
CloudSEK Unveils New Androxgh0st Findings

The Updates Are Worrying to Say the Least

In early November, CloudSEK's Threat Research team reported that it had discovered substantial advancements in the Androxgh0st botnet. CloudSEK highlighted in its previous report that the Androxgh0st botnet now exploits a broader range of vulnerabilities across major technologies and integrates components of the infamous IoT-focused Mozi botnet.

Active since January 2024, Androxgh0st initially targeted web servers. However, CloudSEK’s recent analysis of its command and control (C2) logs shows a pivot in tactics, indicating deployment of Mozi payloads and targeting IoT devices, further amplifying its threat profile.

CloudSEK also uncovered new findings:

CloudSEK Unveils 14 New Androxgh0st Vulnerabilities

Androxgh0st has expanded its arsenal from 11 initial attack vectors in November 2024 to 27 initial attack vectors within the span of one month. The 14 newly added vectors are:

  1. Spring Cloud Gateway < 3.0.7 & < 3.1.1 Code Injection (CVE-2022-22947)
  2. ZenTao CMS – SQL Injection (CNVD-2022-42853)
  3. AJ-Report Authentication Bypass and Remote Code Execution Vulnerability (CNVD-2024-15077)
  4. eYouMail – Remote Code Execution (CNVD-2021-26422)
  5. Leadsec VPN – Arbitrary File Read (CNVD-2021-64035)
  6. EduSoho Arbitrary File Read Vulnerability
  7. UFIDA NC BeanShell Remote Code Execution (CNVD-2021-30167)
  8. OA E-Cology LoginSSO.jsp SQL Injection (CNVD-2021-33202)
  9. ShopXO Download arbitrary file reading vulnerability (CNVD-2021-15822)
  10. Weaver OA XmlRpcServlet – Arbitrary File Read (CNVD-2022-43245)
  11. Ruijie Smartweb Weak Password Leads to RCE
  12. Hongjing HCM SQL injection vulnerability (CNVD-2023-08743)
  13. E-Cology V9 – SQL Injection (CNVD-2023-12632)
  14. Ruckus Wireless Admin through 10.4 (CVE-2023-25717)

Chinese Threat Actor Indicators

The updated findings link Androxgh0st’s operators to Chinese CTF communities.

Key Observations:

  • Use of the “PWN_IT” string in injected payloads and command infrastructure.
  • Connections to Kanxue-hosted CTF events.
  • Evidence of July 2023 phishing bait targeting a Hong Kong hospital, aligning with behaviors of APT41 and similar state-affiliated groups.

Global Infection Trends

  • There is a significant rise in infections, with a notable focus on Chinese ecosystem-specific vulnerabilities.
  • The infected bots collectively represent ~10.1 Tb/s of potential DDoS attack bandwidth, based on the report's packet rate (PPS) metrics.

Indicators of New Tactics

  • Increased targeting of technologies used within the Chinese ecosystem hints at overlapping interests with the Chinese state.

These findings demonstrate an alarming escalation in Androxgh0st’s capabilities and the growing sophistication of its operators.

For more details, please refer to the full updated report.

Martin Dale Bolima

Martin has been a Technology Journalist at Asia Online Publishing Group (AOPG) since July 2021, tasked primarily to handle the company’s Disruptive Tech Asia and Disruptive Tech News online portals. He also contributes to Cybersecurity ASEAN and Data&Storage ASEAN, with his main areas of interest being artificial intelligence and machine learning, cloud computing and cybersecurity. A seasoned writer and editor, Martin holds a degree in Journalism from the University of Santo Tomas in the Philippines. He began his professional career back in 2006 as a writer-editor for the University Press of First Asia, one of the premier academic publishers in the Philippines. He next dabbled in digital marketing as an SEO writer while also freelancing as a sports and features writer.
