Watchdog

Also known aswatchdog

WatchDog is a Linux-focused cryptojacking group active since at least January 2019. In the provided content it is identified as one of several rival cryptomining families and is associated with artifacts and process names including pdefenderd, updatecheckerd, meminitsrv, dbused, and phpguard. The content also references WatchDog crontab injection payloads found on a compromised, exposed Redis 8.4.0 instance at 212.113.98.33; the reporting explicitly states that the NEKOBYTE server was a victim of compromise and not infrastructure operated by WatchDog. WatchDog is mentioned in the context of competition among Linux cryptomining malware families, with another malware family maintaining kill lists that target WatchDog-associated processes and artifacts. No high-confidence nation-state attribution is provided in the content.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

3 of 15 tactics6 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0002

Execution

1 technique

T1053

Scheduled Task/Job

T1053.003

Cron

TA0003

Persistence

1 technique

T1053

Scheduled Task/Job

T1053.003

Cron

TA0004

Privilege Escalation

1 technique

T1053

Scheduled Task/Job

T1053.003

Cron

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

trend micro researchNews

Jun 23, 2026

From Langflow to Monero: Inside CVE-2026-33017 Cryptominer | Trend Micro (US)

Referenced as a rival cryptomining family/operator whose known process names are included in the lambsys kill list.

breakglass intelNews

Mar 7, 2026

From Honeypot Hit to Russian State MITM: How a Single PostgreSQL Scan Led Us to a 128,000-IP Surveillance Empire - Breakglass Intelligence - Breakglass Intelligence

Cryptojacking group associated with Redis compromise and crontab injection payloads; mentioned here as compromising a NEKOBYTE server as collateral activity, not as the operator of the MITM infrastructure.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping1

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.