Statistics Report on Malware Targeting Linux SSH Servers in Q4 2025
AhnLab SEcurity intelligence Center (ASEC) utilizes a honeypot to respond to and classify brute-force and dictionary attacks targeting poorly managed Linux SSH servers. This post covers the status of the attack sources identified in the logs from the fourth quarter of 2025 and the statistics of attacks launched by these
GeoServer, Where Various CoinMiner Attacks Occur
AhnLab SEcurity intelligence Center (ASEC) previously covered the case of threat actors exploiting the GeoServer vulnerability to install CoinMiner and NetCat through the “CoinMiner Attacks Exploiting GeoServer Vulnerability” blog. [1] The threat actors have been continuously targeting vulnerable GeoServers to install CoinMiner. This post will cover the identified cases of
CoinMiner Malware Being Continuously Distributed via USB
In February 2025, AhnLab SEcurity intelligence Center (ASEC) confirmed in their report “Cases of CoinMiner Being Spread via USB” [1] that CoinMiner malware is being spread via USB in South Korea. In July 2025, Mandiant also released a report on the same attack series and categorized the malware being installed as
ViperSoftX Attackers Target Monero
AhnLab SEcurity intelligence Center (ASEC) has confirmed that the ViperSoftX attackers are installing coin miners to mine Monero cryptocurrency. ViperSoftX is a remote control malware that steals cryptocurrency wallet addresses. These attackers primarily distribute malware disguised as cracks or keygens for legitimate software, or as eBooks. In addition to ViperSoftX,
Case of ActiveMQ Vulnerability Exploitation to Install Sharpire (Kinsing)
AhnLab SEcurity intelligence Center (ASEC) has confirmed that the Kinsing threat actor is still distributing malware by exploiting known vulnerabilities. Since the disclosure of the CVE-2023-46604 vulnerability in ActiveMQ, the threat actor has been exploiting it to install malware on both Linux and Windows systems. [1] Aside from the well-known XMRig
Statistics Report of Malware Targeting Linux SSH Servers in Q3 2025
AhnLab SEcurity intelligence Center (ASEC) is using a honeypot to respond to and categorize brute-force and dictionary attacks that target poorly managed Linux SSH servers. This post covers the status of the attack sources identified in logs from the third quarter of 2025 and the statistics of attacks performed by
CoinMiner Attacks Exploiting GeoServer Vulnerability
AhnLab SEcurity intelligence Center (ASEC) has confirmed that the unpatched GeoServer is still under continuous attack. Threat actors are scanning for vulnerable GeoServer and installing CoinMiner. ASEC has also identified cases of infection in South Korea. 1. GeoServer Remote Code Execution Vulnerability (CVE-2024-36401) GeoServer is an open-source Geographic Information
Statistical Report on Malware Targeting Linux SSH Servers in Q2 2025
Overview AhnLab SEcurity intelligence Center (ASEC) conducts response and classification of brute force or dictionary attacks targeting poorly managed Linux SSH servers using honeypots. This report will cover the status of attack sources identified in the second quarter of 2025 based on logs, as well as statistics on attacks performed
Statistical Report on Malware Targeting Linux SSH Servers in Q1 2025
Overview AhnLab SEcurity intelligence Center (ASEC) conducts response and classification of brute force or dictionary attacks targeting poorly managed Linux SSH servers using honeypots. This report will cover the status of attack sources identified in the first quarter of 2025 based on logs, as well as statistics on attacks performed
CoinMiner Malware Distributed via USB
Overview AhnLab SEcurity intelligence Center (ASEC) has recently identified a case in which cryptocurrency-mining malware was being distributed via USB in South Korea. Lately, malware that mines cryptocurrencies by utilizing PC resources without user consent has been actively distributed as cryptocurrency prices surge. While cryptocurrency mining itself is not
