Androxgh0st Malware Targets Cloud Services - CISA Alert AA24-016A

The Red Report 2024

The Top 10 MITRE ATT&CK Techniques Used by Adversaries


On January 16, 2024, The Cybersecurity and Infrastructure Security Agency (CISA) released an advisory on Androxgh0st malware [1]. Androxgh0st malware targets .env files that contain confidential data for cloud services such as AWS, Office 365, SendGrid, and Twilio to establish a botnet. The malware also exploits known but critical vulnerabilities to abuse their target's web applications. 

In this blog, we explained the vulnerabilities used by Androxgh0st malware and how organizations can defend themselves against Androxgh0st malware attacks.

Androxgh0st Malware

Androxgh0st malware was first observed in late April 2022 and designed to extract confidential information from exposed Laravel .env files. Many cloud services such as AWS, Office 365, SendGrid, and Twilio use the Laravel .env files as a repository for environment variables, which are key-value pairs that store sensitive or configuration-specific information. Additionally, adversaries use the Androxgh0st malware for scanning, deploying webshells, and exploiting exposed credentials and APIs.

Androxgh0st malware often targets vulnerable web services and abuses known vulnerabilities like PHPUnit CVE-2017-9841, Laravel CVE-2018-15133, and Apache CVE-2021-41773 vulnerabilities.

PHPUnit CVE-2017-9841 Vulnerability

As an initial access vector, Androxgh0st threat actors abuse the PHPUnit CVE-2017-9841 vulnerability. This vulnerability allows adversaries to execute arbitrary commands in the target web service by sending malicious HTTP POST requests to the PHPUnit. 

curl --data "<?php <malicious_payload>;" http://localhost:8888/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

Example 1: PoC Exploit for PHPUnit CVE-2017-9841 RCE Vulnerability

After initial access, adversaries deploy the Androxgh0st malware to download additional malware and backdoors to the compromised network. Organizations are advised to patch their vulnerable PHPUnit modules as soon as possible.

Laravel Framework CVE-2018-15133 Vulnerability

As another initial access vector, adversaries utilize a botnet to scan for websites that use the Laravel web application framework and look for a publicly exposed root-level .env file. Since .env files are commonly used to store credentials and access tokens, adversaries aim to extract sensitive information from these files to access user's email and AWS accounts. 

Moreover, Androxgh0st threat actors abuse the Laravel CVE-2018-15133 vulnerability for remote code execution. The vulnerability allows adversaries to execute arbitrary commands remotely using XSRF token values. Adversaries exploit this vulnerability by encrypting their malicious PHP payload with the Laravel application key and crafting an HTTP GET request with the payload as an XSRF token cookie.

Organizations are advised to ensure their live Laravel applications are not in debug or testing mode. Also, all cloud credentials should be removed from .env files and revoked.

Apache CVE-2021-41773 Vulnerability

Androxgh0st threat actors are also observed to scan for web servers running Apache versions 2.4.49 or 2.4.50. These two versions are vulnerable to the CVE-2021-41773 path traversal vulnerability, and adversaries use this vulnerability to obtain credentials and execute code remotely. 


Example 2: PoC Exploit for Apache CVE-2021-41773 RCE Vulnerability

Organizations are advised to patch their vulnerable Apache servers as soon as possible. For more detailed information, you can check our blog post on Apache CVE-2021-41773 vulnerability.

How Picus Helps Simulate Androxgh0st Malware Attacks?

We also strongly suggest simulating Androxgh0st malware attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against hundreds of other malware variants, such as AveMaria, DarkGate, and PikaBot, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Androxgh0st malware

Threat ID

Threat Name

Attack Module


AndroxGh0st Hacking Tool Download Threat

Network Infiltration


AndroxGh0st Hacking Tool Email Threat

Email Infiltration (Phishing)

Androxgh0st threat actors also use other tools and vulnerabilities in their attack campaigns.  Picus Threat Library includes the following threats for other tools and vulnerabilities used by Androxgh0st threat actors:

Threat ID

Threat Name

Attack Module


PHPUnit Web Attack Campaign

Web Application


Apache Http Server Web Attack Campaign

Web Application


XMRig Cryptocurrency Miner Download Threat

Network Infiltration


XMRig Cryptocurrency Miner Email Threat

Email Infiltration (Phishing)

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Androxgh0st malware and other malware attacks in preventive security controls. Currently, Picus Labs validated the following signatures for Androxgh0st malware:

Security Control

Signature ID

Signature Name

Cisco FirePower



Forcepoint NGFW



Forcepoint NGFW



Fortigate AV



Fortigate AV



Palo Alto



Palo Alto





FILE-EXECUTABLE Win.Trojan.CoinMiner attempted download

Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trialof the Picus Complete Security Validation Platform.


[1] "Known Indicators of Compromise Associated with Androxgh0st Malware," Cybersecurity and Infrastructure Security Agency CISA. Available: [Accessed: Jan. 17, 2024]