Botnet C2 platform | Image: CRIL
Cyble Research and Intelligence Labs (CRIL) has discovered an active in-the-wild Linux botnet campaign dubbed “Luno,” which combines cryptomining, remote command execution, and modular DDoS capabilities into a single resilient malware framework.
According to CRIL, “The Luno Botnet campaign is carried out with a dual motivation: Cryptomining and DDoS-as-Service.” Unlike typical cryptominers or DDoS botnets, LunoC2 demonstrates long-term infrastructure ambitions, integrating process masquerading, binary replacement, and a self-update system that ensures persistence and monetization flexibility.
The malware showcases unusually strong resilience. CRIL notes that “LunoC2 incorporates robust anti-analysis, self-healing via infinite loop watchdogs, signal resistance for termination signals, and disguises itself as legitimate processes.”
It also uses session detachment (setsid) to daemonize execution and employs mkstemp polymorphism to generate unique filenames for its self-updates, leaving fewer forensic traces. Additionally, it terminates any unauthorized process attempting to use its sockets, ensuring exclusivity for its operations.
Luno silently deploys the popular XMRig miner. As CRIL explains, “The malware then silently downloads the xmrig miner from main.botnet[.]world… and saves it as /bin/ash.” This binary replacement targets resource-constrained Linux distributions like BusyBox, Alpine Linux, and OpenWrt, maximizing CPU usage for Monero mining while blending into legitimate system utilities.
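A defender-side check for the two behaviours described above, the replacement of /bin/ash with a miner and the masquerading of processes under legitimate names. This is an added example, not code from CRIL or from the report; the miner marker strings, the watched binary paths and the sample process records are constructed assumptions, not indicators published on this page.

```python
import os
from pathlib import Path

# Strings commonly present in a stock XMRig build (constructed list, not page IoCs).
MINER_MARKERS = (b"xmrig", b"stratum+tcp", b"randomx", b"donate-level")
# Shells the report says the miner overwrites on BusyBox/Alpine/OpenWrt hosts.
WATCHED_BINARIES = ("/bin/ash", "/bin/sh", "/bin/busybox")

# Constructed sample of (pid, comm, exe) records as read from /proc, for offline use.
SAMPLE_PROCS = [
    (1, "systemd", "/usr/lib/systemd/systemd"),
    (4242, "kworker/0:1", "/tmp/tmpQ7xk2L"),       # mkstemp-style name, kernel-thread disguise
    (777, "ash", "/bin/ash (deleted)"),            # binary swapped out while still running
]

def binary_looks_like_miner(data):
    """Return the miner markers found in a binary's bytes (empty list means none found)."""
    low = data.lower()
    return [m.decode() for m in MINER_MARKERS if m in low]

def masquerading_processes(procs):
    """Flag records whose comm (what ps shows) does not match the mapped executable,
    or whose executable has been deleted from disk. comm is truncated to 15 chars by
    the kernel, so a prefix match is used instead of equality."""
    hits = []
    for pid, comm, exe in procs:
        base = os.path.basename(exe.replace(" (deleted)", ""))
        if exe.endswith(" (deleted)") or not base.startswith(comm):
            hits.append((pid, comm, exe))
    return hits

def live_procs():
    """Yield (pid, comm, exe) for every readable process on a Linux host (root sees all)."""
    for p in Path("/proc").iterdir():
        if p.name.isdigit():
            try:
                yield int(p.name), (p / "comm").read_text().strip(), os.readlink(p / "exe")
            except OSError:
                continue

def audit_watched_binaries(paths=WATCHED_BINARIES):
    """Map each watched shell path to the miner markers found in it (only hits are kept)."""
    findings = {}
    for path in paths:
        try:
            markers = binary_looks_like_miner(Path(path).read_bytes())
        except OSError:
            continue
        if markers:
            findings[path] = markers
    return findings

if __name__ == "__main__":
    print("replaced shells:", audit_watched_binaries())
    print("masquerading:", masquerading_processes(live_procs()))
```

A marker hit on a shell binary should be confirmed against the package manager's file hash before remediation, since legitimate builds never embed pool or donation strings.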
One of Luno’s most notable features is its modular DDoS engine. CRIL reports: “The DDoS modules are specifically designed to target gaming platforms and offer a range of attack capabilities.”
The botnet supports dozens of DDoS attack types, including udp-flood, syn-flood, HTTP floods, WebSocket floods, RakNet floods, fake Minecraft logins, Roblox-specific floods, and Valorant QUIC floods. Each method is tunable by target, time, method, and thread count, which points to a botnet-for-hire model aimed at gaming services.
The threat actors behind Luno actively advertise and manage operations via Telegram. CRIL observed: “It was identified that the threat actor is selling DDoS services via a Telegram channel created on 28/07/2025.” The operator, using the handle “udpboss”, frequently updates the modules and tests them against real-world infrastructure providers like Hetzner and nuxt[.]cloud.
CRIL concludes that “LunoC2 represents a step-change in Linux botnet sophistication. Its ability to replace core system binaries, run a watchdog-driven self-healing loop, mine cryptocurrency, and launch modular DDoS attacks marks it as both a financially motivated cryptojacker and a botnet-as-a-service platform.”
Given its resilience, adaptability, and monetization potential, defenders are urged to treat Luno as a long-term threat to internet-facing Linux servers, particularly those hosting online games and services.