New Stealthy Linux Malware Merges Mirai-based DDoS Botnet with Fileless Cryptominer

Cybersecurity researchers uncover a sophisticated Linux campaign that blends legacy botnet capabilities with modern evasion techniques.

A newly discovered Linux malware campaign is demonstrating the evolving sophistication of threat actors by combining Mirai-derived distributed denial-of-service (DDoS) functionality with a stealthy, fileless cryptocurrency mining operation.

According to research from Cyble Research & Intelligence Labs (CRIL), the multi-stage attack targets x86_64, ARM, and MIPS architectures while employing advanced evasion techniques including process masquerading, raw socket scanning, and dynamic runtime configuration.

The campaign, which CRIL analysts have been tracking, represents a hybrid monetization strategy increasingly favored by modern threat actors.

Rather than relying solely on DDoS attacks or cryptomining, the operators maximize returns by leveraging compromised systems for both purposes simultaneously.

This approach reflects the broader trend of Mirai-lineage threats adapting to cloud and Internet-exposed Linux environments, where computational resources can be exploited for financial gain.

Multi-Stage Infection Chain

The attack begins with a compact shell script dubbed the “Universal Bot Downloader,” which automatically identifies the target system’s CPU architecture using the uname -m command.

Based on this reconnaissance, the script downloads an architecture-specific binary from the attacker-controlled server at 103.149.93[.]224.

Open directory on the attacker's HTTP server.

The payload is written to the /tmp directory, given executable permissions and launched immediately, a tactic standard among IoT and cloud-targeting botnets seeking rapid deployment across diverse environments.

The second-stage payload, named Mddos.x86_64, is a statically linked, UPX-packed ELF binary with stripped symbols, which complicates static analysis.

Upon execution, the malware gathers kernel and architecture details, checks process limits to determine operational aggressiveness, and registers the victim machine with its command-and-control infrastructure.

A signature banner reading “xXxSlicexXxxVEGA” is printed to STDOUT, matching behavioral patterns of the V3G4 Mirai variant previously documented by Unit42 in 2023.

Once initialized, the malware shifts into stealth mode by masquerading as the legitimate systemd-logind system daemon.

Using the prctl(2) system call, the process attempts to rewrite the command line shown in /proc/self/cmdline. On Linux that rewrite (prctl(PR_SET_MM, ...)) requires CAP_SYS_RESOURCE and fails for an unprivileged process, whereas the short name in /proc/self/comm (prctl(PR_SET_NAME)) can be changed by any process. Either way, /proc/<pid>/exe still resolves to the real binary on disk, which is the field a responder should compare against the claimed name.

The malware detaches from any controlling terminal using setsid(2) and closes standard input/output streams, running silently in the background without user visibility.

The botnet spawns multiple worker threads responsible for attack operations, watchdog supervision, and C2 communication.

Notably, it establishes a TCP listener on 127.0.0.1:63841 that serves as an internal inter-process communication channel between its threads.

Because loopback TCP traffic is common among legitimate daemons, this blends in better than unusual pipes or shared-memory segments that endpoint monitoring might flag. It also leaves a concrete artifact to hunt for: the listening socket shows up in ss -ltnp and in /proc/net/tcp (state 0A, local address 0100007F:F961 on x86), owned by a process whose name claims to be systemd-logind.
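The masquerade and the loopback listener both leave artifacts a responder can check for. The following Python is an added example, not code from the CRIL analysis or from the malware: it compares each process's claimed name (comm and cmdline) with the binary that /proc/<pid>/exe actually resolves to, flags executables running from /tmp-style directories, and decodes /proc/net/tcp to find a LISTEN socket on 127.0.0.1:63841. The expected daemon paths, the Proc record, and the sample process and socket tables are constructed for the example.

```python
"""Triage checks for a process masquerading as systemd-logind and for the loopback IPC listener."""
import os
import socket
import struct
from dataclasses import dataclass

# Where the genuine daemons live on common distributions (assumption: adjust for yours).
EXPECTED_EXE = {
    "systemd-logind": ("/usr/lib/systemd/systemd-logind", "/lib/systemd/systemd-logind"),
    "dbus-daemon": ("/usr/bin/dbus-daemon",),
}
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
IPC_PORT = 63841          # loopback listener reported for the sample
TCP_LISTEN = "0A"         # socket state code used in /proc/net/tcp


@dataclass
class Proc:
    pid: int
    comm: str      # /proc/<pid>/comm, the name prctl(PR_SET_NAME) can change
    cmdline: str   # /proc/<pid>/cmdline with NULs replaced by spaces
    exe: str       # readlink(/proc/<pid>/exe): the binary actually mapped


def suspicious_procs(procs):
    """Return (pid, reason) for processes whose claimed identity does not match their binary."""
    hits = []
    for p in procs:
        claimed = {p.comm, (os.path.basename(p.cmdline.split(" ")[0]) if p.cmdline else "")}
        for name in claimed:
            if name in EXPECTED_EXE and not p.exe.startswith(EXPECTED_EXE[name]):
                hits.append((p.pid, f"claims to be {name} but exe is {p.exe}"))
                break
        else:
            if p.exe.startswith(SUSPECT_DIRS) or p.exe.endswith(" (deleted)"):
                hits.append((p.pid, f"executable is {p.exe}"))
    return hits


def parse_proc_net_tcp(text):
    """Yield (local_ip, local_port, state, inode) for each row of /proc/net/tcp."""
    for line in text.splitlines()[1:]:           # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        addr_hex, port_hex = fields[1].split(":")
        # The address is the kernel's native-endian 32-bit value printed in hex,
        # so "0100007F" is 127.0.0.1 on x86; "=I" reproduces that byte order.
        ip = socket.inet_ntoa(struct.pack("=I", int(addr_hex, 16)))
        yield ip, int(port_hex, 16), fields[3], int(fields[9])


def loopback_listeners(text, port=IPC_PORT):
    """Socket inodes listening on 127.0.0.0/8 at `port`; map them to a PID via /proc/<pid>/fd."""
    return [inode for ip, p, state, inode in parse_proc_net_tcp(text)
            if state == TCP_LISTEN and ip.startswith("127.") and p == port]


def snapshot_procs():
    """Read the live process table (Linux only); entries we may not inspect are skipped."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{pid}/"
        try:
            with open(base + "comm") as f:
                comm = f.read().strip()
            with open(base + "cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            exe = os.readlink(base + "exe")
        except OSError:
            continue
        procs.append(Proc(int(pid), comm, cmdline, exe))
    return procs


# Constructed sample data: a clean logind, the bot renamed to systemd-logind but running
# from /tmp, the miner parked at /tmp/.dbus-daemon, and a socket table with the listener.
SAMPLE_PROCS = [
    Proc(1, "systemd", "/sbin/init", "/usr/lib/systemd/systemd"),
    Proc(812, "systemd-logind", "/usr/lib/systemd/systemd-logind", "/usr/lib/systemd/systemd-logind"),
    Proc(4213, "systemd-logind", "systemd-logind", "/tmp/Mddos.x86_64"),
    Proc(4290, "dbus-daemon", "/tmp/.dbus-daemon", "/tmp/.dbus-daemon"),
]
SAMPLE_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:F961 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 98765 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    procs = snapshot_procs() if os.path.isdir("/proc/self") else SAMPLE_PROCS
    for pid, why in suspicious_procs(procs):
        print(f"[proc] pid {pid}: {why}")
    try:
        with open("/proc/net/tcp") as f:
            table = f.read()
    except OSError:
        table = SAMPLE_NET_TCP
    for inode in loopback_listeners(table):
        print(f"[net] LISTEN on 127.0.0.1:{IPC_PORT}, socket inode {inode}")
```

Run as root on a live host it walks the real /proc; elsewhere it falls back to the constructed sample. The exe comparison is the robust half of the check: a renamed process can change what comm and cmdline say, but not what /proc/<pid>/exe links to.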

Raw Socket Scanning and C2 Communication

A key characteristic of this variant is its use of raw TCP sockets for high-speed SSH scanning across the internet. Opening a raw socket requires CAP_NET_RAW, so this stage presumes the malware runs as root or with that capability.

The malware sprays SYN packets to port 22 across large numbers of target addresses, building the IPv4 and TCP headers itself rather than calling connect(2). Because the kernel's TCP stack never treats these half-open probes as connections, they do not appear in the host's connection table (ss/netstat); the scan is best observed on the wire, or by listing the raw socket the process holds (ss -wp). Hosts that answer are the likely targets of the subsequent brute-force attempts.

This behavior closely matches Mirai-derived botnet families known for internet-wide SSH scanning operations.
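To make the raw-socket behaviour concrete, here is an added Python example (not the botnet's code and not from the CRIL report) that assembles IPv4/TCP SYN headers the way a raw-socket scanner does, including both checksums, then parses such packets back and picks out sources that send bare SYNs to port 22 at many distinct destinations, which is the fan-out signature a network sensor would key on. The sample traffic uses TEST-NET addresses and is constructed inside the block; nothing is sent on the network, and the fan-out threshold is an assumption to tune for your environment.

```python
"""Build, parse and detect a raw-socket SSH SYN spray (sample traffic is constructed, nothing is sent)."""
import socket
import struct
from collections import defaultdict

SYN, ACK = 0x02, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, as used by IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_syn(src: str, dst: str, sport: int, dport: int, seq: int = 0) -> bytes:
    """Assemble a 40-byte IPv4+TCP SYN by hand, as a raw-socket scanner must (bytes only)."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, socket.IPPROTO_TCP, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]          # header checksum at offset 10
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, SYN, 65535, 0, 0)
    pseudo = s + d + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))   # TCP pseudo-header
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]  # TCP checksum at 16
    return ip + tcp


def parse_packet(pkt: bytes):
    """Return (src, dst, dport, tcp_flags) for a well-formed IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != socket.IPPROTO_TCP or checksum(pkt[:ihl]) != 0:      # a valid header sums to zero
        return None
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        return None
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    if checksum(pseudo + tcp) != 0:
        return None
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    dport = struct.unpack("!H", tcp[2:4])[0]
    return src, dst, dport, tcp[13]


def syn_scanners(packets, port=22, min_targets=10):
    """Map each source sending bare SYNs to `port` at >= min_targets distinct hosts to its fan-out.

    A scanner's signature is breadth, not volume: one SYN each to many addresses. The threshold
    is an assumption; legitimate hosts rarely open port 22 on dozens of peers in a short window.
    """
    targets = defaultdict(set)
    for pkt in packets:
        parsed = parse_packet(pkt)
        if parsed is None:
            continue
        src, dst, dport, flags = parsed
        if dport == port and flags & SYN and not flags & ACK:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


# Constructed sample: 192.0.2.10 sprays SYNs to port 22 across 200 addresses in 203.0.113.0/24
# (TEST-NET ranges), while 192.0.2.20 makes a single connection attempt.
SAMPLE = [build_syn("192.0.2.10", f"203.0.113.{i}", 40000 + i, 22, seq=i) for i in range(1, 201)]
SAMPLE.append(build_syn("192.0.2.20", "203.0.113.5", 51000, 22))

if __name__ == "__main__":
    for src, fanout in syn_scanners(SAMPLE).items():
        print(f"{src}: bare SYNs to port 22 at {fanout} distinct hosts")
```

The same parse-and-count logic applies to packets pulled from a pcap or a span port; the header layout and checksum rules are exactly what the malware has to reproduce when it bypasses the kernel's TCP stack.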

Simultaneously, the malware creates standard TCP sockets with keepalive options for persistent C2 connections.

Multiple worker threads repeatedly resolve the C2 domain www.baojunwakuang[.]asia by querying Google Public DNS (8.8.8.8) directly; at the time of analysis the name resolved to 159.75.47[.]123.

Resolving in parallel from several threads keeps the command channel alive while attacks run, a hallmark of Mirai-style botnets. Because the queries go straight to 8.8.8.8 rather than through the host's configured resolver, they bypass internal DNS logging; that is itself a detection opportunity, since outbound port 53 traffic to external resolvers from servers that should only use internal DNS is easy to alert on at the egress firewall.

DNS query.

The third stage deploys a concealed XMRig-based Monero miner through sophisticated stealth techniques. The loader fetches a UPX-packed XMRig binary from the C2 server and stores it in /tmp/.dbus-daemon to blend with legitimate system processes.

Unlike typical deployments that embed a static configuration file, this miner receives its configuration dynamically at runtime, a fileless approach that leaves no configuration on disk and hinders forensic analysis.

During execution, the miner connects back to the C2 server and requests configuration data, receiving a JSON blob containing pool URLs, wallet addresses, algorithm specifications, and thread counts.

Extracted cryptominer configuration.

This technique lets operators rotate mining parameters without exposing pool or wallet information to static analysis of the binary, making detection and attribution harder. The configuration does, however, have to exist in the miner's memory while it runs, so a dump of the process (or the JSON as it arrives over the C2 connection) still yields the pools and wallets.
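Because the miner's configuration never touches disk, the place to recover it is the running process. The added Python below (example code, not the loader's or XMRig's) carves JSON objects containing a "pools" key out of a memory blob and extracts the pool URLs, wallet strings, algorithm and thread hint. It assumes the delivered JSON follows XMRig's documented config.json layout (pools[].url/user/algo, cpu.max-threads-hint); the memory excerpt, pool host and wallet are constructed placeholders, not indicators from this campaign, and read_heap is a helper for use on a live host.

```python
"""Carve a runtime-delivered XMRig-style configuration out of process memory."""
import json
import re


def carve_json_objects(blob: bytes, must_have=("pools",)):
    """Yield (offset, obj) for every JSON object in `blob` containing all keys in `must_have`.

    Memory is scanned as latin-1 text so byte offsets and string offsets coincide. For each
    '"pools":' occurrence we walk back over candidate '{' positions until one parses as a
    complete object carrying the required keys (a nested object parses but fails that test).
    """
    text = blob.decode("latin-1")
    decoder = json.JSONDecoder()
    for m in re.finditer(r'"pools"\s*:', text):
        start = m.start()
        while (start := text.rfind("{", 0, start)) != -1:
            try:
                obj, _end = decoder.raw_decode(text, start)
            except ValueError:
                continue
            if isinstance(obj, dict) and all(k in obj for k in must_have):
                yield start, obj
                break


def mining_indicators(cfg: dict) -> dict:
    """Extract the pivot-worthy fields, assuming XMRig's config.json key layout."""
    pools = [p for p in cfg.get("pools") or [] if isinstance(p, dict)]
    return {
        "pools": [p.get("url") for p in pools],
        "wallets": sorted({p["user"] for p in pools if p.get("user")}),
        "algos": sorted({p["algo"] for p in pools if p.get("algo")}),
        "threads": (cfg.get("cpu") or {}).get("max-threads-hint"),
    }


def read_heap(pid: int) -> bytes:
    """Read the [heap] mapping of a live process; needs ptrace rights over it (typically root).

    A first cut only: a miner may keep the config in an anonymous mmap region instead, so
    widen to every readable rw-p mapping in /proc/<pid>/maps if this comes back empty.
    """
    with open(f"/proc/{pid}/maps") as maps:
        for line in maps:
            if line.rstrip().endswith("[heap]"):
                lo, hi = (int(x, 16) for x in line.split()[0].split("-"))
                with open(f"/proc/{pid}/mem", "rb") as mem:
                    mem.seek(lo)
                    return mem.read(hi - lo)
    return b""


# Constructed heap excerpt: binary noise around the JSON a miner would hold after fetching it.
# The pool host and wallet are placeholders, not indicators from this campaign.
FAKE_WALLET = "4" + "A" * 94        # shaped like a 95-character Monero primary address
SAMPLE_MEM = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16 + b"{not json" + b"\xff" * 8
    + json.dumps({
        "autosave": True,
        "cpu": {"enabled": True, "max-threads-hint": 50},
        "pools": [{"url": "pool.example.invalid:3333", "user": FAKE_WALLET,
                   "pass": "x", "algo": "rx/0", "tls": False}],
    }).encode()
    + b"\x00" * 8 + b"\x90" * 16
)

if __name__ == "__main__":
    import sys
    blob = read_heap(int(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_MEM
    for offset, cfg in carve_json_objects(blob):
        print(f"config at offset {offset:#x}: {mining_indicators(cfg)}")
```

Pass a PID to scan a live process (python3 carve.py <pid> as root); with no argument it runs over the constructed sample. The carver deliberately tolerates the "{" of the nested cpu object appearing before the pools key, since it keeps walking back until the enclosing object parses.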

This campaign exemplifies the convergence of traditional botnet capabilities with modern cryptocurrency mining operations.

The blending of DDoS functionality with XMRig-based mining reflects threat actors’ focus on maximizing return on investment from compromised devices.

Organizations operating Linux servers, cloud workloads, or exposed IoT devices face heightened risk from such hybrid threats that can simultaneously disrupt services and consume computational resources.
