Attackers are breaking into poorly secured Linux servers over SSH and planting a self-spreading cryptominer that quietly mines Monero on victim machines, according to AhnLab Security Intelligence Center (ASEC). The same operators appear to have run this campaign since at least 2023, using brute-force logins against exposed SSH services to gain a foothold.
After a successful login, the intruders download a Go-based loader named "run" that first changes the current user password, then pulls a disguised archive (pack[.]jpg) containing an XMRig miner and a propagation tool named "meta". "Meta" scans additional SSH servers using bundled credential and IP-range lists, and installs the miner on every machine it can reach, turning each victim into a launch point for the next round of attacks.
How it hides and persists
The miner copies itself to /etc/ufw/[.]Dev/oracle-monitor and /dev/shm/[.]Sys_cache_backup, registers a systemd service named oracle-service, and adds a cron @reboot entry so it survives restarts. A watchdog component re-downloads the payload if it is removed. To stay hidden, the miner runs under the names of legitimate processes such as irqbalance and kworker, and the attackers also deploy ShellBot (a Perl IRC bot capable of DDoS and remote control), the MIG Log Cleaner to wipe traces, and the XHide tool to mask process names.
What administrators should do
This campaign relies entirely on weak or reused SSH credentials, so the fix is straightforward: use long, unique passwords or, better, key-based authentication, disable password logins where possible, restrict SSH exposure with a firewall, and keep systems patched. Watch for the rogue systemd service oracle-service, unexpected miners running out of /dev/shm, and outbound connections to the mining infrastructure. The broader lesson mirrors recent warnings that Linux systems are increasingly under active attack, whether through unpatched flaws or basic credential weaknesses.
Indicators
Payload host: download[.]xrpl[.]city. Reporting server: youpost[.]in. ShellBot C2: irc[.]lat:80 and irc[.]undernet[.]org:6667. Mining pools: sad[.]lat:80, 192[.]3[.]9[.]34:80, 172[.]245[.]81[.]188:80, 146[.]19[.]213[.]82:80, and 23[.]94[.]137[.]96:80. Additional hosts observed include 45[.]88[.]91[.]151 and 185[.]242[.]3[.]57.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.