Your connection, their cash: threat actors misuse SDKs to sell your bandwidth

Intel Name: Your connection, their cash: threat actors misuse SDKs to sell your bandwidth

Date of Scan: August 22, 2025

Impact: Medium

Summary:
This report details a stealthy campaign exploiting CVE-2024-36401, a critical RCE vulnerability (CVSS 9.8) in GeoServer, to gain access to victims’ machines and monetize their internet bandwidth. Attackers deploy legitimate or modified SDKs to turn compromised systems into residential proxies, mimicking legal monetization practices used by app developers. The campaign is notable for its low resource usage, lack of traditional malware, and focus on covert bandwidth resale. Since March 2025, threat actors have actively scanned for exposed GeoServer instances, highlighting a broad and vulnerable attack surface.
