Wiz Research uncovered a sophisticated malware campaign by the Romanian-speaking Diicot threat group targeting Linux systems, especially in cloud environments. This campaign demonstrates notable advancements over previous iterations, such as corrupted UPX headers, cloud-specific payload behavior, and improved persistence mechanisms. Diicot, previously documented for its use of self-propagating tools, cryptomining malware, and evasion techniques, has further refined its capabilities, adapting to modern defenses and leveraging insights from threat intelligence. Their new malware variants include cloud-aware payloads that prioritize spreading in cloud environments and deploy cryptominers in traditional setups, emphasizing the attackers’ strategy to exploit both environments efficiently.
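Packed binaries whose UPX headers have been deliberately damaged cannot be unpacked with `upx -d`, but the stub's own marker strings usually survive the tampering, and that inconsistency is detectable. The triage helper below is an added example written for this summary, not code from Wiz Research or from the campaign's samples; the marker strings, the `UPX!` magic and the trailing-header window are heuristics assumed here, and the sample inputs are constructed byte blobs, not real malware.

```python
"""Heuristic triage for ELF files that look UPX-packed but whose UPX headers
were damaged (a detection aid for incident responders, not an unpacker)."""
import re

ELF_MAGIC = b"\x7fELF"
UPX_MAGIC = b"UPX!"                       # magic of the l_info block and the trailing PackHeader
# Text the UPX stub embeds in packed files; it normally survives header tampering.
STUB_MARKERS = (b"$Info: This file is packed with the UPX", b"UPX Team")
TAIL_WINDOW = 64                          # assumption: PackHeader sits within the last 64 bytes

def triage_upx(data: bytes) -> dict:
    """Classify a file as 'no-upx', 'upx-packed' or 'upx-header-tampered'."""
    reasons = []
    is_elf = data.startswith(ELF_MAGIC)
    has_stub = any(marker in data for marker in STUB_MARKERS)
    magic_offsets = [m.start() for m in re.finditer(re.escape(UPX_MAGIC), data)]
    if not has_stub and not magic_offsets:
        return {"elf": is_elf, "verdict": "no-upx", "reasons": reasons}
    if has_stub and not magic_offsets:
        reasons.append("UPX stub text present but every UPX! magic has been overwritten")
    elif has_stub and not any(off >= len(data) - TAIL_WINDOW for off in magic_offsets):
        reasons.append("no UPX! magic in the trailing PackHeader window")
    verdict = "upx-header-tampered" if reasons else "upx-packed"
    return {"elf": is_elf, "verdict": verdict, "reasons": reasons}

# Constructed samples: a minimal ELF64 header shell, a stub marker, and a fake trailer.
def fake_packed(tamper: bool) -> bytes:
    head = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 57          # 64-byte ELF64 header shell
    stub = b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $\x00"
    body = UPX_MAGIC + b"\x00" * 200 + stub + b"\x00" * 100
    trailer = UPX_MAGIC + b"\x00" * 28
    blob = head + body + trailer
    # Tampering modelled here: every UPX! magic zeroed, stub text left intact.
    return blob.replace(UPX_MAGIC, b"\x00" * 4) if tamper else blob

if __name__ == "__main__":
    for tampered in (False, True):
        print(triage_upx(fake_packed(tampered)))
```

A verdict of `upx-header-tampered` on a production host is worth a closer look even when the file's hash is unknown, since legitimate packed software has no reason to break its own unpacking.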
Key features of this campaign include the use of HTTP-based C2 communication, advanced brute-force techniques to exploit weak SSH credentials, and modular payloads with reverse shell and scanning capabilities. Evidence from attacker-controlled servers reveals a significant focus on cryptomining, with over $16,000 traced to Monero mining alone. The campaign's infrastructure has been active since October 2024, with frequent updates to evade detection.