AhnLab ASEC identified an ongoing Linux-targeted cryptomining campaign that compromises internet-exposed SSH servers using brute-force attacks against weak credentials. Once access is obtained, attackers deploy a multi-stage malware toolkit consisting of Go-based downloaders and propagation malware, customized XMRig miners, ShellBot, XHide, and log-cleaning utilities. The malware establishes persistence through systemd services and cron jobs, disguises its activity by hiding processes and manipulating common Linux commands, and continues propagating by scanning for additional vulnerable SSH servers. The campaign has reportedly been active since at least 2023 and primarily targets poorly secured Linux environments for cryptocurrency mining and additional post-compromise activities.
Type
Campaign
Actors
Pub. date
July 12, 2026
Initial access
Password attack
Impact
Resource hijacking
Observed techniques
Observed tools
Targeted technologies
References
Status
Finalized
Last edited
Jul 15, 2026 12:43 PM