New Linuxsys Cryptominer Campaign Exploits Apache HTTP Server & Other Critical Flaws
Researchers at VulnCheck have uncovered a new malicious campaign exploiting the CVE-2021-41773 vulnerability in Apache HTTP Server version 2.4.49. This flaw enables remote code execution by bypassing path traversal protections, allowing attackers to access unauthorized files. The primary objective of these attacks is to deploy a Linux-based cryptominer known as Linuxsys.
The malware spreads via compromised legitimate websites that serve a shell script, which in turn downloads the miner from five distinct sources. The use of valid SSL certificates on these hosts hinders detection, while the distributed nature of the delivery infrastructure further obscures the threat’s origin. A secondary script, cron.sh, ensures persistence by reactivating the miner upon system reboot. Additionally, researchers have discovered Windows executable files, suggesting the campaign may also target Microsoft’s operating system.
Previously, this same miner was disseminated via the CVE-2024-36401 vulnerability in GeoTools, a component of OSGeo GeoServer. That campaign also relied on similar distribution tactics and featured Sudanese-language comments embedded in its code. Comparable scripts have been observed online since December 2021.
The following vulnerabilities have also been identified as part of the attackers’ arsenal:
- CVE-2023-22527 — Atlassian Confluence
- CVE-2023-34960 — Chamilo LMS
- CVE-2023-38646 — Metabase
- CVE-2024-0012 and CVE-2024-9474 — Palo Alto Networks
This campaign is marked by its focus on well-known vulnerabilities, strategic avoidance of low-engagement traps, and extensive use of compromised sites to discreetly distribute malware.
Concurrently, Fortinet experts have reported a surge in activity from the H2Miner botnet, which is propagating the Kinsing trojan. This malware disables antivirus processes and installs XMRig, a popular Monero cryptominer. Infected systems are also seeded with the Lcrypt0rx ransomware, written in VBScript, which disables critical Windows tools, deactivates security software, and attempts to destroy the Master Boot Record (MBR). However, it does not store encryption keys and uses a rudimentary XOR algorithm, making data recovery feasible without paying a ransom.
Lcrypt0rx further downloads additional malicious payloads including Cobalt Strike, ScreenConnect, DCRat, and credential stealers. Its behavior suggests it functions more as a psychological weapon than a true ransomware threat. Fortinet believes this may be a deliberate diversionary tactic to shift focus away from the campaign’s core goal: cryptomining.
The observed parallels between the Linuxsys and H2Miner campaigns underscore the growing commercialization of cybercrime. The widespread availability of off-the-shelf tools and AI-powered automation is lowering the technical barrier to entry, enabling large-scale attacks even by low-skilled actors. Such campaigns pose an especially severe threat to cloud infrastructures, amplifying both operational costs and business risks.
