Lucene search

impervablogGabi StapelIMPERVABLOG:C558C456BB7DA6FB92AD2868D0C7761C
HistoryJan 31, 2024 - 2:03 p.m.

Imperva uncovers new Indicators of Compromise for FBI and CISA-flagged AndroxGh0st botnet

Gabi Stapel
indicators of compromise
microsoft office 365
apache http server
laravel framework
imperva threat research
criminal group
drupal core vulnerability
proxy ips
http requests
wso2 vulnerability
jsp webshells
xmrig cryptominer

8 High

AI Score



0.975 High




On January 16, a joint alert from FBI and CISA warned about a concerning development: the emergence of a botnet driven by AndroxGh0st malware targeting vulnerable applications and web servers. AndroxGh0st is a Python-based malware, first seen in late 2022, designed to target Laravel .env files and steal credentials for AWS, Microsoft Office 365, and other applications.

The threat actors behind this campaign target several CVEs, including:

In 2024, Imperva Threat Research has seen over 30,000 unique sites targeted in attacks attempting to exploit these vulnerabilities, predominantly in the Financial Services and Business industries.

Since late 2023, Imperva Threat Research has monitored activity from threat actors associated with the AndroxGh0st malware disclosed in CISA’s report. We’ve seen extensive exploitation of the PHPUnit code injection vulnerability (CVE-2017-9841) dropping webshells, primarily through two CISA-flagged URLs:

  • hxxps://
  • hxxps://

We can attribute this activity to the criminal group based on two key factors: the unique signature of these events aligns with CISA’s disclosure, and the identical nature of one of the payloads observed to those mentioned in the report.

CISA-disclosed payload

In addition to the CISA-disclosed payload, Imperva Threat Research discovered an additional payload containing the PHP webshell in a base64 encoded form, presumably to overcome RFI mitigations on the target host.

Additional payload discovered by Imperva Threat Research

In another notable deviation from CISA’s findings, our team also detected exploitation of an unmentioned vulnerability: the Drupal Core vulnerability CVE-2019-6340, which the AndroxGh0st threat actors used to deploy webshells. We observed the threat actors use of the same proxy IPs deploying the same webshell within a similar time frame, exploiting both the Drupal and PHPUnit vulnerabilities.

The attacks manifested as HTTP requests to /node/* endpoints with the following JSON post body:

Additionally, Imperva Threat Research observed the group attempting to use a WS02 vulnerability (CVE-2022-29464) to deploy and interact with JSP webshells. Most notably we observed the group attempting to interact with these webshells to deploy XMRig cryptominer malware, using one of the documented URLs from CISA’s disclosure.

The team observed GET requests to the following URL:

In our ongoing commitment to cybersecurity, we have implemented robust measures to safeguard against a wide array of vulnerabilities identified in the recent FBI security warning and this blog. However, we continue to advocate for regular application patching and updates as a best practice in cybersecurity.

The post Imperva uncovers new Indicators of Compromise for FBI and CISA-flagged AndroxGh0st botnet appeared first on Blog.