Security researchers reported several distinct but related findings showing how attackers are abusing Linux-based infrastructure for botnets, cryptomining, and post-compromise operations. Eclypsium identified a new CondiBot variant labeled QTXBOT and a previously undocumented Monaco cryptominer targeting network devices and exposed SSH services, with Monaco using brute-force access and exfiltrating stolen credentials to a command-and-control server hosted on Alibaba Cloud Singapore. Separately, Hunt.io exposed an Iranian-operated relay and botnet environment through an open directory, revealing a 15-node tunnel network, SSH-based mass deployment tooling, on-host compilation of DDoS malware, and active command-and-control infrastructure.
Flare also documented how threat actors repeatedly use the legitimate open-source script Bench.sh after initial access to profile compromised systems, including JupyterLab, Jupyter Notebook, SSH, Apache Tomcat, and PHP-based environments, in order to assess CPU, memory, disk, and bandwidth for follow-on abuse such as cryptomining, proxying, or DDoS. The reporting does not describe a single shared intrusion campaign: the CondiBot/Monaco discovery, the Iranian botnet infrastructure exposure, and Bench.sh abuse are separate research items connected by the broader theme of attackers operationalizing compromised Linux and network infrastructure. A separate report on FancyBear/APT28 email theft and a general weekly security recap are different topics and should be excluded.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
8 events from the most recent confirmed update back to the earliest known activity.
Darktrace researchers reported the first documented case of Chaos malware being adapted from routers and edge devices to target 64-bit Linux servers. The newly observed sample also added SOCKS5 proxy capability, suggesting uses beyond DDoS attacks and cryptomining.
On 2026-03-17, Hunt.io disclosed an exposed open directory on 185.221.239[.]162:8080 that revealed a threat actor's working environment, then pivoted from a shared Let's Encrypt certificate for *.server21[.]org to map a 15-node infrastructure across Iranian ISPs, Hetzner in Finland, and a related OVH node in London. The disclosure connected the relay network, DDoS activity, and botnet development to a single operator.
Hunt.io observed a subsequent phase in which the operator developed an SSH-based botnet using Python deployment scripts and a compiled C client that was built directly on victim hosts and renamed "hex" for persistence. The botnet relied on credential-based SSH access and reconnection logic to maintain infected systems.
The same exposed environment showed a later phase in which the operator compiled and used DDoS tools, including MHDDOS, indicating active attack operations beyond relay services. Researchers assessed this as a distinct escalation from infrastructure setup to offensive use.
Hunt.io found evidence that an Iran-based or Farsi-speaking operator first built a KCP-based Paqet tunnel network across infrastructure tied to Iranian ISPs and other hosting providers to support censorship-circumvention services. This was identified as the earliest operational phase visible in the exposed server files and shell history.
In a subset of the intrusions analyzed by Flare, attackers moved beyond reconnaissance and deployed follow-on payloads including a cryptominer and Mirai malware. Other compromises ended after benchmarking, suggesting Bench.sh was used as a triage step to judge host value.
Flare reported repeated real-world abuse of the legitimate Bench.sh benchmarking script after compromise of exposed services including JupyterLab, Jupyter Notebook, SSH, Apache Tomcat, and PHP applications. Attackers used the tool to quickly assess CPU, memory, disk, and bandwidth before deciding whether to monetize or further weaponize access.
On 2026-03-06, researchers documented two previously unreported Linux malware families targeting network devices: a new Mirai-derived CondiBot variant and a Go-based Monero miner called Monaco. The findings showed financially motivated actors increasingly targeting routers, firewalls, IoT devices, and similar infrastructure.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcecybersecuritynews.com
Open sourcehunt.io
Open sourceflare.io
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.