Connect with us

Hi, what are you looking for?


Incident Response

US Gov Issues Warning for Androxgh0st Malware Attacks

A joint advisory from CISA and the FBI warns about Androxgh0st malware attacks ensnaring devices in a botnet.

The US cybersecurity agency CISA and the FBI have issued a joint advisory warning about the Androxgh0st malware creating a botnet to identify and target vulnerable networks.

Written in Python, the agencies said the malware primarily targets .env files containing sensitive information, including credentials for AWS, Microsoft Office 365, SendGrid, and Twilio.

The threat can also abuse the Simple Mail Transfer Protocol (SMTP) for scanning, exploitation of stolen credentials and APIs, and web shell deployment, CISA and the FBI note.

According to the advisory, cybercriminals behind the Androxgh0st operation were also observed using scripts to scan for websites plagued by specific vulnerabilities, including CVE-2017-9841, a PHPUnit bug leading to PHP code execution via HTTP POST requests. The attacks target websites that have the /vendor folders exposed to the internet.

“Malicious actors likely use Androxgh0st to download malicious files to the system hosting the website. Threat actors are further able to set up a fake (illegitimate) page accessible via the URI to provide backdoor access to the website. This allows threat actors to download additional malicious files for their operations and access databases,” according to the CISA/FBI alert .

The advisory said the Androxgh0st botnet scans for websites using the Laravel framework, looking for exposed root-level .env files that contain credentials for additional services. The malware operators then issue requests to retrieve the sensitive information stored in those files.

“Androxgh0st malware can also access the application key for the Laravel application on the website. If the threat actors successfully identify the Laravel application key, they will attempt exploitation by using the key to encrypt PHP code.”

As part of this activity, the threat actors exploit CVE-2018-15133, a deserialization of untrusted data that allows them to upload files to the vulnerable websites. CISA added the security defect to its Known Exploited Vulnerabilities catalog on Tuesday.

Advertisement. Scroll to continue reading.

The Androxgh0st operators also target CVE-2021-41773, a path traversal in Apache HTTP Server versions 2.4.49 and 2.4.50 leading to remote code execution.

“If threat actors obtain credentials for any services using the above methods, they may use these credentials to access sensitive data or use these services to conduct additional malicious operations.”

The agencies released indicators of compromise (IoCs) associated with the Androxgh0st malware operations, as well as recommended mitigations, urging organizations to apply them as soon as possible.

Related: CISA Urges Patching of Exploited SharePoint Vulnerability

Related: CISA Warns of Apache Superset Flaw Exploitation

Related: FXC Router, QNAP NVR Vulnerabilities Exploited in the Wild

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...