
New Stealthy Linux Malware Combines Mirai-Derived DDoS Botnet and Fileless Cryptominer


Security researchers have uncovered a Linux malware campaign that merges Mirai-derived DDoS botnet capabilities with a cryptominer whose configuration never touches disk, a notable step in threats aimed at IoT devices and cloud servers.

The malware, which Cyble Research Intelligence Labs links to the V3G4 family of Mirai variants, uses a multi-stage infection chain that compromises Linux servers and IoT devices across several CPU architectures and keeps persistent access for both denial-of-service attacks and cryptocurrency mining.

Running both payloads on the same device lets the operators monetise each infection twice at once, and the campaign keeps adding techniques, attack vectors and evasion methods.

The attack begins with a compact shell script, which Cyble calls the Universal Bot Downloader, that identifies the victim's CPU architecture with the uname -m command.

Based on the detected architecture—supporting x86_64, ARM64, ARM7, ARM5, MIPS, and MIPSEL variants—the script constructs a tailored download URL and fetches the appropriate bot binary from the attacker-controlled server at 103.149.93.224.

The payload is written to the /tmp directory, assigned executable permissions via chmod, and launched immediately, following classic IoT botnet deployment patterns that prioritize speed and broad compatibility across diverse Linux environments.

Universal Bot Downloader script (Source – Cyble)

Once executed, the UPX-packed, stripped binary gathers system information (kernel details and process limits) to set its operating parameters.

Cyble security analysts noted the malware prints a signature banner “xXxSlicexXxxVEGA” to stdout, matching behavioral patterns of V3G4-Mirai strains previously documented in cloud infections.

The bot then tries to hide: it renames itself to look like the legitimate systemd-logind daemon through a prctl call (which changes only the name in /proc/<pid>/comm that ps and top display, not /proc/<pid>/exe, which still points at the real binary in /tmp), closes the standard I/O streams, and detaches from the controlling terminal with setsid so that it survives the parent shell and no longer appears among the login session's processes.

Environment reconnaissance (Source – Cyble)

The malware's command-and-control layer combines raw TCP socket scanning with DNS-based resilience.

Multiple worker threads send high-rate SYN probes to TCP port 22 across the internet to find reachable SSH servers, which the bot then attempts to brute-force in order to spread.

TCP SYN packets flooding over the SSH port (Source – Cyble)

Concurrently, several threads query Google's public resolver (8.8.8.8) directly, bypassing whatever resolver the host is configured with, to resolve the C2 domain baojunwakuang.asia. It maps to 159.75.47.123, and that host serves both botnet commands and miner configuration over non-standard ports such as 60194.
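The scanning and C2 behaviour above gives a network defender two concrete hunting signals: one internal host emitting SYN-only connections to TCP/22 at many distinct destinations per minute (the scanner threads; a real admin session shows a handful of completed handshakes instead), and the same host resolving the C2 domain through 8.8.8.8 and then connecting to 159.75.47.123 on 60194. The following Python is an added example written for this page, not code from Cyble or from the malware; the log format and the sample flow and DNS lines are constructed, and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime

# Network indicators quoted in the article.
C2_DOMAIN = "baojunwakuang.asia"
C2_IP = "159.75.47.123"
C2_PORT = 60194
PAYLOAD_HOST = "103.149.93.224"   # stage-1 bot binary download server
PUBLIC_RESOLVER = "8.8.8.8"

# Constructed sample logs in an assumed, simplified format (not Cyble's data).
#   flow: "<ISO time> <src> <dst> <dport> <flags>"   "S" = SYN seen, no reply;
#                                                    "SA" = handshake completed
#   dns : "<ISO time> <src> <resolver> <qname> <answer>"
SCANNER = "10.0.0.5"   # the infected host in this sample
ADMIN = "10.0.0.7"     # a legitimate SSH user
FLOW_LINES = [
    f"2024-05-01T10:00:{i:02d} {SCANNER} 203.0.113.{i} 22 S" for i in range(1, 41)
] + [
    f"2024-05-01T09:59:50 {SCANNER} {PAYLOAD_HOST} 80 S",       # stage-1 fetch
    f"2024-05-01T10:01:10 {SCANNER} {C2_IP} {C2_PORT} S",       # C2 / miner config
    f"2024-05-01T10:01:11 {SCANNER} {C2_IP} {C2_PORT} SA",
    f"2024-05-01T10:00:05 {ADMIN} 203.0.113.1 22 S",            # one real session
    f"2024-05-01T10:00:06 {ADMIN} 203.0.113.1 22 SA",
]
DNS_LINES = [
    f"2024-05-01T10:01:00 {SCANNER} {PUBLIC_RESOLVER} {C2_DOMAIN} {C2_IP}",
    f"2024-05-01T10:01:02 {ADMIN} 10.0.0.1 example.org 192.0.2.10",
]


def parse_flow(line):
    ts, src, dst, dport, flags = line.split()
    return {"t": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "flags": flags}


def find_ssh_syn_sprayers(flow_lines, min_distinct=20):
    """Return {src: distinct_dst_count} for hosts that sent SYN-only packets
    to TCP/22 at >= min_distinct distinct destinations within one minute.
    The per-minute bucket is a simplification of a sliding window."""
    buckets = defaultdict(set)
    for f in map(parse_flow, flow_lines):
        if f["dport"] == 22 and f["flags"] == "S":
            buckets[(f["src"], f["t"].replace(second=0))].add(f["dst"])
    hits = {}
    for (src, _), dsts in buckets.items():
        if len(dsts) >= min_distinct:
            hits[src] = max(hits.get(src, 0), len(dsts))
    return hits


def find_c2_contacts(flow_lines, dns_lines):
    """Tie the article's indicators to source hosts: C2 domain resolutions
    (and queries that bypass the local resolver for 8.8.8.8), connections to
    the C2 IP on its non-standard port, and fetches from the payload host."""
    findings = []
    for line in dns_lines:
        _, src, resolver, qname, answer = line.split()
        if qname == C2_DOMAIN or answer == C2_IP:
            findings.append((src, "dns", f"{qname} -> {answer} via {resolver}"))
        if resolver == PUBLIC_RESOLVER:
            findings.append((src, "resolver-bypass", f"{qname} via {resolver}"))
    for f in map(parse_flow, flow_lines):
        if f["dst"] == C2_IP and f["dport"] == C2_PORT:
            findings.append((f["src"], "c2", f"{f['dst']}:{f['dport']} {f['flags']}"))
        elif f["dst"] == PAYLOAD_HOST:
            findings.append((f["src"], "payload", f"{f['dst']}:{f['dport']}"))
    return findings


def suspect_hosts(flow_lines, dns_lines):
    """Hosts that both spray SSH and talk to the C2: high-confidence infections."""
    scanners = set(find_ssh_syn_sprayers(flow_lines))
    c2 = {src for src, kind, _ in find_c2_contacts(flow_lines, dns_lines)
          if kind in ("dns", "c2")}
    return sorted(scanners & c2)


if __name__ == "__main__":
    print(find_ssh_syn_sprayers(FLOW_LINES))
    for finding in find_c2_contacts(FLOW_LINES, DNS_LINES):
        print(finding)
    print(suspect_hosts(FLOW_LINES, DNS_LINES))
```

Treat the SYN-spray count and the C2 indicators as independent signals: the operators can move the domain and port without changing the scanner, so the rate-based check is the one that survives infrastructure rotation, while the indicator match is what confirms this specific campaign.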

Infection Mechanism and Stealth Architecture

The third-stage payload deploys an XMRig-based Monero miner built around detection evasion.

Rather than embedding static configuration files, the malware fetches mining parameters dynamically from the C2 server at runtime.

The loader drops the miner as /tmp/.dbus-daemon so that its name blends in with legitimate processes, then requests its configuration over TCP and receives a JSON blob containing wallet addresses, pool URLs and algorithm settings; the configuration itself is never written to disk, although the miner binary is, under /tmp.

Captured cryptominer configuration (Source – Cyble)

Fetching the configuration at runtime lets the operators rotate wallets and pools without redeploying anything, and leaves no config file for an analyst to recover; the values have to be captured from process memory or from the network.
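Because the bot renames itself with prctl while its executable stays in /tmp, and the miner runs as a hidden file under the same directory, the cheapest host-side check is to compare each process's name against where its executable really lives. The Python below is an added example for this page, not code from Cyble, the malware, or any EDR product. It walks a /proc-style tree, flags processes whose name claims to be a system daemon but whose exe link does not resolve to that daemon's usual path, whose executable runs from a scratch directory or is a hidden file, and (as supporting evidence only) whose standard I/O descriptors are all closed. The daemon paths are assumed common distro locations, and build_fake_proc constructs a fake tree for offline use; point find_masqueraders at the real /proc (as root) on a live host.

```python
import os
import tempfile

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Usual locations of the daemons the sample impersonates on common distros.
# These are assumed paths; extend the sets for your fleet.
EXPECTED_EXE = {
    "systemd-logind": {"/usr/lib/systemd/systemd-logind",
                       "/lib/systemd/systemd-logind"},
    "dbus-daemon": {"/usr/bin/dbus-daemon", "/bin/dbus-daemon"},
}


def inspect_process(pid_dir):
    """Reasons a single /proc/<pid> directory looks like the bot or its miner."""
    try:
        with open(os.path.join(pid_dir, "comm")) as fh:
            comm = fh.read().strip()                 # what prctl(PR_SET_NAME) rewrites
        exe = os.readlink(os.path.join(pid_dir, "exe"))  # what it cannot rewrite
    except OSError:            # kernel thread, process already gone, or not root
        return []
    path = exe[:-len(" (deleted)")] if exe.endswith(" (deleted)") else exe
    reasons = []
    if path.startswith(SCRATCH_DIRS):
        reasons.append(f"executable runs from a scratch directory: {exe}")
    if os.path.basename(path).startswith("."):
        reasons.append(f"executable is a hidden file: {exe}")
    if comm in EXPECTED_EXE and path not in EXPECTED_EXE[comm]:
        reasons.append(f"name {comm!r} does not match executable {exe}")
    # Closed stdio is only supporting evidence: genuine daemons usually keep
    # fds 0/1/2 open on /dev/null, but on its own this check would be noisy.
    fd_dir = os.path.join(pid_dir, "fd")
    fds = set(os.listdir(fd_dir)) if os.path.isdir(fd_dir) else set()
    if reasons and not ({"0", "1", "2"} & fds):
        reasons.append("stdin/stdout/stderr are all closed")
    return reasons


def find_masqueraders(proc_root="/proc"):
    """Map pid -> reasons for every suspicious process under proc_root."""
    hits = {}
    for pid in os.listdir(proc_root):
        if pid.isdigit():
            reasons = inspect_process(os.path.join(proc_root, pid))
            if reasons:
                hits[pid] = reasons
    return hits


def build_fake_proc(root=None):
    """Constructed /proc tree mirroring the article's process picture:
    a real systemd-logind and sshd, the bot masquerading as systemd-logind
    from /tmp, and the miner running as /tmp/.dbus-daemon."""
    root = root or tempfile.mkdtemp()
    procs = {
        "100": ("systemd-logind", "/usr/lib/systemd/systemd-logind", ["0", "1", "2", "3"]),
        "777": ("sshd", "/usr/sbin/sshd", ["0", "1", "2", "5"]),
        "2345": ("systemd-logind", "/tmp/x86_64", ["3", "4", "5"]),    # the bot
        "2400": ("dbus-daemon", "/tmp/.dbus-daemon", ["3"]),           # the miner
    }
    for pid, (comm, exe, fds) in procs.items():
        d = os.path.join(root, pid)
        os.makedirs(os.path.join(d, "fd"))
        with open(os.path.join(d, "comm"), "w") as fh:
            fh.write(comm + "\n")
        os.symlink(exe, os.path.join(d, "exe"))   # a dangling target is fine here
        for fd in fds:
            open(os.path.join(d, "fd", fd), "w").close()
    return root


if __name__ == "__main__":
    for pid, reasons in find_masqueraders(build_fake_proc()).items():
        print(pid, reasons)
```

The exe link is the decisive field: a process can change its comm and even overwrite argv, but /proc/<pid>/exe always resolves to the binary the kernel mapped, and the kernel appends " (deleted)" if that binary has since been unlinked, which is itself worth a flag.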

The combination of masqueraded processes, raw-socket scanning and runtime configuration delivery shows how current botnets balance stealth against monetisation on compromised Linux hosts.

The post New Stealthy Linux Malware Combines Mirai-Derived DDoS Botnet and Fileless Cryptominer appeared first on Cyber Security News.

Source: cybersecuritynews.com
