New Malware Campaigns Turn Network Devices Into DDoS Nodes and Crypto-Mining Bots

By Jennifer Sherman, March 18, 2026 (4 min read)

Key Takeaways

  • Two novel malware strains, CondiBot and Monaco, are actively compromising network infrastructure, including routers, IoT devices, and enterprise equipment.
  • CondiBot, a Mirai-based variant, transforms infected Linux devices into DDoS botnet nodes, while Monaco, a Go-based SSH scanner and crypto miner, deploys Monero mining software.
  • These campaigns represent a growing trend where financially motivated actors are leveraging vulnerabilities previously favored by nation-state APTs.
  • Traditional endpoint security tools often lack visibility into these embedded network devices, allowing malware to persist undetected for extended periods.
  • Immediate action is required, including strong SSH credentials, firmware integrity monitoring, and rapid patching, to mitigate the risk.

Cybersecurity researchers have uncovered two previously undocumented malware campaigns that are stealthily converting critical network infrastructure into tools for malicious operations. These sophisticated strains are turning routers, various IoT devices, and enterprise network hardware into involuntary participants in large-scale distributed denial-of-service (DDoS) attacks and illicit cryptocurrency mining schemes.

The emergence of these campaigns underscores a significant evolution in the threat landscape, where attackers are increasingly targeting the foundational network components that organizations rely on daily.

Discovery of New Threats: CondiBot and Monaco

On March 6, 2026, security analysts successfully captured fresh samples of these two distinct and previously uncataloged malware strains.

The first, dubbed CondiBot, functions as a DDoS botnet. It is built upon the widely recognized Mirai framework and engineered to infect Linux-based network devices, subsequently transforming them into remotely controllable nodes capable of unleashing overwhelming traffic floods against targeted systems.

The second strain, named “Monaco,” presents itself as an advanced SSH scanner and cryptocurrency miner. Developed using Go 1.24.0, Monaco infiltrates servers, routers, and IoT devices by brute-forcing weak SSH credentials. Once access is gained, it covertly deploys Monero cryptocurrency mining software.

Notably, neither CondiBot nor Monaco had been previously detected or flagged by prominent threat intelligence platforms such as VirusTotal, ThreatFox, or Hybrid Analysis prior to their discovery.

Researchers from Eclypsium were instrumental in identifying both malware strains. Their findings highlight a critical shift: targeting network infrastructure is no longer exclusively the domain of nation-state advanced persistent threat (APT) groups. The analysis confirms an escalating trend where financially motivated actors, including those engaged in crypto-mining, are actively exploiting the same vulnerabilities that state-sponsored hackers have historically favored.

Escalating Threat Landscape

This concern is corroborated by broader trends in the threat landscape. The 2025 Verizon Data Breach Investigations Report indicated an alarming eight-fold increase in vulnerability exploits specifically targeting network devices. The report also noted a median time to exploit of zero days, while the median time to patch these vulnerabilities extended to 30 days.

Reinforcing this observation, Google’s Threat Intelligence Group reported that nearly a quarter of all zero-day vulnerabilities exploited in 2025 were directed at network and security systems. This data unequivocally confirms that this particular attack surface is rapidly becoming a primary battleground for malicious actors.

A significant factor contributing to the danger posed by these campaigns is a fundamental visibility gap prevalent in most enterprise environments. The majority of endpoint detection and response (EDR) tools are completely blind to the embedded firmware layers of network appliances. Since these devices cannot host traditional security agents, attackers can operate with impunity for months, silently siphoning compute power or establishing footholds for more extensive attacks against downstream targets.

Figure: Mechanism of Attack (Source: Eclypsium)

CondiBot’s Infection Mechanism and Persistence Tactics

CondiBot initiates its attack sequence immediately upon gaining access to a vulnerable Linux device. Its payload delivery mechanism employs a diverse array of file transfer utilities, including wget, curl, tftp, and ftpget. This multi-pronged approach ensures the malicious binary successfully reaches its target, irrespective of the specific tools available on the compromised device.

Once executed, the binary takes immediate steps to secure its presence by disabling the system’s reboot utilities. It achieves this by setting their file permissions to 000, effectively preventing a simple system restart from clearing the infection. Following this, CondiBot establishes a connection to its command-and-control (C2) server, registering itself using a unique bot identifier.

After successful registration, CondiBot enters a waiting state, actively listening for attack commands from the C2 server. Upon receiving an order, it deploys one of its 32 registered attack handlers against the specified target. This represents a notable expansion compared to earlier Condi variants documented by Fortinet in 2023, which featured a significantly smaller number of attack modules. Analysts also extracted a string labeled “QTXBOT” from the binary, an internal identifier not found in previous Condi documentation, suggesting this could be a forked variant or a distinct build maintained by a different developer group.

The malware also employs aggressive tactics to eliminate competing botnets on the same infected device, including terminating a process named /bin/sora. This ensures CondiBot maintains exclusive control over the compromised system’s resources. Furthermore, it manipulates the hardware watchdog feature to keep the device operational without interruption, making the infection exceptionally difficult to remove without direct physical intervention.
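The reboot-utility tampering described above leaves a simple, checkable trace on the device. The following POSIX shell audit is an added example written for this article, not code from Eclypsium or from the malware analysis; the utility paths are assumptions to be adjusted for the device's layout, and the ROOT parameter lets the check run against a mounted firmware image or a test directory instead of the live filesystem.

```shell
#!/bin/sh
# Added example (not from the article or Eclypsium): audit a Linux device for the
# CondiBot persistence indicator described above, reboot utilities set to mode 000.

# Reboot-related utilities the malware is described as disabling. Paths are
# assumptions; BusyBox-based firmware often symlinks these to /bin/busybox,
# in which case the link target's mode is what matters.
REBOOT_UTILS="sbin/reboot sbin/shutdown sbin/halt sbin/poweroff bin/reboot"

# Print a file's permission bits in octal, following symlinks.
# GNU and BusyBox stat take -c '%a'; BSD/macOS stat needs -f '%Lp'.
file_mode() {
    if stat -L -c '%a' "$1" >/dev/null 2>&1; then
        stat -L -c '%a' "$1"
    else
        stat -L -f '%Lp' "$1"
    fi
}

# check_reboot_utils ROOT
#   Returns 0 when every present reboot utility under ROOT has usable
#   permissions, 1 when at least one has mode 000 (each offender is printed).
check_reboot_utils() {
    root="${1:-/}"
    found=0
    for rel in $REBOOT_UTILS; do
        path="${root%/}/$rel"
        [ -e "$path" ] || continue          # skip utilities this device lacks
        mode=$(file_mode "$path")
        # stat prints mode 000 as "0" (no leading zeros)
        if [ "$mode" = "0" ]; then
            echo "ALERT: $path has mode 000 (reboot disabled; CondiBot-style persistence)"
            found=1
        fi
    done
    return $found
}

# Usage: sh audit_reboot_utils.sh /          (or the path of a mounted firmware root)
[ -n "${1:-}" ] && check_reboot_utils "$1"
```

A non-zero exit from the script is the signal to pull the device for a firmware-level investigation, since the page notes that a plain restart will not clear the infection.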

What You Should Do

  • Enforce Strong SSH Security: Implement strong, unique SSH credentials across all internet-facing devices and disable default passwords immediately.
  • Monitor Firmware Integrity: Apply firmware integrity monitoring solutions to routers, firewalls, and all IoT equipment to detect unauthorized modifications.
  • Prioritize Patching: Apply security patches as quickly as possible, especially given the observed zero-day exploit timelines for network devices.
  • Monitor Network Traffic and Processes: Continuously monitor network appliances for unusual outbound traffic patterns and unexpected processes, which could indicate compromise.
  • Enhance Visibility: Investigate security solutions that offer deeper visibility into the embedded firmware layers of network devices, beyond traditional endpoint agents.
