
Androxgh0st Botnet Expands Reach, Exploiting US University Servers – Source:hackread.com


Source: hackread.com – Author: Deeba Ahmed.

New CloudSEK findings show Androxgh0st botnet evolving. Academic institutions, including UC San Diego, hit. Discover how this sophisticated threat uses RCE and web shells, and steps to protect against it.

A recent investigation by CloudSEK, shared with Hackread.com, reveals a major evolution in the Androxgh0st botnet’s operations and a sharp increase in its ability to compromise systems. The botnet, first observed in early 2023, now leverages a wider array of initial access methods, including the exploitation of misconfigured servers belonging to academic institutions.

Notably, the US Cybersecurity and Infrastructure Security Agency (CISA) also issued a security advisory in January 2024, raising awareness about Androxgh0st’s expansion.

Key Targets and Tactics

CloudSEK’s findings indicate that the botnet has expanded its arsenal of attack vectors by approximately 50% since an earlier report in 2024. A concerning discovery was a command-and-control (C2) logger panel hosted on a University of California, San Diego subdomain (“USArhythms”) associated with content for the USA Basketball Men’s U19 National Team.

[Image: Androxgh0st botnet’s C&C panel (via CloudSEK)]

This shows a trend where botnet operators utilize legitimate, yet vulnerable, public domains to host their malicious infrastructure, making detection more challenging. Previously, CloudSEK also reported the botnet hosting its logger on a Jamaican events aggregator platform.

The Androxgh0st botnet exploits well-known vulnerabilities in popular software frameworks such as Apache Shiro and Spring Framework, along with issues in WordPress plugins and Lantronix IoT devices. These exploits have serious consequences, including the ability to run unauthorized code, steal sensitive information, and even initiate cryptocurrency mining on compromised systems.

CloudSEK had predicted in its first report that Androxgh0st operators would introduce new malicious programs into their toolkit by mid-2025, a prediction that now appears to be unfolding.

Understanding the Threat

According to the company’s report, the Androxgh0st botnet gains initial access through various Initial Access Vectors (IAVs), the pathways into a system. Once inside, the operators communicate with compromised devices via command-and-control (C2) servers. A key goal is Remote Code Execution (RCE), which lets them run their own code on the compromised hosts.

This is often achieved using techniques such as JNDI injection and OGNL injection, which are particularly effective against Java-based applications. These techniques allow Androxgh0st to bypass security controls and maintain persistent control, frequently by installing web shells.

Protecting Against Androxgh0st

In light of these developments, organizations, especially academic institutions and those running the affected software, are urged to take immediate action. CloudSEK recommends patching all systems vulnerable to the identified CVEs, such as those behind Spring4Shell and the Apache Shiro flaws.

Restricting outbound network traffic for protocols such as RMI, LDAP, and JNDI lookups is also crucial. Regularly auditing website plugins, such as Popup Maker for WordPress, and monitoring for unusual file activity are likewise vital steps in preventing and detecting Androxgh0st compromises.
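The "monitor for unusual file activity" recommendation above is easier to act on with a concrete sweep. The following is an added example, not CloudSEK's or Hackread's code: a small Python script that walks a web root and reports script files that either contain constructs typical of web shells (such as `eval(base64_decode(...))` on request input) or sit in a directory that should only hold uploads, and notes whether they were written recently. The indicator patterns, the upload-directory names and the sample files are assumptions constructed for the example, not indicators from the report; tune them to your own application's legitimate code before relying on the output.

```python
"""Heuristic web-shell sweep of a web root (added example; patterns are assumptions)."""
import os
import re
import tempfile
import time
from pathlib import Path

# Assumed indicator patterns (constructed for this example, not from the report).
SHELL_PATTERNS = {
    "eval of decoded payload": re.compile(
        rb"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\b", re.I),
    "command exec from request": re.compile(
        rb"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
    "java runtime exec from request": re.compile(
        rb"Runtime\.getRuntime\(\)\.exec\s*\(\s*request\.getParameter", re.I),
    "variable function on request input": re.compile(
        rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(", re.I),
}
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".jsp", ".jspx"}
# Directories that should hold data, never executable scripts (assumed names).
UPLOAD_DIRS = {"uploads", "upload", "cache", "tmp"}


def scan_webroot(root, max_age_seconds=86400, now=None):
    """Return {relative_path: [reasons]} for files an analyst should review.

    A file is reported only on a strong signal (shell-like content, or a script
    in an upload/cache directory); recent modification is appended as context.
    """
    now = time.time() if now is None else now
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        is_script = path.suffix.lower() in SCRIPT_EXTENSIONS
        reasons = []
        if is_script and UPLOAD_DIRS & {part.lower() for part in rel.parts[:-1]}:
            reasons.append("executable script in upload/cache directory")
        try:
            data = path.read_bytes()
        except OSError:
            continue
        reasons += [name for name, pat in SHELL_PATTERNS.items() if pat.search(data)]
        if not reasons:
            continue
        if now - path.stat().st_mtime <= max_age_seconds:
            reasons.append("modified within the last %d seconds" % max_age_seconds)
        findings[rel.as_posix()] = reasons
    return findings


def demo_sample_tree():
    """Build a constructed web root in a temp dir and scan it (sample data, not real IoCs)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "index.php": b"<?php echo 'hello'; ?>",                               # benign, old
            "uploads/cache.php": b"<?php eval(base64_decode($_POST['c'])); ?>",   # PHP shell
            "admin/cmd.jsp": b'<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
            "uploads/photo.jpg": b"\xff\xd8\xff\xe0 not a script",                 # benign upload
        }
        a_month_ago = time.time() - 30 * 86400
        for rel, content in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(content)
            if rel == "index.php":  # the legitimate file was deployed long ago
                os.utime(p, (a_month_ago, a_month_ago))
        return scan_webroot(root)


if __name__ == "__main__":
    for rel, reasons in sorted(demo_sample_tree().items()):
        print(rel, "->", "; ".join(reasons))
```

On the constructed tree the sweep reports `uploads/cache.php` (script in an upload directory, decoded-payload eval, recently written) and `admin/cmd.jsp` (runtime exec on request input, recently written), and stays silent on the old `index.php` and the JPEG. In production, run it from cron against each web root and compare the output with the previous run, so that only new findings reach an analyst; a deploy that legitimately rewrites many scripts shows up as recency context only and does not by itself produce a report.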

“Shifting from its earlier focus on Chinese-linked mass surveillance campaigns to a much broader exploitation strategy, we now observe the botnet aggressively incorporating a wider array of high-impact vulnerabilities including JNDI injection, OGNL exploitation, including CVEs tied to frameworks like Apache Shiro, Spring, and Fastjson,” said Koushik Pal, Threat Research, CloudSEK.

Original Post url: https://hackread.com/androxgh0st-botnet-expand-exploit-us-university-servers/

Category & Tags: Security, Cyber Attacks, Malware, AndroxGh0st, Botnet, Cyber Attack, Cybersecurity, IoT, Vulnerability
