As first reported by The Hacker News, cybersecurity researchers have uncovered a surge of attacks abusing Redis servers and internet-exposed devices, turning them into infrastructure for botnets, bandwidth-hijacking proxies, and cryptocurrency mining. One campaign centers on CVE-2024-36401, a critical vulnerability in OSGeo GeoServer GeoTools, which attackers weaponized to distribute Dart-based executables. These executables covertly monetize bandwidth by mimicking legitimate app developer practices, such as embedding SDKs, to generate revenue through passive income services. With over 7,100 publicly exposed GeoServer instances worldwide, attackers are scaling this technique while keeping resource consumption low enough to avoid detection.
Source: osgeo.org.
In parallel, researchers detailed a sprawling IoT botnet dubbed PolarEdge, which leverages vulnerabilities in routers, IP cameras, VoIP phones, and even enterprise firewalls. PolarEdge acts as an Operational Relay Box (ORB) network, quietly relaying attacker traffic while devices continue to function normally, making detection difficult. The botnet has reached roughly 40,000 active devices, heavily concentrated in South Korea, the U.S., and Hong Kong. Its encrypted backdoor and dynamic infrastructure updates highlight a growing trend toward stealthy persistence over brute-force disruption.
Another campaign involves a Mirai-variant botnet named “gayfemboy”, which has expanded to target devices across Brazil, Mexico, Europe, Israel, and the U.S. With functionality spanning DDoS attacks, persistence mechanisms, sandbox evasion, and remote backdoor access, the malware demonstrates increasing complexity. Unlike traditional Mirai offshoots, this variant integrates enhanced stealth techniques, underscoring the arms race between defenders and malware developers.
Finally, exposed Redis servers are being hijacked by a cryptojacking operation attributed to TA-NATALSTATUS. Attackers scan for open Redis instances on port 6379, then use legitimate commands to schedule malicious cron jobs that disable defenses, block competing miners, and install persistence mechanisms. By renaming common binaries like ps, top, curl, and wget to evade detection, attackers conceal the miner’s presence while maximizing profits. This represents an evolution of Redis-based cryptojacking campaigns first reported in 2020, now enhanced with rootkit-like stealth features.
Healthcare organizations running Redis, IoT, or internet-exposed systems must assume they are prime targets for stealthy exploitation. Security teams should prioritize patching known vulnerabilities, enforce strict authentication and network segmentation, and continuously monitor for anomalous resource use. Since attackers are now favoring covert, long-term monetization over disruptive attacks, unnoticed compromises could silently erode system performance and data security. Proactive patch management, exposure reduction, and forensic-aware monitoring are critical for protecting sensitive medical systems from being hijacked into botnets or cryptojacking operations.
