Hybrid Linux Threats on the Rise: Mirai-Style Botnets Meet Fileless Cryptomining

Introduction

Cybersecurity researchers at Cyble Research & Intelligence Labs (CRIL) have documented a Linux-targeting campaign that pairs a Mirai-derived DDoS bot with an XMRig cryptominer whose configuration never touches disk. The goal is twofold: rent out the infected fleet for disruption and mine cryptocurrency on the same hosts, with cloud instances, Linux servers and exposed IoT devices as the primary targets. Its multi-stage delivery, process-name spoofing and runtime-fetched miner configuration reflect a broader trend: squeezing as much revenue as possible out of each compromised box while leaving few of the artifacts that file- and signature-based tools look for.

Summary of the Campaign

The attack begins with a shell script the researchers call the “Universal Bot Downloader.” It identifies the host architecture (x86_64, ARM or MIPS), fetches the matching bot binary from the attackers' server, writes it to /tmp, marks it executable and launches it. The x86_64 build, Mddos.x86_64, is UPX-packed and stripped of symbols. Packing hides strings and imports from a quick static look, although stock UPX can usually be reversed with its own decompressor (upx -d); only a modified packer defeats that step.

Once running, the malware renames itself to look like the legitimate daemon systemd-logind and detaches from the controlling terminal so it runs silently. The spoofing only changes the process name and command line: /proc/<pid>/exe still points at the file that was actually executed, here in /tmp, which is the quickest way to unmask it. It collects the kernel version, architecture and process limits, seeds its random number generator so that timing varies between runs (blunting detections that rely on fixed beacon or scan intervals), and then spawns worker threads for attack execution, command-and-control (C2) traffic and internal coordination over a TCP listener bound to localhost on port 63841.

A key feature of the bot is its SSH scanner, built on raw TCP sockets so it can spray SYN packets at port 22 across the internet without the overhead of full connections, looking for reachable SSH services to attack. To keep its C2 channel alive it repeatedly resolves the C2 domain www.baojunwakuang[.]asia by querying Google Public DNS (8.8.8.8) directly rather than the host's configured resolver. That detail matters for defenders: DNS logging or sinkholing that only covers the internal resolver will miss these lookups, while direct outbound UDP/53 from a server to an external resolver is itself a useful alert.
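One way to spot the scanning phase from the network side, as an added example (editor's code, not the CRIL report's or the malware's): the script below reads a constructed Zeek-style conn.log excerpt and flags any source that sends half-open SYNs to many distinct hosts on tcp/22 in a short window. The field layout, the thresholds (8 targets in 60 seconds) and the sample addresses are assumptions made for the example.

```python
"""Flag hosts that behave like the SSH SYN sweep described above, working
from connection records.  This is example code added to this article, not
code from the CRIL report or the malware.

Input is a constructed Zeek-style conn.log excerpt with six tab-separated
columns: ts, id.orig_h, id.resp_h, id.resp_p, proto, conn_state.  Zeek's
conn_state S0 means a SYN was seen with no reply and REJ means the SYN was
rejected; a raw-socket SYN sweep produces many such half-open attempts to
distinct hosts in a short time, whereas a real SSH session completes the
handshake (SF).
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 sweeps ten hosts on tcp/22 within a tenth of
# a second, 10.0.0.9 is an admin with completed sessions, 10.0.0.7 produces
# two failed attempts (ordinary noise, below the threshold).
SAMPLE_CONN_LOG = "\n".join(
    [f"1700000000.{i:02d}\t10.0.0.5\t203.0.113.{i}\t22\ttcp\tS0" for i in range(1, 11)]
    + [
        "1700000000.50\t10.0.0.5\t198.51.100.7\t443\ttcp\tSF",
        "1700000001.00\t10.0.0.9\t203.0.113.40\t22\ttcp\tSF",
        "1700000002.00\t10.0.0.9\t203.0.113.41\t22\ttcp\tSF",
        "1700000003.00\t10.0.0.7\t203.0.113.50\t22\ttcp\tS0",
        "1700000004.00\t10.0.0.7\t203.0.113.51\t22\ttcp\tREJ",
    ]
)

HALF_OPEN_STATES = {"S0", "REJ"}


def parse_conn_log(text):
    """Parse the six-column excerpt into dicts, skipping blank/comment lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, orig_h, resp_h, resp_p, proto, state = line.split("\t")
        records.append({"ts": float(ts), "src": orig_h, "dst": resp_h,
                        "dport": int(resp_p), "proto": proto, "state": state})
    return records


def find_ssh_scanners(records, window_s=60.0, min_targets=8):
    """Return {src: (distinct_targets, half_open_attempts)} for every source
    that sent half-open SYNs to at least min_targets distinct hosts on tcp/22
    inside some sliding window of window_s seconds.  The thresholds are
    assumptions for this example; tune them to the site's baseline."""
    attempts = defaultdict(list)
    for r in records:
        if r["proto"] == "tcp" and r["dport"] == 22 and r["state"] in HALF_OPEN_STATES:
            attempts[r["src"]].append((r["ts"], r["dst"]))

    scanners = {}
    for src, events in attempts.items():
        events.sort()
        lo, best_targets, best_count = 0, 0, 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window_s:
                lo += 1
            window = events[lo:hi + 1]
            targets = len({dst for _, dst in window})
            if targets > best_targets:
                best_targets, best_count = targets, len(window)
        if best_targets >= min_targets:
            scanners[src] = (best_targets, best_count)
    return scanners


if __name__ == "__main__":
    hits = find_ssh_scanners(parse_conn_log(SAMPLE_CONN_LOG))
    for src, (targets, count) in hits.items():
        print(f"possible SSH SYN scanner {src}: {targets} distinct hosts, "
              f"{count} half-open attempts")
```

On a real sensor, zeek-cut ts id.orig_h id.resp_h id.resp_p proto conn_state < conn.log produces exactly the columns parse_conn_log expects. A sweep from a raw socket shows up as a burst of S0/REJ records to many destinations with no matching SF, which is the pattern the sliding window isolates; an administrator's legitimate logins complete the handshake and never enter the count.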

The final stage deploys an XMRig-based miner. The bot downloads a UPX-packed XMRig binary to /tmp under the name .dbus-daemon (the leading dot hides it from a plain directory listing). What the researchers describe as fileless is the configuration: rather than shipping a config file, the miner pulls its wallet address, mining pool and algorithm from the C2 server at runtime, so the usual XMRig giveaways (a config.json or a command line carrying a pool URL and wallet) never appear on disk. The binary itself is still written to /tmp, so file monitoring of temporary directories and the hidden file name remain valid detection points, and the miner's connection to its pool is still visible on the network.
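The dropper in /tmp, the systemd-logind name spoofing, the localhost listener on 63841 and the hidden .dbus-daemon miner described above all leave host-side traces. The following added example (editor's code, not from the CRIL report) checks for each of them against constructed inputs shaped like real /proc data; the genuine logind paths, the "two traits before reporting" rule and the fake ELF stub are assumptions made for the example.

```python
"""Host-side hunt for the artifacts described above: a process named
systemd-logind that does not run from the genuine binary, a loopback TCP
listener on 63841, and hidden, executable, UPX-packed files in /tmp.
This is example code added to this article, not code from the CRIL report.
All inputs below are constructed samples in the shape of the real /proc data.
"""
import stat

SUSPECT_PORT = 63841
TCP_LISTEN = "0A"                       # st column value in /proc/net/tcp
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Where distributions install the real logind (assumption: extend for your
# images).  A spoofed comm/argv[0] cannot change what /proc/<pid>/exe shows.
REAL_LOGIND = {"/usr/lib/systemd/systemd-logind", "/lib/systemd/systemd-logind"}


def suspicious_process(comm, exe):
    """Return a reason if a process named systemd-logind is not the real one.
    exe is the target of /proc/<pid>/exe; the kernel appends ' (deleted)'
    when the executable was unlinked after it started."""
    if comm != "systemd-logind":
        return None
    deleted = exe.endswith(" (deleted)")
    path = exe[:-len(" (deleted)")] if deleted else exe
    if deleted:
        return f"{comm} runs from unlinked binary {path}"
    if path.startswith(UNTRUSTED_DIRS):
        return f"{comm} runs from a world-writable directory: {path}"
    if path not in REAL_LOGIND:
        return f"{comm} runs from an unexpected path: {path}"
    return None


def parse_proc_net_tcp(text):
    """Yield (local_ip, local_port, state) from /proc/net/tcp text.  Addresses
    are hex with the IPv4 bytes in little-endian order: 0100007F:F961 is
    127.0.0.1:63841."""
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        ip_hex, port_hex = fields[1].split(":")
        ip = ".".join(str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
        yield ip, int(port_hex, 16), fields[3]


def suspect_listeners(text, port=SUSPECT_PORT):
    return [(ip, p) for ip, p, st in parse_proc_net_tcp(text)
            if st == TCP_LISTEN and p == port]


def looks_upx_packed(data):
    """Stock UPX leaves its 'UPX!' magic in the l_info block right after the
    ELF headers and again in the trailing PackHeader.  A modified packer can
    strip it, so a negative result is not proof of an unpacked file."""
    return data[:4] == b"\x7fELF" and (b"UPX!" in data[:4096] or b"UPX!" in data[-64:])


def suspicious_tmp_file(name, mode, data):
    """Reasons a file in /tmp resembles the campaign's dropped payloads."""
    reasons = []
    if name.startswith("."):
        reasons.append("hidden name")
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        reasons.append("executable")
    if looks_upx_packed(data):
        reasons.append("UPX-packed ELF")
    return reasons


def hunt(processes, net_tcp_text, tmp_files):
    """Combine the three checks; returns one human-readable finding per hit."""
    findings = [why for comm, exe in processes
                if (why := suspicious_process(comm, exe))]
    findings += [f"loopback listener on {ip}:{port}"
                 for ip, port in suspect_listeners(net_tcp_text)]
    for name, mode, data in tmp_files:
        reasons = suspicious_tmp_file(name, mode, data)
        if len(reasons) >= 2:                   # one trait alone is too noisy
            findings.append(f"/tmp/{name}: " + ", ".join(reasons))
    return findings


# --- constructed samples ---------------------------------------------------
FAKE_UPX_ELF = b"\x7fELF" + b"\x00" * 0x74 + b"UPX!" + b"\x00" * 256   # stub, not a real binary
SAMPLE_PROCESSES = [
    ("systemd-logind", "/usr/lib/systemd/systemd-logind"),
    ("systemd-logind", "/tmp/Mddos.x86_64"),    # spoofed name, exe tells the truth
    ("sshd", "/usr/sbin/sshd"),
]
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:F961 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 5678 1 0000000000000000 100 0 0 10 0
   2: 0A00000A:C1D2 0B00000A:0016 01 00000000:00000000 00:00000000 00000000  1000        0 9012 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_TMP = [
    (".dbus-daemon", 0o100755, FAKE_UPX_ELF),
    ("Mddos.x86_64", 0o100755, FAKE_UPX_ELF),
    ("notes.txt", 0o100644, b"meeting at ten"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_PROCESSES, SAMPLE_PROC_NET_TCP, SAMPLE_TMP):
        print("[!]", finding)
```

To run it against a live host, feed hunt() the contents of /proc/<pid>/comm paired with the target of /proc/<pid>/exe for each process, the text of /proc/net/tcp, and a (name, st_mode, bytes) triple for each regular file in /tmp. The same listener can be confirmed by hand with ss -ltnp, and the spoofed process with ls -l /proc/<pid>/exe; note that a UPX check on a packed binary is only a hint, since the packer's magic is trivial to remove.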

By combining Mirai-style DDoS with cryptomining, the operators extract revenue from each infected device in two ways at once, a pattern that is becoming common among financially motivated groups. For organizations running Linux servers, cloud workloads or exposed IoT devices, the practical priorities are host hardening, egress and DNS monitoring, and runtime behavioural monitoring, backed by regular patching and proactive hunting for the artifacts described above.

What Undercode Say:

The CRIL findings show a degree of integration that goes beyond a plain botnet or a plain cryptominer. Pairing Mirai-style DDoS with runtime-configured mining indicates that the operators want the maximum return from every compromised device, and the campaign's small on-disk footprint lowers the odds of detection while it keeps persistent control of the host.

The architecture-aware downloader shows the operators want broad coverage, from embedded IoT devices on ARM and MIPS to x86_64 cloud workloads. UPX packing and symbol stripping slow analysis and delay signature creation. Fetching the miner configuration at runtime is the more telling design choice: it lets the operators switch pool, wallet or algorithm across the whole fleet without redeploying a payload, whether for profitability or because a pool or wallet has been blocked, and it removes the static pool and wallet strings that simple signature matching relies on.

Defensively, the campaign shows that perimeter controls alone are not enough. Continuous monitoring, anomaly detection and runtime behavioural analysis are needed to catch both the scanning phase and covert mining. SSH hardening remains the cheapest win: disable password login in favour of keys, forbid root login, and rate-limit with fail2ban or an equivalent. Each control has limits worth knowing: fail2ban slows brute forcing but does nothing about discovery by a SYN sweep, so SSH that does not need to be on the internet should sit behind a VPN or bastion, and exposed services should be inventoried regularly with an external scan.
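A quick way to verify the SSH hardening points above, as an added example (editor's code, not from the CRIL report): the script parses sshd -T output and reports every setting that violates a small policy. The policy values, the MaxAuthTries ceiling and the two sample configurations are assumptions made for the example.

```python
"""Audit the effective sshd configuration against the hardening points above.
Example code added to this article; the policy values are this example's
own assumptions, not settings from the CRIL report.

`sshd -T` prints every effective option as a lowercase keyword followed by
its value, with defaults and Match blocks already resolved (add -C to
evaluate a specific Match context), which makes it a better audit input
than sshd_config itself.
"""
import sys

# Assumed policy: the server must not be reachable by password guessing.
POLICY = {
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "permitrootlogin": {"no", "prohibit-password"},
    "pubkeyauthentication": {"yes"},
}
MAX_AUTH_TRIES = 4          # assumed ceiling; OpenSSH's default is 6

# Constructed excerpts in the shape of `sshd -T` output.
WEAK_SSHD_T = """\
port 22
permitrootlogin yes
passwordauthentication yes
permitemptypasswords no
pubkeyauthentication yes
maxauthtries 6
"""
HARDENED_SSHD_T = """\
port 22
permitrootlogin prohibit-password
passwordauthentication no
permitemptypasswords no
pubkeyauthentication yes
maxauthtries 3
"""


def parse_sshd_t(text):
    """Map keyword -> list of values (some keywords, e.g. hostkey, repeat)."""
    conf = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), []).append(value.strip())
    return conf


def audit_sshd(text):
    """Return [(keyword, actual, expected)] for each policy violation."""
    conf = parse_sshd_t(text)
    failures = []
    for key, allowed in POLICY.items():
        actual = conf.get(key, ["<unset>"])[0]
        if actual not in allowed:
            failures.append((key, actual, "/".join(sorted(allowed))))
    tries = int(conf.get("maxauthtries", ["0"])[0])
    if tries > MAX_AUTH_TRIES:
        failures.append(("maxauthtries", str(tries), f"<= {MAX_AUTH_TRIES}"))
    return failures


if __name__ == "__main__":
    # Live use (sshd -T needs root to read the host keys):
    #   sshd -T | python3 audit_sshd.py
    for key, actual, expected in audit_sshd(sys.stdin.read()):
        print(f"FAIL {key}: is '{actual}', want {expected}")
```

Running the audit against the effective configuration rather than the file catches the common case where a stricter sshd_config is overridden by a Match block or an included drop-in; pair it with fail2ban for rate limiting and an external port scan to confirm that only the intended hosts expose tcp/22 at all.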

The campaign also blurs the line between financially motivated and disruptive operations. Hybrid threats of this kind are likely to increase as attackers realise a single fleet can be rented out for DDoS while mining cryptocurrency in the background. Its resilience mechanisms, such as repeatedly resolving the C2 domain through a fixed public resolver rather than the host's own, are modest individually, but they are exactly the tactics, techniques and procedures (TTPs) that detection engineering should be built around.

It also underscores a broader trend: fileless techniques are no longer confined to Windows. Linux systems, often assumed to be safer because malware targeting them gets less attention, are increasingly in scope. That calls for cross-platform threat intelligence together with endpoint hardening, cloud workload protection and proactive hunting. For organizations that depend on Linux infrastructure, this campaign is a reminder that stealth, adaptability and hybrid monetization are becoming the norm for criminal operations.

Fact Checker Results:

✅ The malware targets Linux servers, cloud workloads, and IoT devices.
✅ It uses a combination of Mirai-derived DDoS and XMRig-based fileless cryptomining.
❌ There is no evidence of successful mass-scale exploitation yet; the campaign is in active observation.

Prediction:

📊 This hybrid attack trend is likely to accelerate, with threat actors developing even more adaptive and cross-platform malware. Expect an increase in Linux-targeted campaigns that combine stealthy cryptomining with network disruption. Organizations that fail to implement proactive monitoring, anomaly detection, and rigorous patch management may face both financial loss and operational disruption.

References:

Reported By: cyberpress.org