Particle.news

Flare Uncovers 'SSHStalker' Linux Botnet Using IRC Control and 2009-Era Exploits

Researchers say the scale-first operation remains largely idle despite roughly 7,000 cloud targets.

Overview

  • Initial access relies on automated SSH scanning and brute forcing using a Go binary that impersonates nmap, with compromised hosts scanning for additional targets.
  • Persistence is maintained through one-minute cron watchdog jobs, and the malware compiles payloads on victims by installing GCC for on-host builds.
  • The toolkit mixes multiple IRC bot variants, a Perl bot, and older families like Tsunami and Kaiten alongside a cache of 2009–2010 Linux kernel exploits aimed at outdated systems.
  • Investigators found evidence of nearly 7,000 January scan results concentrated on cloud infrastructure, with a strong footprint on Oracle Cloud environments.
  • Capabilities include AWS key harvesting, cryptomining kits such as PhoenixMiner, and DDoS tooling, yet researchers observed the bots largely idle on public IRC infrastructure. Recommended controls include disabling SSH password logins, monitoring compiler use and IRC-style egress, removing compilers from images, and enforcing egress filtering.
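The SSH brute-force entry and the every-minute cron watchdog described above can be turned into a simple log check. The Python below is an added example written for this summary, not code from Flare or from the botnet itself; the sshd log lines and crontab entries are constructed sample data, and the threshold of five failures within 60 seconds is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log excerpt (sample data, not captured telemetry).
AUTH_LOG = """\
Jan 14 03:12:01 host sshd[1001]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 14 03:12:02 host sshd[1002]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jan 14 03:12:03 host sshd[1003]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jan 14 03:12:04 host sshd[1004]: Failed password for root from 203.0.113.7 port 51025 ssh2
Jan 14 03:12:05 host sshd[1005]: Failed password for root from 203.0.113.7 port 51026 ssh2
Jan 14 03:12:06 host sshd[1006]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Jan 14 09:00:00 host sshd[2001]: Failed password for alice from 198.51.100.5 port 40000 ssh2
Jan 14 09:30:00 host sshd[2002]: Accepted publickey for alice from 198.51.100.5 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?\S+ "
    r"from (?P<ip>[\d.]+) port"
)

def ssh_bruteforce_sources(log_text, threshold=5, window_s=60):
    """Return {ip: verdict} for sources with >= threshold failed logins inside a
    sliding window; verdict is 'compromised' if a password login later succeeded."""
    events = defaultdict(list)  # ip -> [(timestamp, result, auth method)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
            events[m["ip"]].append((ts, m["result"], m["method"]))
    verdicts = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [t for t, r, _ in evs if r == "Failed"]
        burst_end = None
        for i in range(threshold - 1, len(fails)):  # slide over failure timestamps
            if fails[i] - fails[i - threshold + 1] <= timedelta(seconds=window_s):
                burst_end = fails[i]
                break
        if burst_end is None:
            continue
        pw_success = any(r == "Accepted" and meth == "password" and t >= burst_end
                         for t, r, meth in evs)
        verdicts[ip] = "compromised" if pw_success else "bruteforce"
    return verdicts

def every_minute_cron(crontab_text):
    """Flag crontab entries scheduled every minute (the watchdog persistence pattern)."""
    return [l for l in crontab_text.splitlines()
            if re.match(r"^\s*\*\s+\*\s+\*\s+\*\s+\*\s+\S", l)]
```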