What happened
Researchers from Eclypsium identified two previously undocumented malware strains targeting Linux-based network devices: a new CondiBot variant derived from the Mirai malware family and a cryptomining operation called Monaco. The CondiBot sample is designed to turn compromised devices into remotely controlled DDoS nodes, while Monaco scans the internet for exposed SSH servers, brute-forces access, and mines Monero on infected systems. Both malware strains support multiple hardware architectures, including ARM, MIPS, x86, and x86_64, allowing them to run across routers, firewalls, IoT devices, and servers. Eclypsium said the findings show financially motivated actors are increasingly targeting the same network-device blind spots once more commonly associated with advanced espionage groups.
Who is affected
Organizations and users operating vulnerable Linux-based network devices, including routers, firewalls, IoT systems, and exposed SSH servers, are affected, as both malware strains are designed to infect and persist on these environments.
Why CISOs should care
The campaign highlights how network infrastructure is becoming a primary target not only for nation-state actors but also for botnet operators and cryptomining groups, increasing the risk of disruption, persistence, and resource theft across enterprise environments.
3 practical actions
- Audit Linux-based network devices for unauthorized processes. Review routers, firewalls, and servers for suspicious activity tied to CondiBot or Monaco.
- Harden SSH access. Replace weak or default credentials and restrict SSH access to trusted IP addresses.
- Monitor outbound connections and credential theft activity. Monaco was observed sending stolen SSH credentials to attacker-controlled infrastructure.
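As an added example (not Eclypsium's tooling or any code from this report), a small Python audit of an sshd_config for the second action above: it flags password authentication, root password login, a high MaxAuthTries, and the absence of source-address restriction via AllowUsers USER@HOST patterns, and it honours sshd's first-occurrence-wins rule, which defeats a naive grep for "PasswordAuthentication no". The two sample configs, the netadmin user and the 192.0.2.0/24 subnet are constructed.

```python
import re
# sshd defaults for keywords absent from the file (OpenSSH 7.0 and later).
DEFAULTS = {"passwordauthentication": "yes", "permitrootlogin": "prohibit-password",
            "maxauthtries": "6"}

def parse_global_settings(text):
    """Global {keyword: value}; sshd keeps the FIRST value, 'Match' starts conditional blocks."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return settings

def audit_sshd_config(text):
    """Return sorted findings; an empty list means the config passes."""
    cfg = {**DEFAULTS, **parse_global_settings(text)}
    findings = []
    if cfg["passwordauthentication"] != "no":
        findings.append("password authentication enabled (brute-force surface)")
    if cfg["permitrootlogin"] not in ("no", "prohibit-password"):
        findings.append("root login with password permitted")
    if int(cfg["maxauthtries"]) > 3:
        findings.append("MaxAuthTries above 3")
    # AllowUsers patterns of the form USER@HOST (HOST may be a CIDR block)
    # restrict the source address; a bare user list or no AllowUsers does not.
    allow = cfg.get("allowusers", "").split()
    if not allow or not all("@" in pat for pat in allow):
        findings.append("SSH source not restricted to trusted addresses")
    return sorted(findings)

# Constructed sample: factory-style settings plus a hardening line appended later
# that never takes effect, because sshd already applied the first value it saw.
WEAK_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
PasswordAuthentication no
"""
# Constructed sample: key-only login, limited to the management subnet.
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
AllowUsers netadmin@192.0.2.0/24
"""
```

Run `audit_sshd_config(open("/etc/ssh/sshd_config").read())` on a device to get its findings list; note that `Include` directives are not followed here.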
