New Malware Campaigns Turn Network Devices Into DDoS Nodes and Crypto-Mining Bots
Key Takeaways
- Two novel malware strains, CondiBot and Monaco, are actively compromising network infrastructure, including routers, IoT devices, and enterprise equipment.
- CondiBot, a Mirai-based variant, transforms infected Linux devices into DDoS botnet nodes, while Monaco, a Go-based SSH scanner and crypto miner, deploys Monero mining software.
- These campaigns represent a growing trend where financially motivated actors are leveraging vulnerabilities previously favored by nation-state APTs.
- Traditional endpoint security tools often lack visibility into these embedded network devices, allowing malware to persist undetected for extended periods.
- Immediate action is required, including strong SSH credentials, firmware integrity monitoring, and rapid patching, to mitigate the risk.
Cybersecurity researchers have uncovered two previously undocumented malware campaigns that are stealthily converting critical network infrastructure into tools for malicious operations. These sophisticated strains are turning routers, various IoT devices, and enterprise network hardware into involuntary participants in large-scale distributed denial-of-service (DDoS) attacks and illicit cryptocurrency mining schemes.
The emergence of these campaigns underscores a significant evolution in the threat landscape, where attackers are increasingly targeting the foundational network components that organizations rely on daily.
Discovery of New Threats: CondiBot and Monaco
On March 6, 2026, security analysts successfully captured fresh samples of these two distinct and previously uncataloged malware strains.
The first, dubbed CondiBot, functions as a DDoS botnet. It is built upon the widely recognized Mirai framework and engineered to infect Linux-based network devices, subsequently transforming them into remotely controllable nodes capable of unleashing overwhelming traffic floods against targeted systems.
The second strain, named “Monaco,” presents itself as an advanced SSH scanner and cryptocurrency miner. Developed using Go 1.24.0, Monaco infiltrates servers, routers, and IoT devices by brute-forcing weak SSH credentials. Once access is gained, it covertly deploys Monero cryptocurrency mining software.
Notably, neither CondiBot nor Monaco had been previously detected or flagged by prominent threat intelligence platforms such as VirusTotal, ThreatFox, or Hybrid Analysis prior to their discovery.
Researchers from Eclypsium were instrumental in identifying both malware strains. Their findings highlight a critical shift: targeting network infrastructure is no longer exclusively the domain of nation-state advanced persistent threat (APT) groups. The analysis confirms an escalating trend where financially motivated actors, including those engaged in crypto-mining, are actively exploiting the same vulnerabilities that state-sponsored hackers have historically favored.
Escalating Threat Landscape
This concern is further corroborated by broader trends in the threat landscape. The 2025 Verizon Data Breach Investigations Report indicated an alarming eight-fold increase in vulnerability exploits specifically targeting network devices. The report also noted a median time to exploit of zero days, while the median time to patch these vulnerabilities extended to 30 days.
Reinforcing this observation, Google’s Threat Intelligence Group reported that nearly a quarter of all zero-day vulnerabilities exploited in 2025 were directed at network and security systems. This data unequivocally confirms that this particular attack surface is rapidly becoming a primary battleground for malicious actors.
A significant factor contributing to the danger posed by these campaigns is a fundamental visibility gap prevalent in most enterprise environments. The majority of endpoint detection and response (EDR) tools are completely blind to the embedded firmware layers of network appliances. Since these devices cannot host traditional security agents, attackers can operate with impunity for months, silently siphoning compute power or establishing footholds for more extensive attacks against downstream targets.

CondiBot’s Infection Mechanism and Persistence Tactics
CondiBot initiates its attack sequence immediately upon gaining access to a vulnerable Linux device. Its payload delivery mechanism employs a diverse array of file transfer utilities, including wget, curl, tftp, and ftpget. This multi-pronged approach ensures the malicious binary successfully reaches its target, irrespective of the specific tools available on the compromised device.
Once executed, the binary takes immediate steps to secure its presence by disabling the system’s reboot utilities. It achieves this by setting their file permissions to 000, effectively preventing a simple system restart from clearing the infection. Following this, CondiBot establishes a connection to its command-and-control (C2) server, registering itself using a unique bot identifier.
After successful registration, CondiBot enters a waiting state, actively listening for attack commands from the C2 server. Upon receiving an order, it deploys one of its 32 registered attack handlers against the specified target. This represents a notable expansion compared to earlier Condi variants documented by Fortinet in 2023, which featured a significantly smaller number of attack modules. Analysts also extracted a string labeled “QTXBOT” from the binary, an internal identifier not found in previous Condi documentation, suggesting this could be a forked variant or a distinct build maintained by a different developer group.
The malware also employs aggressive tactics to eliminate competing botnets on the same infected device, including terminating a process named /bin/sora. This ensures CondiBot maintains exclusive control over the compromised system’s resources. Furthermore, it manipulates the hardware watchdog feature to keep the device operational without interruption, making the infection exceptionally difficult to remove without direct physical intervention.
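The persistence and process-killing behaviour described above gives defenders two cheap checks that can run on a Linux device with only a POSIX shell. This is an added example, not code from the article or from Eclypsium: it flags reboot utilities whose mode has been set to 000 and a process listing that contains the /bin/sora name the article mentions; the directory list and the SCAN_DIR variable are assumptions.

```shell
#!/bin/sh
# Added defender check (not from the article): look for the two CondiBot traces the
# write-up describes. Works with busybox/coreutils 'ls' and 'grep'; no stat(1) needed.

# Return 0 if none of the reboot utilities in the given directory are mode 000,
# 1 if at least one is (the persistence trick described above); prints each hit.
check_reboot_utils() {
    dir="$1"
    found=0
    for name in reboot shutdown poweroff halt; do
        path="$dir/$name"
        [ -e "$path" ] || continue
        # ls -ld prints e.g. "----------" for a mode-000 file; take the nine permission bits.
        perms=$(ls -ld "$path" | cut -c2-10)
        if [ "$perms" = "---------" ]; then
            echo "SUSPECT: $path has mode 000 (reboot utility neutralised)"
            found=1
        fi
    done
    return $found
}

# Read a 'ps' listing from stdin and return 1 if the competitor process name the
# article reports CondiBot killing (/bin/sora) appears as a whole token, else 0.
# Its presence is itself evidence of an earlier botnet infection on the device.
check_ps_listing() {
    hits=$(grep -E '(^|[[:space:]])/bin/sora([[:space:]]|$)' || true)
    if [ -n "$hits" ]; then
        echo "SUSPECT: botnet process seen in ps listing:"
        echo "$hits"
        return 1
    fi
    return 0
}

# Live usage (assumed convention): SCAN_DIR=/sbin sh check.sh ; ps | sh check.sh
if [ -n "${SCAN_DIR:-}" ]; then
    check_reboot_utils "$SCAN_DIR" && echo "OK: reboot utilities in $SCAN_DIR are intact"
fi
```

Run it against /sbin and /bin on the appliance and against a saved ps listing; any SUSPECT line warrants pulling the device for firmware verification rather than a reboot, which the mode-000 change is designed to defeat.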
What You Should Do
- Enforce Strong SSH Security: Implement strong, unique SSH credentials across all internet-facing devices and disable default passwords immediately.
- Monitor Firmware Integrity: Apply firmware integrity monitoring solutions to routers, firewalls, and all IoT equipment to detect unauthorized modifications.
- Prioritize Patching: Apply security patches as quickly as possible, especially given the observed zero-day exploit timelines for network devices.
- Monitor Network Traffic and Processes: Continuously monitor network appliances for unusual outbound traffic patterns and unexpected processes, which could indicate compromise.
- Enhance Visibility: Investigate security solutions that offer deeper visibility into the embedded firmware layers of network devices, beyond traditional endpoint agents.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


