Intel Name: GeoServer targeted by multiple coinminer attack campaigns
Date of Scan: December 30, 2025
Impact: High
Summary: Researchers identified multiple attack campaigns abusing a GeoServer remote code execution flaw (CVE-2024-36401). The attackers indiscriminately scan the internet for exposed and vulnerable GeoServer instances. After gaining access, they install XMRig-based cryptocurrency miners on compromised servers. The payloads hijack system resources to mine cryptocurrency without authorization. Some campaigns rely on multi-stage PowerShell and Bash scripts, using certutil-based droppers and in-memory downloaders. To maintain persistence, the attackers weaken defenses by disabling security settings and adding Windows Defender exclusions.