The researchers observed a malicious IP address, previously flagged for conducting SSH brute-force attempts, communicating with a malicious shell script named hoze. This script downloads xrx.tar, an archive containing further scripts that uninstall security software and set executable permissions, together with config.json, a crypto-mining configuration file.
The investigation also revealed a public SSH key related to the threat actor, previously associated with an earlier CoinMiner campaign that also targeted misconfigured Linux SSH servers. Based on this connection and the presence of the crypto-mining configuration file, the researchers concluded that this latest campaign is most likely targeting servers to hijack them for crypto-mining as well.
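As an added defender-side example (not code from the researchers' report), the following Python checks for the two host-level traces this kind of campaign leaves: repeated sshd password failures from one source that are then followed by a successful login, and authorized_keys entries whose fingerprint is not on a known-good allowlist. The log lines, key blobs and allowlist are constructed for the example.

```python
import base64
import hashlib
import re
from collections import Counter

# Constructed sshd log lines (not from the report): 203.0.113.7 guesses root's
# password repeatedly and finally gets in; 198.51.100.9 is a single failure.
SAMPLE_AUTH_LOG = """\
Apr 01 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Apr 01 10:00:02 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Apr 01 10:00:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 51024 ssh2
Apr 01 10:00:09 host sshd[1206]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Apr 01 10:01:00 host sshd[1210]: Failed password for alice from 198.51.100.9 port 40000 ssh2
"""
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \w+ for \S+ from (\S+) port")

def brute_force_sources(log_text, threshold=3):
    """Map each source IP with >= threshold failures to (failures, logged_in_afterwards)."""
    failed, succeeded = Counter(), set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed[m.group(1)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and failed[m.group(1)]:  # a success counts only after earlier failures
            succeeded.add(m.group(1))
    return {ip: (n, ip in succeeded) for ip, n in failed.items() if n >= threshold}

def _blob(text):  # constructed stand-in for a real key blob, base64 like the real thing
    return base64.b64encode(text.encode()).decode()

# Constructed authorized_keys content: one expected key and one unknown key.
SAMPLE_AUTHORIZED_KEYS = (
    f"ssh-ed25519 {_blob('constructed-key-blob-alice')} alice@laptop\n"
    f"ssh-rsa {_blob('constructed-key-blob-unknown')} root@unknown\n"
)

def key_fingerprint(authorized_keys_line):
    """OpenSSH-style 'SHA256:<unpadded base64>' fingerprint of the line's key blob."""
    tokens = authorized_keys_line.split()
    # Options such as command="..." may precede the key type; locate the type token.
    idx = next(i for i, t in enumerate(tokens) if t.startswith(("ssh-", "ecdsa-", "sk-")))
    digest = hashlib.sha256(base64.b64decode(tokens[idx + 1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def unexpected_keys(authorized_keys_text, allowed_fingerprints):
    """Return (comment, fingerprint) for every key whose fingerprint is not allowlisted."""
    found = []
    for line in authorized_keys_text.splitlines():
        if line.strip() and not line.startswith("#"):
            fp = key_fingerprint(line)
            if fp not in allowed_fingerprints:
                found.append((line.split()[-1], fp))
    return found
```

Run the two checks over the real /var/log/auth.log (or journalctl -u ssh output) and every user's ~/.ssh/authorized_keys; a brute-forced source that then succeeds, or a key nobody provisioned, is the point at which to look for the dropped scripts and miner configuration.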