Mallory

Research Highlights Malware and Post-Compromise Abuse Targeting Linux Network and Server Infrastructure

Tags: server infrastructure, botnet, post-compromise, linux, network devices, ddos, credential theft, cryptomining, php, brute-force, open directory, ssh, tunneling
Updated March 17, 2026 at 08:02 PM · 3 sources
Security researchers reported several distinct but related findings showing how attackers are abusing Linux-based infrastructure for botnets, cryptomining, and post-compromise operations. Eclypsium identified a new CondiBot variant labeled QTXBOT and a previously undocumented Monaco cryptominer targeting network devices and exposed SSH services, with Monaco using brute-force access and exfiltrating stolen credentials to a command-and-control server hosted on Alibaba Cloud Singapore. Separately, Hunt.io exposed an Iranian-operated relay and botnet environment through an open directory, revealing a 15-node tunnel network, SSH-based mass deployment tooling, on-host compilation of DDoS malware, and active command-and-control infrastructure.

Flare also documented how threat actors repeatedly run the legitimate open-source script Bench.sh after initial access to profile compromised systems, including JupyterLab, Jupyter Notebook, SSH, Apache Tomcat, and PHP-based environments, in order to measure CPU, memory, disk, and bandwidth before deciding on follow-on abuse such as cryptomining, proxying, or DDoS. The reporting does not describe a single shared intrusion campaign: the CondiBot/Monaco discovery, the Iranian botnet infrastructure exposure, and Bench.sh abuse are separate research items connected by the broader theme of attackers operationalizing compromised Linux and network infrastructure. A separate report on FancyBear/APT28 email theft and a general weekly security recap cover different topics and are not part of this item.
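The detection a practitioner would want from the Bench.sh finding is not "Bench.sh ran" (administrators run it too) but "a benchmark was fetched and executed by a process that should never spawn a shell". The following is an added example, not code from Flare or from the Bench.sh project; it runs a small rule over five constructed process-execution events (the event shape, the parent-process and service-account lists, and the severity scheme are all assumptions made here). The fetch patterns mirror the usual `curl ... bench.sh | bash` and `wget ... bench.sh | bash` one-liners.

```python
import re

# Constructed process-execution events (not taken from any report), in the
# shape an auditd/EDR pipeline would emit: timestamp, effective user,
# parent process name (comm, truncated to 15 chars as the kernel does), command line.
SAMPLE_EVENTS = [
    {"ts": "2026-03-10T02:14:07Z", "user": "jovyan", "parent": "jupyter-noteboo",
     "cmd": "bash -c 'curl -Lso- bench.sh | bash'"},
    {"ts": "2026-03-10T02:15:01Z", "user": "tomcat", "parent": "java",
     "cmd": "sh -c 'wget -qO- bench.sh | bash'"},
    {"ts": "2026-03-10T09:30:00Z", "user": "root", "parent": "sshd",
     "cmd": "bash ./bench.sh"},
    {"ts": "2026-03-10T09:31:00Z", "user": "www-data", "parent": "php-fpm",
     "cmd": "ls -la /var/www"},
    {"ts": "2026-03-10T09:32:00Z", "user": "jovyan", "parent": "jupyter-noteboo",
     "cmd": "python3 -m pip list"},
]

# Typical one-liners for Bench.sh: fetch the script and pipe it straight to a shell.
FETCH_AND_PIPE = re.compile(r"\b(?:curl|wget)\b[^|]*\bbench\.sh\b[^|]*\|\s*(?:ba)?sh\b")
# A locally saved copy run directly.
RUN_LOCAL_COPY = re.compile(r"\b(?:ba)?sh\s+(?:\./|/\S*/)?bench\.sh\b")

# Assumed lists: application services that should never spawn a shell fetching
# remote scripts, and the unprivileged accounts those services run under.
APP_SERVICE_PARENTS = {"jupyter-noteboo", "jupyter-lab", "java", "php-fpm",
                       "apache2", "httpd", "nginx", "node"}
SERVICE_ACCOUNTS = {"jovyan", "tomcat", "www-data", "apache", "nobody"}


def score_event(ev):
    """Return (severity, reasons) for one event, or None if it is not of interest."""
    reasons = []
    if FETCH_AND_PIPE.search(ev["cmd"]):
        reasons.append("remote Bench.sh fetched and piped to a shell")
    elif RUN_LOCAL_COPY.search(ev["cmd"]):
        reasons.append("local Bench.sh copy executed")
    if not reasons:
        return None  # only benchmark execution is in scope for this rule
    if ev["parent"] in APP_SERVICE_PARENTS:
        reasons.append(f"spawned by application service {ev['parent']!r}")
    if ev["user"] in SERVICE_ACCOUNTS:
        reasons.append(f"ran as service account {ev['user']!r}")
    # Benchmark alone is medium; benchmark from a web/notebook context is high.
    severity = "high" if len(reasons) > 1 else "medium"
    return severity, reasons


def detect_bench_abuse(events):
    """Run the rule over a list of events; return findings in input order."""
    findings = []
    for ev in events:
        hit = score_event(ev)
        if hit:
            findings.append({"ts": ev["ts"], "user": ev["user"],
                             "severity": hit[0], "reasons": hit[1]})
    return findings


if __name__ == "__main__":
    for f in detect_bench_abuse(SAMPLE_EVENTS):
        print(f["ts"], f["severity"].upper(), f["user"], "; ".join(f["reasons"]))
```

The parent-process condition is what separates post-compromise profiling from an administrator's benchmark: a Jupyter kernel or Tomcat JVM spawning `curl ... | bash` means code execution was already obtained through the application. The SSH case is deliberately left at medium severity, since a brute-forced SSH login and a legitimate root session look identical at this layer and need correlation with the authentication source.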

Related Stories

New Botnet Research Highlights Linux SSH Compromise and SystemBC Proxy Malware at Scale

New threat research described two distinct botnet operations expanding through mass compromise.

Flare reported a previously undocumented Linux botnet it dubbed **SSHStalker**, observed via an SSH honeypot and characterized by *IRC-based* command-and-control with multiple bot variants (including legacy families such as **Tsunami** and **Keiten**), automated scanning and staging (including a Golang scanner that masquerades as `nmap` and a compile-and-run workflow), and noisy but effective persistence via `cron` jobs that can re-establish the bot within roughly a minute if it is not fully removed. The tooling also included log-tampering artifacts (e.g., `utmp`/`wtmp`/`lastlog` manipulation) and a "back-catalog" of older Linux 2.6-era exploits, suggesting the operator targets long-tail, poorly maintained infrastructure; Flare noted playbook similarities to **Outlaw/Maxlas**-style operations but did not claim definitive attribution.

Separately, reporting on a Silent Push analysis described a large **SystemBC** (aka **Coroxy/DroxiDat**) botnet comprising **10,000+** infected IPs globally, with notable concentrations in the US and additional presence across Europe and Asia. SystemBC is described as **SOCKS5 proxy malware** commonly used by threat actors to mask downstream activity and historically associated with enabling ransomware deployment; the report highlighted infections linked to **government-related domains** based on passive DNS observations, indicating potential exposure of sensitive environments even when immediate follow-on payloads were not directly observed.

A third article provided general technical background on how internet-wide scanners (e.g., Shodan/Censys-style platforms) perform active service identification and banner grabbing; it is contextual but does not report on either botnet operation specifically.
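The `utmp`/`wtmp`/`lastlog` tampering mentioned above is worth checking for directly, because `wtmp` is an append-only record of logins and most cleaners leave structural traces: a slot overwritten with nulls, a logout whose login was removed, or a record whose timestamp runs backwards. The following is an added example, not Flare's tooling or code from the report; it parses the glibc x86_64 `struct utmp` layout (384 bytes, as documented in utmp(5)) and applies those three checks to a constructed `wtmp` image built in the same block. Record names, the 5-second clock slack, and the sample sessions are assumptions made here.

```python
import struct
from dataclasses import dataclass

# struct utmp as laid out by glibc on x86_64 (384 bytes); see utmp(5).
# type, pad, pid, line[32], id[4], user[32], host[256], exit(2 shorts),
# session, tv_sec, tv_usec, addr_v6[4], 20 bytes reserved.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8
CLOCK_SLACK = 5  # seconds of backwards drift tolerated before flagging (assumed)


@dataclass
class Rec:
    idx: int
    type: int
    pid: int
    line: str
    user: str
    host: str
    tv_sec: int
    zeroed: bool


def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("latin-1")


def pack_record(type_, pid, line, user, host, tv_sec):
    """Build one utmp record; used only to construct the sample image below."""
    return struct.pack(UTMP_FMT, type_, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def parse_wtmp(data: bytes):
    if len(data) % UTMP_SIZE:
        raise ValueError(f"truncated wtmp: size is not a multiple of {UTMP_SIZE}")
    recs = []
    for i, off in enumerate(range(0, len(data), UTMP_SIZE)):
        chunk = data[off:off + UTMP_SIZE]
        f = struct.unpack(UTMP_FMT, chunk)
        recs.append(Rec(i, f[0], f[1], _cstr(f[2]), _cstr(f[4]), _cstr(f[5]),
                        f[9], chunk == bytes(UTMP_SIZE)))
    return recs


def find_tampering(recs):
    """Return (record index, reason) for records violating wtmp's append-only invariants."""
    findings = []
    last_ts = None
    open_sessions = {}  # tty line -> user of the currently open USER_PROCESS entry
    for r in recs:
        if r.zeroed:
            # Cleaners that overwrite rather than splice leave an all-null slot.
            findings.append((r.idx, "record zeroed in place"))
            continue
        if last_ts is not None and r.tv_sec < last_ts - CLOCK_SLACK:
            findings.append((r.idx, f"timestamp {r.tv_sec} precedes previous record {last_ts}"))
        last_ts = r.tv_sec
        if r.type == USER_PROCESS:
            if not r.user or r.tv_sec == 0:
                findings.append((r.idx, "login entry with blanked user or time"))
            open_sessions[r.line] = r.user
        elif r.type == DEAD_PROCESS:
            if r.line not in open_sessions:
                # The logout survived but the matching login was removed.
                findings.append((r.idx, f"logout on {r.line} with no preceding login"))
            open_sessions.pop(r.line, None)
    return findings


# Constructed sample: a reboot, a clean alice session, then three tampered slots.
SAMPLE_WTMP = b"".join([
    pack_record(BOOT_TIME, 0, "~", "reboot", "6.1.0", 1000),
    pack_record(USER_PROCESS, 1200, "pts/0", "alice", "10.0.0.5", 1100),
    pack_record(DEAD_PROCESS, 1200, "pts/0", "", "", 1300),
    bytes(UTMP_SIZE),                                                  # login overwritten with nulls
    pack_record(DEAD_PROCESS, 1400, "pts/1", "", "", 1500),            # orphaned logout
    pack_record(USER_PROCESS, 1600, "pts/2", "bob", "10.0.0.9", 1450),  # inserted out of order
])

if __name__ == "__main__":
    for idx, why in find_tampering(parse_wtmp(SAMPLE_WTMP)):
        print(f"record {idx}: {why}")
```

On a live host, `parse_wtmp(open("/var/log/wtmp", "rb").read())` feeds the same checks; the format string is specific to glibc on 64-bit Linux, so 32-bit builds and musl-based systems need a different layout. A cleaner that removes whole login/logout pairs and leaves the rest untouched defeats all three heuristics, which is why the honeypot-style evidence in the report still has to be corroborated against `auth.log`/journald and, ideally, logs shipped off the host before the intrusion.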

1 month ago
Multiple Malware Campaigns Abuse Phishing and Legitimate Cloud Services to Compromise Windows and Linux Systems

Reporting describes several unrelated but contemporaneous malware operations targeting both Windows and Linux environments.

In Taiwan, FortiGuard Labs observed targeted phishing using tax and e-invoice lures to deliver **Winos 4.0 (ValleyRat)** and plugins, with delivery chains including malicious `.LNK` files, **DLL sideloading**, and **BYOVD** using the vulnerable driver `wsftprm.sys`, supported by rapidly rotating domains and cloud-hosted infrastructure that reduces the effectiveness of static blocklists. Separately, Cato CTRL reported a new Windows loader, **Foxveil**, that stages and retrieves shellcode via trusted platforms (**Cloudflare Pages**, **Netlify**, and **Discord attachments**) and executes payloads using techniques including **Early Bird APC injection** (often into a fake `svchost.exe`) or self-injection, while persisting via Windows services or masqueraded binaries dropped into `SysWOW64`.

Additional reporting covers distinct campaigns in other regions and platforms. A LATAM-focused intrusion chain uses fake bank receipt lures (double-extension such as `.pdf.js`) to deliver **XWorm v5.6**, employing oversized/obfuscated JavaScript, WMI-based process creation (`Win32_Process`) to launch hidden PowerShell, and abuse of a hardcoded **Cloudinary** URL for staging, capabilities consistent with credential theft and enabling follow-on ransomware. Trellix analysis described a separate **Monero** cryptomining operation distributed via pirated software installers that propagates through **USB/external drives** to reach even air-gapped systems, using multi-component "watchdog" self-healing behavior and aggressive defense evasion.

On Linux, LevelBlue detailed a new **SysUpdate** variant (packed `ELF64`) that performs host reconnaissance and uses strong C2 encryption; researchers built a **Unicorn Engine**-based emulation tool to reproduce key generation/encryption routines and decrypt captured C2 traffic for investigation and detection engineering.

3 weeks ago
Weekly Cyber Threat Roundups Highlight Linux Fileless Malware, Office Zero-Day Exploitation, and Multiple Breach Claims

Multiple weekly threat roundups and research posts reported a mix of active exploitation, new malware tradecraft, and breach claims.

Ukraine’s CERT reported **APT28** rapidly weaponized a Microsoft Office zero-day (**CVE-2026-21509**) within roughly a day of Microsoft’s disclosure, using spearphishing emails with malicious DOC lures to deliver **Covenant** backdoors against Ukrainian government targets and EU-related entities. Separately, researchers described **ShadowHS**, a stealthy **fileless Linux** post-exploitation framework that runs in memory (e.g., via `memfd`-style execution), uses encrypted multi-stage loading (AES-256-CBC), fingerprints defensive tooling (including major EDR agents), and retains operator-driven capabilities such as credential theft, lateral movement, and covert tunneling for exfiltration.

Other reporting highlighted incident and exposure claims and defensive takeaways. Check Point described a **supply-chain compromise** affecting *eScan* (MicroWorld Technologies) in which malicious updates were pushed through the legitimate updater, prompting an emergency shutdown of global update services; it also noted **Crunchbase** confirmed a breach affecting **2M+ records** claimed by **ShinyHunters**, and cited extortion/leak claims involving **Qilin** (Tulsa International Airport) and **WorldLeaks** (Nike). Google’s legal/technical disruption of the **IPIDEA** residential proxy network was also cited as reducing available proxy nodes by millions and cutting off C2 domains used to route attacker traffic.

Additional coverage described a phishing chain using a fake DHL invoice to abuse a signed Java utility via **DLL sideloading** (malicious `jli.dll`) and **process hollowing** into `AddInProcess32.exe` to run **Phantom Stealer**; detection-engineering updates emphasized new rules for Windows defense evasion (e.g., tampering with Credential Guard/HVCI, disabling AMSI and the vulnerable driver blocklist) and expanded Kubernetes and Linux post-exploitation detections.
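The `memfd`-style in-memory execution attributed to ShadowHS above is visible from `/proc` without any agent: the kernel resolves `/proc/<pid>/exe` for a memfd-backed image to `/memfd:<name> (deleted)`, and the same suffix appears in `/proc/<pid>/maps` for an executable mapping whose backing file was unlinked. The following is an added example, not code from the report or from any detection product; `analyze()` runs the checks over constructed process snapshots built in the block, and `snapshot_live()` collects the same fields from a real host. The process names, paths, and map lines in the sample are constructed for the example.

```python
import os

# Constructed process snapshots (not live data): what /proc/<pid>/exe resolves to
# and a few lines from /proc/<pid>/maps for each process.
SAMPLE_PROCS = [
    {"pid": 1, "comm": "systemd", "exe": "/usr/lib/systemd/systemd", "maps": [
        "55d0c0a00000-55d0c0b50000 r-xp 00000000 fd:01 131 /usr/lib/systemd/systemd",
        "7f3a10000000-7f3a10190000 r-xp 00000000 fd:01 9981 /usr/lib/x86_64-linux-gnu/libc.so.6",
    ]},
    {"pid": 4242, "comm": "kworker/0:1", "exe": "/memfd:kworker/0:1 (deleted)", "maps": [
        "7f8e20000000-7f8e20210000 r-xp 00000000 00:01 2048 /memfd:kworker/0:1 (deleted)",
        "7f8e20400000-7f8e20590000 r-xp 00000000 fd:01 9981 /usr/lib/x86_64-linux-gnu/libc.so.6",
    ]},
    {"pid": 5151, "comm": "sshd", "exe": "/tmp/.x (deleted)", "maps": [
        "5600a0000000-5600a0120000 r-xp 00000000 fd:01 77 /tmp/.x (deleted)",
    ]},
    {"pid": 6161, "comm": "python3", "exe": "/usr/bin/python3.11", "maps": [
        "55ce00000000-55ce00300000 r-xp 00000000 fd:01 512 /usr/bin/python3.11",
        "7fa100000000-7fa100020000 r-xp 00000000 00:1b 4096 /dev/shm/.l.so (deleted)",
    ]},
    {"pid": 7, "comm": "sshd", "exe": "/usr/sbin/sshd", "maps": [
        "55a000000000-55a0000f0000 r-xp 00000000 fd:01 88 /usr/sbin/sshd",
        "7ffc00000000-7ffc00002000 r-xp 00000000 00:00 0 [vdso]",
    ]},
]


def suspicious_path(path):
    """Reasons a mapped executable image should not be trusted as an on-disk binary."""
    reasons = []
    if path.startswith("/memfd:"):
        reasons.append("memfd-backed image")
    elif path.startswith("/dev/shm/") or path.startswith("/run/shm/"):
        reasons.append("image in tmpfs shared memory")
    if path.endswith(" (deleted)"):
        reasons.append("backing file unlinked")
    return reasons


def analyze_process(proc):
    """Return the reasons a process looks fileless or injected, or [] if it looks clean."""
    reasons = [f"exe: {r}" for r in suspicious_path(proc["exe"])]
    for line in proc["maps"]:
        fields = line.split(maxsplit=5)
        if len(fields) < 6 or "x" not in fields[1]:
            continue  # only executable mappings that carry a pathname matter here
        reasons += [f"map {fields[5]}: {r}" for r in suspicious_path(fields[5])]
    return reasons


def analyze(procs):
    """Map pid -> reasons for every process with at least one finding."""
    out = {}
    for p in procs:
        reasons = analyze_process(p)
        if reasons:
            out[p["pid"]] = reasons
    return out


def snapshot_live(proc_root="/proc"):
    """Collect the same fields from a live system; unreadable entries are skipped."""
    procs = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
            exe = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "maps")) as fh:
                maps = fh.read().splitlines()
        except OSError:
            continue  # kernel threads have no exe; other users' maps need root
        procs.append({"pid": int(name), "comm": comm, "exe": exe, "maps": maps})
    return procs


if __name__ == "__main__":
    for pid, why in analyze(SAMPLE_PROCS).items():
        print(pid, "; ".join(why))
```

Run as root (`analyze(snapshot_live())`) to cover every process. Two false-positive classes need handling before this becomes an alert: a long-running daemon whose binary was replaced by a package upgrade also shows `(deleted)` on its `exe` link, and some JIT runtimes and sandboxes legitimately map executable memfds, so baseline by `comm` and parent and correlate with package-manager logs. A framework that fingerprints EDR agents, as ShadowHS is described as doing, may also behave differently when it detects tooling, which is an argument for running this kind of check from a read-only forensic path rather than from an installed agent.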

1 month ago

Get Ahead of Threats Like This

Mallory continuously monitors global threat intelligence and correlates it with your attack surface. Know if you're exposed — before adversaries strike.