Androxgh0st

Threat Actor updated a month ago (2024-11-29T13:45:44.844Z)
Androxgh0st, a notable threat actor in the cybersecurity landscape, has been actively targeting systems since January 2024. According to CloudSEK's Threat Research team, Androxgh0st has begun exploiting vulnerabilities in web servers, specifically targeting high-profile technologies such as Cisco ASA, Atlassian JIRA, and multiple PHP frameworks. The US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory in early 2024 alerting organizations to Androxgh0st's capacity for systematic exploitation across various CVEs, further emphasizing the severity of this threat.

In addition to its initial activities, recent developments have revealed that Androxgh0st has integrated elements from the Mozi botnet into its operations. Despite the disruption of Mozi, command-and-control logs indicate that Mozi's payloads have been reintegrated into Androxgh0st's botnet infrastructure. This integration has created a more extensive infection network, extending the threat actor's reach into Internet of Things (IoT) environments, a tactic previously associated with Mozi.

The FBI and CISA have issued warnings about the Androxgh0st botnet, which is being used for victim identification and exploitation. Androxgh0st is also targeting IoT devices, continuing the tactics historically associated with Mozi, which primarily impacted routers and DVRs across China, India, and Albania before its creators were arrested in 2021.

In terms of prevalence among malware families, Androxgh0st ranks just behind FakeUpdates, impacting 8% of organizations worldwide, which indicates its widespread influence in the cybersecurity landscape.
Description last updated: 2024-11-07T19:02:21.168Z
Aliases: none currently tracked.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: Malware, Botnet, Exploit, Laravel, Aws, Remote Code ..., Apache, CISA, Credentials, Web Shell, Fortiguard, Vulnerability, Source, Exploits.
Associated Vulnerabilities
CVE-2017-9841 (association type: Unspecified; votes: 3)
The CVE-2017-9841 vulnerability is associated with Androxgh0st. CVE-2017-9841 is a critical vulnerability in the PHP testing framework PHPUnit. It is a software flaw that allows attackers to gain initial access to systems by exploiting it to download and execute a Perl script, thereby opening a reverse shell on the compromised machine. This vulnerability was ac

CVE-2021-41773 (association type: Unspecified; votes: 3)
The CVE-2021-41773 vulnerability is associated with Androxgh0st. CVE-2021-41773 is a significant software vulnerability identified in Apache HTTP Server 2.4.49, which pertains to an issue of path traversal. This flaw in the software's design or implementation allows an attacker to access sensitive information or execute arbitrary code on the server by exploiting