl.exe).

Mitigation Steps

  • Upgrade GeoServer to version 2.22.6, 2.23.6, 2.24.4, or 2.25.2 (or a later release on that line), and GeoTools to version 29.6, 30.4, or 31.2 (or later).
  • If you cannot upgrade yet, the GeoServer project published patched gt-app-schema, gt-complex, and gt-xsd-core jars for older releases (2.25.1, 2.24.3, 2.24.2, 2.23.2, 2.21.5, 2.20.7, 2.20.4, 2.19.2, and 2.18.0) at https://geoserver.org. Replace the corresponding jars in WEB-INF/lib of the affected installation with the patched copies and restart GeoServer. A version string alone does not show whether this was done, so verify the installed jars against the downloaded ones.
  • As a last-resort workaround from the project advisory, removing the gt-complex jar from WEB-INF/lib removes the vulnerable code from the deployment, but it may break functionality or prevent GeoServer from starting if that module is needed, so test it before relying on it.
  • Because the flaw needs no authentication, do not leave the OGC endpoints of unpatched instances reachable from the internet; put them behind authentication, a reverse proxy or WAF rules, and review access logs for crafted WFS requests.

Instantly Fix Risks with Saner Patch Management

Saner patch management is continuous, automated, and integrated patching software that quickly fixes risks being exploited in the wild. It supports the major operating systems (Windows, Linux, and macOS) as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.