The Androxgh0st botnet has significantly expanded its operations since 2023, with cybercriminals now compromising prestigious academic institutions to host their command and control infrastructure.<\/p>\n
This sophisticated malware campaign has demonstrated remarkable persistence and evolution, targeting a diverse range of vulnerabilities across web applications, frameworks, and Internet of Things devices to establish widespread network access.<\/p>\n
The botnet\u2019s operators have shown particular cunning in their selection of hosting infrastructure, preferring to embed their malicious operations within legitimate, trusted domains.<\/p>\n
This strategic approach not only provides operational cover but also exploits the inherent trust associated with educational and institutional websites.<\/p>\n
The choice to target academic institutions reflects a calculated decision to leverage domains that typically receive less scrutiny from security monitoring systems and maintain high reputation scores with security vendors.<\/p>\n
CloudSEK analysts identified<\/a> that the Androxgh0st operators successfully compromised a University of California, San Diego subdomain, specifically \u201capi.usarhythms.ucsd.edu,\u201d to host their command and control logger.<\/p>\n This particular subdomain appears to be associated with the USA Basketball Men\u2019s U19 National Team portal, demonstrating how attackers exploit legitimate but potentially under-monitored institutional web properties.<\/p>\n The compromise represents a significant escalation in the botnet\u2019s sophistication and operational security measures<\/a>.<\/p>\n The malware\u2019s attack methodology encompasses exploitation of over twenty distinct vulnerabilities, marking a fifty percent increase in initial access vectors compared to previous campaigns.<\/p>\n These vulnerabilities span multiple technology stacks including Apache Shiro JNDI injection flaws, Spring Framework remote code execution vulnerabilities (Spring4Shell), WordPress plugin weaknesses, and Internet of Things device command injection vulnerabilities.<\/p>\n The diversity of attack vectors<\/a> ensures broad target coverage and maximizes the likelihood of successful system compromise across different organizational environments.<\/p>\n The Androxgh0st operators deploy a sophisticated arsenal of four distinct webshells designed for persistent access and continued exploitation of compromised systems.<\/p>\n The primary webshell, \u201cabuok.php,\u201d employs hexadecimal encoding combined with PHP\u2019s eval function to execute obfuscated payloads.<\/p>\n The malicious code utilizes The \u201cmyabu.php\u201d variant demonstrates additional evasion techniques through ROT13 encoding, where This encoding method provides a simple yet effective obfuscation layer that bypasses signature-based detection systems while maintaining full remote code execution<\/a> capabilities.<\/p>\n The webshells collectively enable file upload functionality, code injection capabilities, and persistent backdoor access, ensuring that even if primary infection vectors are patched, the attackers maintain multiple pathways for continued system access and exploitation.<\/p>\n Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions ->\u00a0Try ANY.RUN now<\/strong><\/a><\/p>\n The post Androxgh0st Botnet Operators Exploiting US University For Hosting C2 Logger<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgKsgdcf3p1A1VM8HKp14eNkOCGTNWjy3d306vY-7tGDGyBI5jmMsMF2iGmA1Vt4Lr1Ze_jsSzXWa-o1_1VO0X6HKyOvNln1d0l3t_SluRRZvXrv8fUx5KibeIDiWn_NAHqOWH8FQIRjdyt9v8zVp6FYXPFLVCEKA_LHkuWFiGFRVTgQAwZnX62oA1U96Q\/s16000\/Hunting%2520for%2520malicious%2520infrastructure%2520-%2520found%2520misconfigured%2520Logger%2520and%2520Command%2520Sender%2520panels%2520%28Source%2520-%2520Cloudsek%29.webp?ssl=1\")
Webshell Deployment and Persistence Mechanisms<\/strong><\/h2>\n
eval(hex2bin())<\/code> to decode and execute embedded commands, while wrapping the payload in seemingly innocuous text strings to evade basic detection mechanisms.<\/p>\nerror_reporting(0); eval(hex2bin(\"636c617373204e7b707...\"));<\/code><\/pre>\nstr_rot13(\"riny\")<\/code> produces \u201ceval\u201d to execute arbitrary code submitted via POST requests.<\/p>\n