
New Stealthy Linux Malware Combines Mirai DDoS Botnet with Cryptominer


Cyble researchers have identified new Linux malware that combines Mirai-derived DDoS botnet capabilities with a stealthy fileless cryptominer, enabling both network disruption and financial profit in the same threat campaign. “This campaign represents a sophisticated and financially motivated operation combining botnet propagation with stealthy cryptomining,” Cyble threat intelligence researchers wrote in a blog post today. Stealthy techniques and processes allow the new Mirai variant to conduct its mischief in secret. “The attacker employs multiple advanced techniques—including raw-socket scanning, masqueraded processes, internal localhost IPC, dynamic DNS resolution, and fileless miner configuration—to evade detection and maintain long-term persistence on compromised devices,” the researchers said.

Linux Malware Combines Mirai Botnet with XMRig Cryptominer

Combining Mirai-based DDoS botnet capabilities with XMRig-based cryptomining capabilities reflects a growing trend of “hybrid monetization strategies, where threat actors maximize ROI by leveraging infected devices not only for botnet attacks but also for illicit cryptocurrency mining,” the researchers wrote. Organizations operating Linux servers, cloud workloads, or exposed IoT devices “should prioritize hardening and continuous monitoring to mitigate their risk,” they said.

The malware uses a multi-stage infection chain that begins with a downloader delivering architecture-specific V3G4/Mirai binaries across x86_64, ARM, and MIPS systems. The second stage, Mddos.x86_64, is a statically linked and UPX-packed Executable and Linkable Format (ELF) file with stripped symbols, “making static inspection more complicated,” Cyble said.

After executing and gathering system information, the Linux malware moves into stealth mode, renaming its process to appear as a system daemon (systemd-logind), detaching from the terminal, and launching parallel worker threads for attack operations, command and control (C2) communication, and inter-process communication (IPC) coordination.

“A key characteristic of this botnet variant is its use of raw TCP sockets, allowing precise crafting of SYN packets for high-velocity SSH scanning campaigns,” the researchers said.

At the same time, worker threads resolve the C2 domain (baojunwakuang[.]asia) via repeated queries to Google Public DNS (8.8.8.8) to maintain command channels. “This multi-threaded DNS resolution strategy is typical of Mirai-style bots, allowing the malware to maintain connectivity and receive commands while executing attacks in parallel,” the researchers wrote.

Fileless Cryptominer

In the third stage, the malware deploys a covert Monero cryptominer by downloading a UPX-packed XMRig binary from the IP 159.75.47[.]123 and stores it in /tmp/.dbus-daemon to masquerade as a legitimate process.

Instead of a local configuration file, the miner obtains its configuration dynamically from the C2 server, “enabling real-time updates to wallet addresses, mining pools, and algorithms while leaving no on-disk artifacts” and hindering forensic analysis. “Unlike typical miner deployments that embed a static configuration file on disk ... this sample requests runtime configuration data directly from the C2 server,” the Cyble researchers said.

That technique allows the threat actors to avoid exposing wallet addresses, pool endpoints and algorithms during static analysis while dynamically rotating mining parameters and preventing visibility of miner settings on the infected host. During execution, the miner connects to the C2 server to make a configuration request, and the server responds with a JSON blob containing the pool URL, wallet address, algorithm, and thread count.

The full Cyble blog includes recommendations for defenders, MITRE ATT&CK techniques, and indicators of compromise (IoCs).
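The indicators above (a process calling itself systemd-logind but running from /tmp, a hidden /tmp/.dbus-daemon binary, and sockets to 159.75.47[.]123) translate directly into host-level hunting rules. The script below is an added example written for this digest; it is not Cyble's code and not from the blog it summarizes. The only values taken from the write-up are the IP, the /tmp paths and the daemon names; the system-directory whitelist, the temp-directory list, the sample process records and the sample /proc/net/tcp rows (including port 80) are constructed assumptions for illustration. The rules operate on plain records so they can be run offline, and scan_live_host() fills those records from /proc on a real Linux host.

```python
"""Hunt for the process-masquerading and temp-dir miner indicators described above.

Added example, not Cyble's code. Detection rules take plain records so they can
be exercised offline on constructed samples; scan_live_host() reads /proc.
"""
import os
import socket
import struct
from dataclasses import dataclass

# Indicators quoted from the write-up above (defanging brackets removed so they match).
C2_IPS = {"159.75.47.123"}
KNOWN_BAD_PATHS = {"/tmp/.dbus-daemon"}
IMPERSONATED_DAEMONS = {"systemd-logind", "dbus-daemon"}
# Generic hunting heuristics; these directory lists are assumptions, not from the write-up.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
SYSTEM_BIN_DIRS = ("/usr/lib/", "/usr/libexec/", "/lib/", "/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")


@dataclass
class Proc:
    pid: int
    comm: str  # /proc/<pid>/comm, the name `ps` shows (kernel truncates to 15 chars)
    exe: str   # readlink of /proc/<pid>/exe, "" when unreadable (kernel thread, no privilege)


def process_findings(p: Proc) -> list[str]:
    """Return the reasons a process resembles the bot/miner above (empty list = clean)."""
    findings = []
    deleted = p.exe.endswith(" (deleted)")          # binary unlinked after launch
    exe = p.exe.removesuffix(" (deleted)")
    base = os.path.basename(exe)

    if exe in KNOWN_BAD_PATHS:
        findings.append(f"known miner path {exe}")
    if exe.startswith(TEMP_DIRS):
        findings.append(f"executable runs from temp dir: {exe}")
    if base.startswith("."):
        findings.append(f"hidden dot-file executable: {base}")
    if deleted:
        findings.append("executable deleted from disk while running")
    # The bot renames itself to systemd-logind; the real daemon starts from a system path.
    if p.comm in IMPERSONATED_DAEMONS and not exe.startswith(SYSTEM_BIN_DIRS):
        findings.append(f"'{p.comm}' is not backed by a system binary ({exe or 'unknown'})")
    # Generic renamed-process check: comm normally equals the leading bytes of the exe
    # name. Interpreters and some services legitimately differ, so treat this as a lead.
    elif exe and not base.startswith(p.comm):
        findings.append(f"process name '{p.comm}' does not match binary '{base}'")
    return findings


def parse_proc_net_tcp(text: str) -> list[tuple[str, int]]:
    """Return (remote_ip, remote_port) for every ESTABLISHED socket in /proc/net/tcp text."""
    peers = []
    for line in text.splitlines()[1:]:              # line 0 is the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != "01":    # st 01 == TCP_ESTABLISHED
            continue
        rem_ip_hex, rem_port_hex = fields[2].split(":")
        # IPv4 addresses are printed as little-endian hex, e.g. 7B2F4B9F -> 159.75.47.123
        ip = socket.inet_ntoa(struct.pack("<I", int(rem_ip_hex, 16)))
        peers.append((ip, int(rem_port_hex, 16)))
    return peers


def c2_connections(text: str) -> list[tuple[str, int]]:
    """Filter parsed sockets down to the C2 address named in the write-up."""
    return [(ip, port) for ip, port in parse_proc_net_tcp(text) if ip in C2_IPS]


def scan_live_host() -> dict:
    """Run both checks against /proc on this machine (root needed to read every exe link)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
        except OSError:
            continue                                # process exited mid-scan
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = ""
        procs.append(Proc(int(pid), comm, exe))
    with open("/proc/net/tcp") as fh:
        net = fh.read()
    return {"processes": {p.pid: f for p in procs if (f := process_findings(p))},
            "c2_connections": c2_connections(net)}


# Constructed sample data mirroring the infection chain above (not real telemetry).
SAMPLE_PROCS = [
    Proc(612, "systemd-logind", "/usr/lib/systemd/systemd-logind"),  # genuine daemon
    Proc(4021, "systemd-logind", "/tmp/Mddos.x86_64"),               # bot after rename
    Proc(4088, ".dbus-daemon", "/tmp/.dbus-daemon"),                  # XMRig stage
]
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0A00020F:B5A2 7B2F4B9F:0050 01 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    for proc in SAMPLE_PROCS:
        print(proc.pid, proc.comm, process_findings(proc))
    print("C2 sockets:", c2_connections(SAMPLE_NET_TCP))
```

Run it as root for a complete picture, since /proc/<pid>/exe is only readable for your own processes otherwise; an unreadable link simply yields an empty exe and is skipped by the name-mismatch rule. The /proc/net/tcp parser is the piece most worth reusing: the little-endian hex encoding trips up ad-hoc grep rules, which is why a C2 IP rarely appears there in dotted form.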

New NFC Relay Attack Campaign Identified by Cyble Researchers


Cyble researchers have identified a new NFC relay attack campaign targeting users in Brazil. Cyble Research and Intelligence Labs (CRIL) researchers dubbed the malware “RelayNFC” and identified five phishing sites distributing the malicious app, which claims to secure payment cards. The malicious application captures the victim’s card details and relays them to attackers for fraudulent transactions. The malware is also highly evasive and remains undetected by security tools.

NFC Relay Attack App Evades Security Tools

RelayNFC is a “lightweight yet highly evasive malware” because of its Hermes-compiled payload, Cyble said. Use of the JavaScript engine “makes detection significantly harder, enabling it to stealthily capture victims’ card data and relay it in real time to an attacker-controlled server,” the researchers said. VirusTotal detections of the NFC relay attack malware were at zero at publication time, “indicating very low visibility across the security ecosystem, and the code suggests a high likelihood of continued development,” they said.

RelayNFC uses a full real-time Application Protocol Data Unit (APDU) relay channel that enables attackers to complete transactions “as though the victim’s card were physically present.” The researchers also identified a related variant that attempts to implement Host Card Emulation (HCE), suggesting that the threat actor is exploring other NFC relay techniques too.

Other malware strains exploiting Near-Field Communication (NFC) capabilities to intercept or relay contactless payment data have included Ngate, SuperCardX, and PhantomCard, suggesting a growing trend of NFC exploits, Cyble said.

RelayNFC Malware Relies on Phishing Sites

Distribution of RelayNFC relies entirely on phishing, tricking users into downloading the malware. The campaign uses a Portuguese-language page that prompts victims to install the malicious payment card security app (image below).

Figure: NFC relay attack phishing site (Cyble)

The researchers identified five malicious sites distributing the app, “indicating a coordinated and ongoing operation targeting Brazilian users.” Those sites include:
  • maisseguraca[.]site
  • proseguro[.]site
  • test[.]ikotech[.]online
  • maisseguro[.]site
  • maisprotecao[.]site
RelayNFC appears to be a new variant built using the React Native framework and has been active for at least a month. The malware operates as a “reader,” the researchers said, capturing victim card data and relaying it to the attacker’s server. After installation, the app immediately displays a phishing screen that tells the user to tap their payment card on the device. Once the card data has been read, RelayNFC displays another phishing screen that prompts the victim to enter their 4- or 6-digit PIN.

APDU Commands Turn Device Into ‘Remote NFC Reader’

The RelayNFC code is built around a relay channel that uses a persistent WebSocket connection to forward Application Protocol Data Unit (APDU) commands between the attacker’s server and the victim’s NFC subsystem, “effectively turning the infected device into a remote NFC ‘reader’ for the attacker,” the researchers said. The NFC controller processes the command and generates a genuine APDU response, as the card would during a legitimate transaction. RelayNFC captures that output and returns it to the command-and-control server in an “apdu-resp” message, “preserving the original request ID and session ID so the attacker’s device can continue the EMV transaction seamlessly.”

“This real-time, bidirectional relay of APDU commands and responses is what enables the attacker to execute a full payment flow remotely, as if the victim’s card were physically present at their POS terminal,” the researchers said. “By combining phishing-driven distribution, React Native–based obfuscation, and real-time APDU relaying over WebSockets, the threat actors have created a highly effective mechanism for remote EMV transaction fraud,” they said.

The researchers said their findings underscore the need for strong device-level protections, user awareness, and monitoring by financial institutions.

Cyble and BOCRA Sign MoU to Strengthen Botswana’s National Cybersecurity Framework


Cyble and the Botswana Communications Regulatory Authority (BOCRA) have announced a strategic Memorandum of Understanding (MoU). The Cyble and BOCRA MoU is designed to provide stronger defenses, improved detection capabilities, and faster incident response for critical sectors across Botswana.  The agreement, formed in collaboration with the Botswana National CSIRT, marks an important step toward enhancing the country’s national cybersecurity posture at a time when global cyber threats continue to escalate.  

Strengthening National Cybersecurity Capabilities 

Under the Cyble and BOCRA MoU, both organizations will work closely to advance Botswana’s cybersecurity ecosystem. The collaboration will focus on building stronger cyber defense mechanisms, improving incident response readiness, and equipping national cybersecurity teams with access to Cyble threat intelligence technologies.  Cyble will provide BOCRA with real-time intelligence on emerging threats, leveraging its proprietary AI-native platforms that monitor malicious activity across the open, deep, and dark web. This advanced situational awareness will help Botswana’s security teams quickly identify risk indicators, detect suspicious activity, and mitigate threats before they escalate. The partnership aims to reduce the impact of cyber incidents on citizens, enterprises, and critical national infrastructure. 

Expanding Cyber Skills and Knowledge Transfer 

Another essential focus area of the Cyble and BOCRA MoU is capacity building. The agreement includes initiatives to enhance cybersecurity skills, support workforce development, and promote knowledge transfer. This is expected to help Botswana establish a sustainable talent pipeline capable of addressing modern cyber risks.  According to Cyble, strengthening human expertise is as crucial as deploying technical solutions. Training programs, workshops, and shared intelligence efforts will support BOCRA and the Botswana National CSIRT in their mandate to safeguard the country’s digital landscape.  Manish Chachada, Co-founder and COO of Cyble, emphasized the importance of this collaboration. “This partnership reflects our continued commitment to supporting national cybersecurity priorities across Africa. By combining Cyble’s threat intelligence expertise with BOCRA’s regulatory leadership, we are confident in our ability to strengthen Botswana’s cyber resilience and help the nation navigate the rapidly evolving threat landscape,” he said. 

About BOCRA 

The Botswana Communications Regulatory Authority serves as the national body responsible for regulating the communications sector, advancing cybersecurity programs, enhancing digital infrastructure resilience, and promoting cyber awareness across the country. As cyber threats grow more complex, BOCRA’s role in coordinating national cyber readiness becomes increasingly critical. 

About Cyble 

Cyble, an AI-first cybersecurity company, is recognized globally for its expertise in dark web intelligence, digital risk protection, and predictive cyber defense. Its platforms process more than 50TB of threat data daily, helping organizations detect, measure, and mitigate risks in real time. Cyble works with Fortune 500 enterprises and government entities worldwide, supporting the shift toward intelligent, autonomous cybersecurity solutions.  The Cyble and BOCRA MoU reinforces the shared vision of both organizations to ensure a safer, more secure digital future for Botswana.  Explore how Cyble’s AI-powered threat intelligence and digital risk protection solutions can help your business stay ahead of emerging risks.  Visit www.cyble.com to learn more. 

Ransomware Attacks Have Soared in 2025 as New Leaders Emerge


Ransomware attacks have soared 50% in 2025 despite major changes among the leading ransomware groups, according to a new Cyble report. Through October 21, there have been 5,010 ransomware attacks claimed by ransomware groups on their dark web data leak sites, up from 3,335 in the same period of 2024, according to a Cyble blog post. “From the decline of RansomHub to the rise of Qilin and newcomers like Sinobi and The Gentlemen, ransomware group leadership has been in flux for much of 2025, but affiliates have been quick to find new opportunities, and a steady supply of critical vulnerabilities has helped fuel attacks,” Cyble said. The threat intelligence company noted that its new threat landscape report (registration required) also documents record data breaches and supply chain attacks, as the cyber landscape has become more dangerous in general this year.

Qilin Led All Ransomware Groups Once Again

September marked the fifth consecutive monthly increase in ransomware attacks, and Qilin led all ransomware groups for the fifth time in six months, as the group has solidified its leadership in the wake of RansomHub's decline. In all, ransomware groups claimed 474 victims in September, up slightly from August (chart below). That’s well below February’s record, “yet still among the highest monthly ransomware attack totals on record,” Cyble said.

Figure: Ransomware attacks by month 2021-2025 (Cyble)

The U.S. remains by far the biggest target for ransomware groups, with its 259 victims accounting for nearly 55% of attacks in September (chart below). Germany, France, Canada, Spain, Italy and the UK remain consistent targets, but South Korea emerged as a new major target, in second place behind the U.S. with 32 attacks, largely due to one campaign by Qilin.

Figure: Ransomware attacks by country September 2025 (Cyble)

Of the 32 South Korean attacks recorded in September, 29 came from Qilin’s “KoreanLeak” campaign that targeted asset management companies in the country. Cyble noted that “One of the asset management firms said its systems were impacted through a ransomware attack on its IT management provider, indicating a possible supply chain compromise affecting multiple firms simultaneously.” The campaign also made South Korea by far the most attacked country in the APAC region in September, well ahead of India, Thailand and Taiwan.

Qilin’s South Korean campaign made Banking, Financial Services and Insurance (BFSI) the third most attacked sector in September, behind Construction and Manufacturing and ahead of Professional Services, IT and Healthcare (chart below).

Figure: Ransomware attacks by sector September 2025 (Cyble)

The Emergence of The Gentlemen Ransomware Group

Qilin led all ransomware groups with 99 claimed victims, 40 ahead of second-place Akira (chart below).

Figure: Top ransomware groups September 2025 (Cyble)

The emergence of The Gentlemen, a new group that has claimed 46 victims to date, was a noteworthy development. “The group’s use of custom tools targeting specific security vendors and the geographic diversity of its targets ... suggests that the group may have the resources to become an enduring threat,” Cyble said. The full Cyble blog detailed 11 significant ransomware incidents in September, including some with supply chain implications, and also included recommendations for defenders.