FBI warns criminals are building a dangerous new botnet — and it's after your Microsoft or AWS logins and more

News
By
published

Hackers are using Androxgh0st to steal credentials and mount spam campaigns

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

Hackers are building a dangerous new botnet and are going after Microsoft and AWS assets in the process, a new security advisory released by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) has warned.

According to the advisory, researchers have spotted threat actors using the Androxgh0st malware to compromise computers and servers. 

They were seen scanning endpoints for three remote code execution vulnerabilities: CVE-2017-9841, CVE-2021-41773, and CVE-2018-15133. By leveraging these flaws, the attackers would use Androxgh0st to grab .env files that contain sensitive data, including (among others) login credentials for AWS and MIcrosoft assets.

Reader Offer: Save up to 68% on Aura identity theft protection

Reader Offer: Save up to 68% on Aura identity theft protection
TechRadar editors praise Aura's upfront pricing and simplicity. Aura also includes a password manager, VPN, and antivirus to make its security solution an even more compelling deal. Save up to 50% today. 

 Preferred partner (What does this mean?) 

View Deal

Mitigating the threat

Androxgh0st is capable of more than “just” compromising vulnerable devices and stealing login credentials. It can also abuse the Simple Mail Protocol (SMTP) and check to see the sending limit for the email accounts found on the breached computers. If the limit is satisfactory, the malware can be used to mount phishing and spam campaigns. 

Furthermore, hackers can use the access to Microsoft and AWS assets to create fake pages on compromised websites, which further grants them backdoor access to databases with sensitive information. 

To remain secure, the FBI and CISA say, organizations should make sure their operating systems, software, and firmware are all updated. Making sure their Apache servers aren't running versions 2.4.49 or 2.4.50 was stressed as pivotal. Furthermore, they should make sure the default configuration for all URIs is to deny all requests, unless there’s a specific need for it to be accessible. Also, Laravel applications should not be in debug or testing mode, and cloud credentials should not be present in .env files.

The full list of the recommendations can be found on this BleepingComputer link

CVE-2018-15133, described as Laravel deserialization of untrusted data vulnerability, was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog as being actively exploited. 

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
ID theft
New Androxgh0st botnet targets vulnerabilities in IoT devices and web applications via Mozi integration
data recovery
Ghost ransomware has hit firms in over 70 countries, FBI and CISA warn
A person at a laptop with a cybersecure lock symbol floating above it.
Hackers are still using old Ivanti bugs to break into networks
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Cisco, ASUS, QNAP, and Synology devices hijacked to major botnet
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
Microsoft Teams and other Windows tools hijacked to hack corporate networks
Data leak
AWS customers hit by major cyberattack which then stored stolen credentials in plain sight
Latest in Security
A graphic showing fleet tracking locations over a city.
Lost & Found tracking site hit by major data breach - over 800,000 could be affected
US President Donald Trump speaks to the press as he signs an executive order to create a US sovereign wealth fund, in the Oval Office of the White House on February 3, 2025, in Washington, DC.
US set to pause cyber-offensive operations against Russia - but CISA says it won't stop
Web DDoS attacks see major surge as AI allows more powerful attacks
Polish space agency says it was hit by a cyberattack
Illustration of a hooked email hovering over a mobile phone
AWS misconfigurations reportedly used to launch phishing attacks
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
Microsoft Teams and other Windows tools hijacked to hack corporate networks
Latest in News
Google Gemini iPhone Lock Screen
You can now access Gemini from your iPhone's lock screen
Michelle, Keats, and Doctor Amherst looking unimpressed and worried in The Electric State
Netflix drops trailer for The Electric State, and I'm getting serious District 9 vibes
YouTube TV
YouTube TV might be planning a big Netflix update that puts the best streaming services first
Google Pixel 9 Pro
Here are the 7 best Pixel 9 and Pixel Watch 3 features landing in March’s Pixel Feature Drop
Bang & Olufsen Beogram 4000C Saint Laurent Rive Droite Edition
Bang & Olufsen's latest reworked turntable is a masterpiece of retro revival, in a breathtaking wooden presentation box
Apple Watch Series 10
Apple unveils new Apple Watch bands – here's what's in the Spring 2025 collection
More about security
A graphic showing fleet tracking locations over a city.

Lost & Found tracking site hit by major data breach - over 800,000 could be affected
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.

Microsoft Teams and other Windows tools hijacked to hack corporate networks
A shot showing the flags of New Zealand and South Africa

New Zealand vs South Africa live stream: How to watch ICC Champions Trophy semi-final online (available for free)
See more latest
Most Popular
A business woman looking at AI on a transparent screen
Businesses are facing an "AI Divide" - which could be the difference between success and failure
Google Gemini iPhone Lock Screen
You can now access Gemini from your iPhone's lock screen
Apple Vision Pro with Dassault Systèmes 3DEXPERIENCE platform
Dassault Systèmes teams up with Apple to use Vision Pro headsets to bring spatial CAD to life
Samsung 18.1-inch foldable OLED monitor
Samsung has launched a flexible portable monitor complete with a briefcase, one that seems to come straight from a James Bond movie
GenMachine Zhi mini pc
This is the smallest AMD PC I've ever seen: mysterious manufacturer uses Ryzen 3 APU with surprising results
Beelink ME Mini
One of our favorite mini PC vendors has launched a NAS that looks a bit like Apple's PowerMac G4 Cube PC - but way smaller
Michelle, Keats, and Doctor Amherst looking unimpressed and worried in The Electric State
Netflix drops trailer for The Electric State, and I'm getting serious District 9 vibes
YouTube TV
YouTube TV might be planning a big Netflix update that puts the best streaming services first
Maserati MC20 Autonomous
This AI-driven Maserati just hit 197.7mph without a human behind the wheel
AI data center
Is Microsoft hesitating on AI? Days after CEO said it would be upping capacity, analyst claims tech giant has actually cancelled data center leases