Your Connection, Their Cash: Threat Actors Misuse SDKs to Sell Your Bandwidth
Summary
On March 8, 2025, a threat actor group began a new campaign exploiting a vulnerability in the GeoServer geospatial database, specifically CVE-2024-36401.
This critical-severity remote code execution vulnerability has a CVSS score of 9.8.
Initial exploit attempts originated from the source IP address 108.251.152[.]209, delivering a customized executable, hosted at 37.187.74[.]75.
The executable distributed two primary payloads, “transfer.sh” and “update.sh”, both of which appeared to download and launch “Nakala” malware.
Multiple vendors on VirusTotal flagged the distribution IP address 37.187.74[.]75 as malicious.
As of this writing, exploit attempts continue, and the customized executable distribution hosts remain online.
By Zhibin Zhang, Yiheng An, Chao Lei and Haozhe Zhang