Hackers Exploit Apache Flaw To Drop Linuxsys Cryptominer Payload

HomeNews* Researchers uncovered a new attack exploiting a known vulnerability in Apache HTTP Server to deploy the Linuxsys cryptocurrency miner.

• The attackers use compromised legitimate websites and the CVE-2021-41773 path traversal flaw to evade detection and spread Malware.
• Malware is distributed through shell scripts and launches automatically after system reboot; evidence shows the threat also targets Windows systems.
• This campaign leverages various known software vulnerabilities, suggesting a long-term, coordinated effort for illicit coin mining.
• A separate campaign uses a sophisticated backdoor called GhostContainer to target government Exchange servers in Asia for espionage. Cybersecurity firms have identified a new malware campaign where attackers exploit a security weakness in the Apache HTTP Server to distribute a cryptocurrency mining tool named Linuxsys. The attacks, detected in July 2025, specifically target the CVE-2021-41773 bug in Apache version 2.4.49, allowing unauthorized users to run code remotely on vulnerable servers.

• Advertisement - Threat actors distribute the malware by compromising legitimate websites and using them as delivery points. According to VulnCheck, the attackers initiate infections from an Indonesian IP address and utilize a download server, “repositorylinux[.]org,” to fetch malicious shell scripts. These scripts are responsible for downloading the Linuxsys miner from various trustworthy domains, making detection harder since the connections use valid SSL certificates.

The shell script automates the installation process and drops another script, “cron.sh,” which ensures the miner launches every time the system reboots. VulnCheck observed that some of the compromised sites also contain Windows malware files, indicating the campaign’s reach may extend beyond Linux systems. Attackers have previously exploited critical vulnerabilities, such as a flaw in OSGeo GeoServer GeoTools (CVE-2024-36401), for similar mining activities. Comments within the malware source code are written in Sundanese, suggesting a connection to Indonesia.

Other software vulnerabilities used in past attacks to deploy the miner include template injection in Atlassian Confluence (CVE-2023-22527), command injection in Chamilo LMS (CVE-2023-34960), and similar flaws in Metabase and Palo Alto firewalls (CVE-2024-0012 and CVE-2024-9474). “All of this indicates that the attacker has been conducting a long-term campaign, employing consistent techniques such as n-day exploitation, staging content on compromised hosts, and coin mining on victim machines,” VulnCheck reported.

In a separate incident, Kaspersky warned of a targeted attack against government servers in Asia through a custom malware called GhostContainer. The attackers may have exploited a remote code execution bug (CVE-2020-0688) in Microsoft Exchange Servers. This backdoor allows full access to compromised servers without connecting to external command centers, hiding instructions inside normal web requests, which increases stealth.

The campaigns demonstrate persistent targeting of publicly known software flaws and sophisticated tactics to maintain a low profile while carrying out mining and espionage operations.

Previous Articles:

• Trump Tariff Threat Derails BRICS Push for Common Currency
• Lithuania’s Axiology Gains DLT License for Digital Bond Trading
• BlackRock Invests $916M in Bitcoin, Ethereum as Crypto Holdings Surge
• Bitcoin Hits $123K as Trump Task Force Report Sparks Market Buzz
• XRP Nears $200B Market Cap, Surges 35% Against Bitcoin in July

• Advertisement -