Security
Cyble uncovers sophisticated Linux malware combining Mirai-based DDoS with a fileless cryptominer
2025-12-15
Cyble Research & Intelligence Labs (CRIL) has identified an active and sophisticated Linux-targeting campaign that merges Mirai-derived DDoS botnet capabilities with a stealthy, fileless XMRig-based cryptominer, representing a significant evolution in IoT and cloud-targeted threats.
The campaign, built on the V3G4 Mirai variant, uses a multi-stage infection chain to compromise Linux servers and IoT devices on x86_64, ARM, and MIPS, then keeps persistent access so that the same host can be used for denial-of-service attacks and cryptocurrency mining at the same time.
"This hybrid threat represents the ongoing evolution of Mirai-lineage botnets, where threat actors are increasingly blending traditional DDoS capabilities with covert cryptomining to maximize return on investment," said Daksh Nakra, Senior Manager of Research and Intelligence at Cyble. "The fileless configuration approach and advanced evasion techniques make detection and forensic analysis significantly more challenging."
Key Technical Findings
Multi-Stage Infection Chain
● Initial compromise via a "Universal Bot Downloader" that fingerprints the victim's CPU architecture and fetches the matching payload
● Deployment of architecture-specific V3G4 binaries (UPX-packed, stripped ELF files)
● Third-stage payload delivers concealed XMRig Monero miner with dynamic runtime configuration
Advanced Stealth Capabilities
● Masquerades as the legitimate systemd-logind daemon so that it blends in under ps, top, and similar process inspection tools
● Detaches from the controlling TTY and suppresses its output, so nothing is visible in the session it was launched from
● Uses a localhost TCP socket for IPC between its components, so this traffic never leaves the host and looks like ordinary local service communication
● Fileless miner configuration delivered at runtime, avoiding on-disk artifacts
Aggressive Network Behavior
● High-rate raw-socket TCP SYN scanning of port 22 to find SSH services to brute-force and spread to
● Multi-threaded DNS queries to Google DNS (8.8.8.8) for C2 domain resolution
● Persistent C2 communication to baojunwakuang[.]asia (159.75.47[.]123)
● Dual-purpose infrastructure supporting both botnet commands and miner configuration
Dual Monetization Strategy
The campaign exemplifies emerging hybrid monetization approaches where threat actors leverage compromised systems for multiple revenue streams:
DDoS Botnet Capabilities:
● Large-scale SSH scanning and brute-force attacks across the internet
● IP spoofing and raw socket manipulation for network disruption
● Behavioral patterns consistent with V3G4/Mirai forks previously documented by Palo Alto Networks Unit 42
Cryptocurrency Mining:
● XMRig-based Monero miner disguised as /tmp/.dbus-daemon
● Dynamic configuration fetching via TCP from C2 server
● JSON-based parameter delivery including wallet addresses, pool URLs, and algorithm settings
● Configuration can be changed in real time, and because it is only ever fetched at runtime, the binary on disk contains no wallet address or pool URL for analysts to extract statically
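A host-side check for the masquerading described in the stealth and mining findings above (a systemd-logind lookalike, a miner at /tmp/.dbus-daemon), written as an added example for this article and not code from Cyble or from the report: it compares what a process presents to an operator (its comm name and argv[0]) with the binary it actually runs, and flags daemon names executing from temp directories, hidden filenames, and binaries unlinked after launch. The expected install paths and the sample process records are constructed assumptions; adjust the paths for your distribution.

```python
#!/usr/bin/env python3
"""Hunt for processes posing as systemd-logind or dbus-daemon (added example)."""
import os
from dataclasses import dataclass

# Assumption: where the genuine daemons live on common distributions.
EXPECTED_EXE = {
    "systemd-logind": {"/usr/lib/systemd/systemd-logind", "/lib/systemd/systemd-logind"},
    "dbus-daemon": {"/usr/bin/dbus-daemon"},
}
# No legitimate system daemon should execute from a world-writable temp location.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class Proc:
    pid: int
    comm: str      # /proc/<pid>/comm: the name ps and top show (settable via prctl)
    exe: str       # readlink(/proc/<pid>/exe); ends in " (deleted)" if unlinked
    cmdline: str   # /proc/<pid>/cmdline with NULs replaced by spaces


def check(p: Proc) -> list[str]:
    """Return the reasons this process looks like a masquerading daemon ([] if clean)."""
    if not p.exe:          # kernel thread or unreadable link: cannot judge, rerun as root
        return []
    findings = []
    exe_path = p.exe.removesuffix(" (deleted)")
    exe_name = os.path.basename(exe_path)
    argv0 = os.path.basename(p.cmdline.split(" ", 1)[0]) if p.cmdline else ""
    # Every name the process presents, with any leading hidden-file dot removed.
    presented = {n.lstrip(".") for n in (p.comm, argv0, exe_name) if n}

    for daemon, good_paths in EXPECTED_EXE.items():
        if daemon in presented and exe_path not in good_paths:
            findings.append(f"presents as {daemon} but executes {p.exe}")
    if exe_path.startswith(SUSPICIOUS_DIRS):
        findings.append(f"executable lives in a temp directory: {exe_path}")
    if exe_name.startswith("."):
        findings.append(f"hidden executable name: {exe_name}")
    if p.exe.endswith(" (deleted)"):
        findings.append("binary was unlinked from disk after launch")
    return findings


def hunt(procs: list[Proc]) -> dict[int, list[str]]:
    """Map pid -> findings for every process that tripped at least one check."""
    return {p.pid: f for p in procs if (f := check(p))}


def collect_procs() -> list[Proc]:
    """Read live records from /proc (Linux). Run as root to resolve every exe link."""
    procs = []
    for entry in (os.listdir("/proc") if os.path.isdir("/proc") else []):
        if not entry.isdigit():
            continue
        base = f"/proc/{entry}"
        try:
            with open(f"{base}/comm") as f:
                comm = f.read().strip()
            with open(f"{base}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:          # process exited while we were reading it
            continue
        try:
            exe = os.readlink(f"{base}/exe")
        except OSError:          # kernel thread, or another user's process without root
            exe = ""
        procs.append(Proc(int(entry), comm, exe, cmdline))
    return procs


# Constructed sample (not captured from a real incident): two genuine daemons and
# two impostors shaped like the report's description.
SAMPLE_PROCS = [
    Proc(700, "dbus-daemon", "/usr/bin/dbus-daemon", "/usr/bin/dbus-daemon --system"),
    Proc(812, "systemd-logind", "/usr/lib/systemd/systemd-logind", "/usr/lib/systemd/systemd-logind"),
    Proc(4321, "systemd-logind", "/tmp/.dbus-daemon", "systemd-logind"),
    Proc(4400, ".dbus-daemon", "/tmp/.dbus-daemon (deleted)", "/tmp/.dbus-daemon"),
]

if __name__ == "__main__":
    import sys
    procs = collect_procs() if "--live" in sys.argv else SAMPLE_PROCS
    for pid, reasons in sorted(hunt(procs).items()):
        print(f"pid {pid}:")
        for r in reasons:
            print(f"  - {r}")
```

Run with `--live` as root to scan the real process table; without it the constructed sample is scanned. The comm name is the weakest of the three signals because any process can set it with prctl(PR_SET_NAME), which is exactly why the check is anchored on the exe link rather than on the name.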
Target Environment
The campaign primarily targets:
● Cloud-based Linux workloads
● Exposed IoT devices across multiple architectures
● Unpatched servers running vulnerable services
● Systems with weak SSH credentials
The multi-architecture approach (x86_64, ARM, MIPS) enables broad compatibility across diverse Linux environments, from enterprise cloud infrastructure to consumer IoT devices.
Recommendations for Organizations
Cyble recommends immediate defensive measures for organizations operating Linux servers, cloud workloads, or IoT devices:
Immediate Actions:
● Harden external attack surfaces and patch known vulnerabilities
● Implement strong SSH authentication with multi-factor authentication
● Monitor for processes masquerading as system daemons
● Monitor for DNS queries sent directly to 8.8.8.8 (or any other external resolver) from hosts that are expected to use the internal resolver
● Watch for raw socket activity and high-volume SYN scanning on port 22
Long-Term Security:
● Implement runtime monitoring solutions for container and cloud environments
● Conduct proactive threat hunting using the IoCs above
● Regularly audit IoT devices for default credentials and exposed services
● Deploy honeypots to detect scanning and brute-force attempts
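Detection logic for the behaviour listed under Aggressive Network Behavior and the monitoring recommended above, written as an added example for this article rather than code from Cyble: it reads simplified Zeek-style conn.log records (ts, id.orig_h, id.resp_h, id.resp_p, proto, history) and raises a finding for a source with many distinct SYN-only probes to tcp/22 inside a short window, for DNS sent to a resolver outside the sanctioned set, and for any flow to the C2 address published in the report. The sanctioned resolver, the thresholds, the C2 port and the log lines are constructed assumptions; only 159.75.47.123 comes from the report.

```python
#!/usr/bin/env python3
"""Flag SSH SYN scanning, resolver bypass and C2 contact in conn.log records (added example)."""
from collections import Counter, defaultdict

INTERNAL_RESOLVERS = {"10.0.0.2"}   # assumption: the site's sanctioned DNS servers
C2_IPS = {"159.75.47.123"}          # IoC from the report (baojunwakuang[.]asia)
SCAN_MIN_TARGETS = 20               # distinct tcp/22 targets that make a source a scanner...
SCAN_WINDOW_S = 60.0                # ...when probed within this many seconds


def parse_conn(lines):
    """Yield (ts, orig_h, resp_h, resp_p, proto, history) from simplified conn.log lines."""
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig, resp, port, proto, hist = line.rstrip("\n").split("\t")
        yield float(ts), orig, resp, int(port), proto, hist


def peak_distinct_targets(probes):
    """Largest number of distinct targets hit within any SCAN_WINDOW_S span.

    probes: list of (ts, resp_h) for one source; sliding window over sorted timestamps.
    """
    probes = sorted(probes)
    in_window = Counter()
    peak = lo = 0
    for ts, resp in probes:
        in_window[resp] += 1
        while ts - probes[lo][0] > SCAN_WINDOW_S:   # drop probes that fell out of the window
            old = probes[lo][1]
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            lo += 1
        peak = max(peak, len(in_window))
    return peak


def detect(lines):
    """Return (kind, orig_h, detail) findings; one finding per host per behaviour."""
    findings, seen = [], set()
    syn_only = defaultdict(list)   # orig_h -> [(ts, resp_h)] for SYN-only probes to tcp/22
    for ts, orig, resp, port, proto, hist in parse_conn(lines):
        if resp in C2_IPS and ("c2", orig, resp) not in seen:
            seen.add(("c2", orig, resp))
            findings.append(("c2_contact", orig, f"{proto}/{port} flow to known C2 {resp}"))
        if port == 53 and resp not in INTERNAL_RESOLVERS and ("dns", orig, resp) not in seen:
            seen.add(("dns", orig, resp))
            findings.append(("dns_bypass", orig, f"DNS to unsanctioned resolver {resp}"))
        # history "S": the originator sent a SYN and nothing else happened on the flow,
        # the signature of a raw-socket scanner that never completes the handshake.
        if proto == "tcp" and port == 22 and hist == "S":
            syn_only[orig].append((ts, resp))
    for orig, probes in syn_only.items():
        peak = peak_distinct_targets(probes)
        if peak >= SCAN_MIN_TARGETS:
            findings.append(("syn_scan", orig,
                             f"{peak} distinct tcp/22 targets SYN-probed within {SCAN_WINDOW_S:.0f}s"))
    return findings


def _constructed_log():
    """Constructed sample, not a capture: one healthy host and one behaving like the bot."""
    lines = ["#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tproto\thistory",
             # 10.0.0.7: internal DNS, then an SSH session that completes its handshake.
             "1000.0\t10.0.0.7\t10.0.0.2\t53\tudp\tDd",
             "1001.0\t10.0.0.7\t10.0.0.30\t22\ttcp\tShADadFf"]
    # 10.0.0.5: 30 SYN-only probes to tcp/22 in 15 s, DNS to 8.8.8.8, then the C2 address
    # (the C2 port here is made up; the report does not give one).
    lines += [f"{2000 + i * 0.5}\t10.0.0.5\t203.0.113.{i + 1}\t22\ttcp\tS" for i in range(30)]
    lines += ["2020.0\t10.0.0.5\t8.8.8.8\t53\tudp\tDd",
              "2021.0\t10.0.0.5\t159.75.47.123\t8080\ttcp\tShADadFf"]
    return lines


CONSTRUCTED_LOG = _constructed_log()

if __name__ == "__main__":
    for kind, host, detail in detect(CONSTRUCTED_LOG):
        print(f"{kind:<12} {host:<12} {detail}")
```

Two caveats when running this against real data: the resolver rule only means something where policy routes every host through the internal resolver (plenty of legitimate appliances ship with 8.8.8.8 hard-coded), and the scan rule only sees the discovery phase. Once a bot has found a listener and starts guessing passwords, the flows complete their handshakes and show a full history, so the brute-force stage has to be caught in ssh.log or the target's auth logs instead.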