Mechanism of Monaco Attack | Image: Eclypsium
Security researchers at Eclypsium have identified two distinct and previously undocumented malware strains targeting Linux-based systems. On March 6, 2026, the team captured samples of a new CondiBot DDoS variant and an active cryptojacking operation dubbed “Monaco.”
These discoveries highlight the persistent threat to the Linux ecosystem, as attackers refine their tools to turn everything from high-end servers to simple IoT routers into malicious nodes.
The first threat, CondiBot, is a sophisticated evolution of the notorious Mirai botnet. This multi-architecture binary is written in C and is specifically engineered to conscript compromised Linux devices into massive, remotely controlled networks for launching large-scale Distributed Denial of Service (DDoS) attacks.
What makes this variant particularly dangerous is its vendor-agnostic nature. While early analysis focused on specific network vendors, researchers concluded it is a universal threat.
“It is a generic Linux Botnet agent that tries multiple download methods across multiple filesystems with a variety of architecture payloads for arm, mips and x86. It can work on any vulnerable linux device regardless of the vendor.”
The second strain, nicknamed “Monaco,” operates as a dual-threat SSH scanner and cryptocurrency miner. This operation targets a wide array of hardware, including servers, IoT devices, and network routers, by systematically brute-forcing weak SSH credentials.
The “Monaco” infection chain is highly automated and aggressive. Upon successfully guessing a password, the malware performs a series of strategic steps:
- Reconnaissance: It scans random public IP addresses on port 22, covering an estimated 3.6 billion IPs while excluding private ranges.
- Initial Access: It utilizes a hardcoded list of over 50 common passwords, such as root, admin, 123456, and India@123.
- Deployment: On success, it copies itself to /tmp/monaco, kills any competing miners already on the system, and tunes the CPU for maximum efficiency before deploying XMRig to mine cryptocurrency.
“Reports compromised credentials back to C2 over raw TCP… Utilizes resiliency techniques (daemonization, forking backup processes), survives SIGTERM/SIGINT, and watchdog restarts.”
Eclypsium analysts assess with high confidence that the “Monaco” operation is the work of a Chinese-speaking threat actor. Evidence includes the infrastructure being hosted on Alibaba Cloud Singapore and the use of cloud IDE workspace patterns consistent with Chinese platforms.
Despite its wide reach, the researchers noted the operation currently displays “low sophistication,” citing an open directory listing on the C2 server and the use of a default XMRigCC token, mySecret.
The emergence of these threats serves as a critical reminder to secure all Linux-based infrastructure, especially at the network edge.
Recommended Defensive Measures:
- Strong Password Policies: Immediately change all default credentials on IoT devices and routers to complex, unique passwords.
- Disable Unused SSH: If remote SSH access is not required, disable it entirely or restrict it behind a VPN.
- Monitor Resource Spikes: Keep a close watch on CPU usage; sudden, unexplained spikes often indicate the presence of a hidden crypto-miner.
- Network Segmentation: Isolate IoT and network devices from critical server environments to prevent lateral movement.
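Changing default passwords removes the guessable credentials, but the brute-force surface itself only goes away when password authentication is switched off on the SSH daemon, so an audit of sshd_config belongs next to the measures above. The checker below is an added example written for this article (not Eclypsium's tooling) and goes slightly beyond the list by verifying a key-only baseline; it assumes OpenSSH's documented parsing rules, namely that keywords are case-insensitive, that the first occurrence of a keyword wins outside Match blocks, and that settings inside a Match block are conditional. Both sample configurations are constructed.

```python
# Hardened baseline for the keywords that matter against credential guessing.
# Values are compared lower-cased; sshd treats keywords case-insensitively.
EXPECTED = {
    "passwordauthentication": {"no"},
    "permitrootlogin": {"no", "prohibit-password"},
    "kbdinteractiveauthentication": {"no"},
    "permitemptypasswords": {"no"},
}

# OpenSSH's defaults when a keyword is absent from the file entirely.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
}


def parse_sshd_config(text):
    """Return the effective global settings of an sshd_config.

    Follows sshd's own rules: comments and blank lines are ignored, keywords
    may be separated from values by whitespace or a single '=', the FIRST
    occurrence of a keyword wins, and everything after a Match line is
    conditional and therefore not part of the global baseline."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Return (keyword, effective_value, origin) for every setting that
    deviates from EXPECTED; origin says whether the value came from the file
    or from sshd's built-in default."""
    settings = parse_sshd_config(text)
    findings = []
    for key, allowed in EXPECTED.items():
        origin = "explicit" if key in settings else "default"
        value = settings.get(key, DEFAULTS[key]).lower()
        if value not in allowed:
            findings.append((key, value, origin))
    return findings


# Constructed example of a weak configuration. The second
# PasswordAuthentication line is the classic mistake: appended by an operator
# who believed it would take effect, but sshd keeps the first value.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later, silently ignored by sshd:
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""

# Constructed example of a configuration that meets the baseline.
HARDENED_CONFIG = """\
PasswordAuthentication no
PermitRootLogin prohibit-password
KbdInteractiveAuthentication = no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

On a live host, feed it the contents of /etc/ssh/sshd_config (and any files pulled in by Include directives, which this example does not follow) and resolve every finding before exposing port 22 to the Internet; the "default" origin on KbdInteractiveAuthentication is the one most often missed, because the keyword is simply absent from many stock configurations and sshd's default permits it.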