Cyble researchers have identified new Linux malware that combines Mirai-derived DDoS botnet capabilities with a stealthy fileless cryptominer, enabling both network disruption and financial profit in the same threat campaign.
“This campaign represents a sophisticated and financially motivated operation combining botnet propagation with stealthy cryptomining,” Cyble threat intelligence researchers wrote in a blog
post today.
Stealthy techniques and processes allow the new Mirai variant to conduct its mischief in secret.
“The attacker employs multiple advanced techniques—including raw-socket scanning, masqueraded processes, internal localhost IPC, dynamic DNS resolution, and fileless miner configuration—to evade detection and maintain long-term persistence on compromised devices,” the researchers said.
Linux Malware Combines Mirai Botnet with XMRig Cryptominer
Combining Mirai-based
DDoS botnet capabilities with XMRig-based cryptomining capabilities reflects a
growing trend of “hybrid monetization strategies, where threat actors maximize ROI by leveraging infected devices not only for botnet attacks but also for illicit cryptocurrency mining,” the researchers wrote.
Organizations operating Linux servers, cloud workloads, or exposed IoT devices “should prioritize hardening and continuous monitoring to mitigate their
risk,” they said.
The
malware uses a multi-stage infection chain that begins with a downloader delivering architecture-specific V3G4/Mirai binaries across x86_64, ARM, and MIPS systems.
The second stage, Mddos.x86_64, is a statically linked and UPX-packed Executable and Linkable Format (ELF) file with stripped symbols, “making static inspection more complicated,” Cyble said.
After executing and gathering system information, the Linux
malware moves into stealth mode, renaming its process to appear as a system daemon (systemd-logind), detaching from the terminal, and launching parallel worker threads for attack operations, command and control (C2) communication, and inter-process communication (IPC) coordination.
“A key characteristic of this
botnet variant is its use of raw TCP sockets, allowing precise crafting of SYN packets for high-velocity SSH scanning campaigns,” the researchers said.
At the same time, worker threads resolve the C2 domain (baojunwakuang[.]asia) via repeated queries to Google Public DNS (8.8.8.8) to maintain command channels.
“This multi-threaded DNS resolution strategy is typical of Mirai-style bots, allowing the malware to maintain connectivity and receive commands while executing attacks in parallel,” the researchers wrote.
Fileless Cryptominer
In the third stage, the malware deploys a covert Monero
cryptominer by downloading a UPX-packed XMRig binary from the IP 159.75.47[.]123 and stores it in /tmp/.dbus-daemon to masquerade as a legitimate process.
Instead of a local configuration file, the miner obtains its configuration dynamically from the C2 server, “enabling real-time updates to wallet addresses, mining pools, and algorithms while leaving no on-disk artifacts” and hindering forensic analysis.
“Unlike typical miner deployments that embed a static configuration file on disk ... this sample requests runtime configuration
data directly from the C2 server,” the Cyble researchers said.
That technique allows the threat actors to avoid exposing wallet addresses, pool endpoints and algorithms during static analysis while dynamically rotating mining parameters and preventing visibility of miner settings on the infected host.
During execution, the miner connects to the C2 server to make a configuration request, and the server responds with a JSON blob containing the pool URL, wallet address, algorithm, and thread count.
The full Cyble blog includes recommendations for defenders, MITRE ATT&CK techniques, and indicators of compromise (IoCs).
Login
