V3G4
V3G4 is a Linux-targeting Mirai-derived botnet identified by Cyble Research Intelligence Labs that is paired with a stealthy, fileless XMRig-based Monero miner. It targets Linux servers and IoT devices across multiple CPU architectures, including x86_64, ARM64, ARM7, ARM5, MIPS, and MIPSEL. The malware uses a multi-stage infection chain beginning with a shell script referred to as the Universal Bot Downloader, which determines the victim architecture via uname -m, downloads an architecture-specific binary from 103.149.93.224, writes it to /tmp, sets executable permissions, and executes it.
The bot binary is described as UPX-packed and stripped. It performs host reconnaissance, including checking kernel details and process limits, and has been observed printing the banner string "xXxSlicexXxxVEGA," which was linked by Cyble to previously documented V3G4-Mirai strains. For stealth, it masquerades as legitimate system processes such as systemd-logind, closes standard input and output, detaches from the controlling terminal using setsid, and disguises the miner process as /tmp/.dbus-daemon.
V3G4 supports both botnet and monetization functions. It conducts raw TCP socket activity and multi-threaded SYN scanning against port 22 to identify SSH services for brute-force propagation. It also performs multi-threaded DNS queries to 8.8.8.8 and resolves the domain baojunwakuang.asia, which maps to 159.75.47.123, for command-and-control. The infrastructure uses non-standard ports including 60194. A later-stage payload deploys an XMRig-based miner that retrieves its configuration dynamically at runtime over TCP as a JSON blob containing wallet addresses, pool URLs, and algorithm settings, avoiding static on-disk configuration files.
Supporting reporting also mentions V3G4 in the context of Mirai resurgence, describing it as using 13 CVEs for Linux propagation and brute-forcing SSH. High-confidence indicators directly mentioned in the content include 103.149.93.224, baojunwakuang.asia, 159.75.47.123, port 60194, the banner string "xXxSlicexXxxVEGA," and process names systemd-logind and /tmp/.dbus-daemon.
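As an added defender-side example (not code from Cyble's report or from this page), the script below turns the indicators listed above into simple detection rules and runs them over a handful of constructed process, DNS and connection events; the event format, the process names and the "legitimate directory" list are assumptions for the illustration.

```python
# Indicators quoted in the V3G4 write-up above.
C2_DOMAIN = "baojunwakuang.asia"
C2_IPS = {"103.149.93.224", "159.75.47.123"}
C2_PORTS = {60194}
# Daemon names V3G4 masquerades as; their binaries should live in system paths.
MASQUERADE_NAMES = {"systemd-logind", "dbus-daemon"}
LEGIT_DIRS = ("/usr/lib/systemd/", "/lib/systemd/", "/usr/bin/", "/bin/")

# Constructed sample telemetry (not real logs): "<type> key=value ...".
SAMPLE_EVENTS = """
exec pid=4120 comm=systemd-logind exe=/tmp/.x86_64 ppid=1
exec pid=4121 comm=systemd-logind exe=/usr/lib/systemd/systemd-logind ppid=1
exec pid=4190 comm=dbus-daemon exe=/tmp/.dbus-daemon ppid=4120
dns pid=4120 query=baojunwakuang.asia server=8.8.8.8
connect pid=4120 dst=159.75.47.123 dport=60194
connect pid=4200 dst=93.184.216.34 dport=443
""".strip().splitlines()


def parse_event(line):
    """Split one sample line into a dict; the event type goes under 'type'."""
    kind, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["type"] = kind
    return ev


def check_event(ev):
    """Return the names of the rules that fire on a single event."""
    hits = []
    if ev["type"] == "exec":
        name, exe = ev.get("comm", ""), ev.get("exe", "")
        # A well-known daemon name backed by a binary outside system paths.
        if name in MASQUERADE_NAMES and not exe.startswith(LEGIT_DIRS):
            hits.append("masquerade_path")
        # Hidden dotfile executed from /tmp (e.g. /tmp/.dbus-daemon).
        if exe.startswith("/tmp/") and exe.rsplit("/", 1)[-1].startswith("."):
            hits.append("hidden_tmp_binary")
    elif ev["type"] == "dns" and ev.get("query", "").endswith(C2_DOMAIN):
        hits.append("c2_domain")
    elif ev["type"] == "connect":
        if ev.get("dst") in C2_IPS:
            hits.append("c2_ip")
        if int(ev.get("dport", 0)) in C2_PORTS:
            hits.append("c2_port")
    return hits


def scan(lines):
    """Run every rule over every line; returns (pid, rule) pairs in order."""
    return [(ev["pid"], rule) for ev in map(parse_event, lines)
            for rule in check_event(ev)]
```

The legitimate systemd-logind launch (pid 4121) and the ordinary HTTPS connection produce no hits; the /tmp-backed masquerades, the C2 domain lookup and the 159.75.47.123:60194 connection do.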
Techniques & procedures
14 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (1 technique)
Stealth (4 techniques)
Once executed, the UPX-packed and stripped binary gathers system information through environment reconnaissance.
Credential Access (1 technique)
Discovery (4 techniques)
Multiple worker threads simultaneously perform high-velocity SYN packet spraying on port 22 across the internet, enabling rapid SSH brute-force propagation to new victims.
Once executed, the UPX-packed and stripped binary gathers system information through environment reconnaissance, checking kernel details and process limits to determine operational parameters.
Command and Control (3 techniques)
The bot performs multi-threaded DNS queries against Google's public DNS server (8.8.8.8) to resolve the C2 domain baojunwakuang.asia, which maps to 159.75.47.123 and serves both botnet commands and miner configuration through non-standard ports such as 60194.
The attack begins with a compact shell script called Universal Bot Downloader that automatically identifies the victim system’s CPU architecture using the uname -m command... the script constructs a tailored download URL and fetches the appropriate bot binary from the attacker-controlled server at 103.149.93.224.
IOCs tracked for this family
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
V3G4 is a Mirai variant that uses a chain of 13 CVEs to propagate via SSH brute-force and exploits, rapidly expanding its botnet for DDoS operations.
V3G4 is a Mirai variant known for chaining multiple CVEs and brute-forcing SSH credentials to propagate across Linux-based IoT devices, forming large botnets for DDoS attacks.
A Mirai-derived botnet targeting Linux systems, paired with a fileless cryptocurrency miner for Monero.
A sophisticated Linux malware campaign combining Mirai-derived DDoS botnet functionality with a stealthy fileless cryptominer. It targets Linux servers and IoT devices, performs SSH brute-force propagation, establishes C2 communications, and deploys a covert miner while using process masquerading and dynamic configuration retrieval for stealth.