Cybercriminals Shift Focus to Network Infrastructure as New Malware Strains Emerge
Security researchers have uncovered a surge in attacks targeting network infrastructure, including routers, firewalls, and IoT devices, as threat actors pivot away from traditional endpoints. This kind of targeting, once dominated by nation-state actors, is now being used by financially motivated attackers for large-scale DDoS campaigns and cryptocurrency mining.
On March 6, 2026, researchers identified two new malware strains, CondiBot and Monaco, designed to compromise Linux-based systems and network devices. CondiBot, a Mirai-derived botnet variant, infects devices across ARM, MIPS, and x86 architectures, disabling reboot functions and removing competing malware before launching DDoS attacks. It spreads via multiple download methods, including wget, curl, and TFTP, and connects to a command-and-control (C2) server for further instructions.
Meanwhile, Monaco, written in Go, scans the internet for exposed SSH services and uses brute-force attacks with common passwords to gain access. Once inside, it deploys Monero mining software, kills competing miners, and exfiltrates stolen credentials to its C2 infrastructure, which is often hosted on Alibaba Cloud. The malware targets servers, routers, and Juniper networks, optimizing system performance to maximize cryptocurrency output.
These campaigns reflect a broader shift in cyber threats, with attackers increasingly exploiting unpatched vulnerabilities and weak configurations in internet-facing systems like VPNs and gateways. Network devices pose a unique risk because security monitoring on them is limited, which allows attackers to maintain persistence, intercept traffic, and move laterally within compromised environments. The rise of CondiBot and Monaco underscores how cybercriminals are blending disruption with profit-driven tactics, making network infrastructure a critical attack vector.
Source: https://cyberpress.org/network-devices-hijacked-globally/
Juniper Networks cybersecurity rating report: https://www.rankiteo.com/company/juniper-networks
Alibaba Group cybersecurity rating report: https://www.rankiteo.com/company/alibaba-group
"id": "JUNALI1773930337",
"linkid": "juniper-networks, alibaba-group",
"type": "Cyber Attack",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'type': ['Network infrastructure providers',
                                 'Enterprises with exposed SSH services']}],
 'attack_vector': ['Brute-force attacks',
                   'Exploiting unpatched vulnerabilities',
                   'Weak configurations'],
 'data_breach': {'data_exfiltration': True,
                 'type_of_data_compromised': ['Credentials']},
 'date_detected': '2026-03-06',
 'date_publicly_disclosed': '2026-03-06',
 'description': 'Security researchers have uncovered a surge in attacks '
                'targeting network infrastructure, including routers, '
                'firewalls, and IoT devices, as threat actors pivot away from '
                'traditional endpoints. Two new malware strains, CondiBot and '
                'Monaco, were identified on March 6, 2026. CondiBot, a '
                'Mirai-derived botnet variant, infects devices across ARM, '
                'MIPS, and x86 architectures, disabling reboot functions and '
                'removing competing malware before launching DDoS attacks. '
                'Monaco, written in Go, scans for exposed SSH services, uses '
                'brute-force attacks to gain access, deploys Monero mining '
                'software, and exfiltrates stolen credentials to its C2 '
                'infrastructure. These campaigns reflect a broader shift in '
                'cyber threats, exploiting unpatched vulnerabilities and weak '
                'configurations in internet-facing systems.',
 'impact': {'data_compromised': ['Stolen credentials'],
            'operational_impact': ['Lateral movement within compromised '
                                   'environments',
                                   'Traffic interception',
                                   'Persistence in networks'],
            'systems_affected': ['Routers',
                                 'Firewalls',
                                 'IoT devices',
                                 'Linux-based systems',
                                 'Juniper networks',
                                 'VPNs',
                                 'Gateways']},
 'initial_access_broker': {'entry_point': ['Exposed SSH services']},
 'motivation': ['Financial gain', 'Disruption'],
 'post_incident_analysis': {'root_causes': ['Unpatched vulnerabilities',
                                            'Weak configurations',
                                            'Exposed internet-facing systems']},
 'references': [{'source': 'Security researchers'}],
 'threat_actor': ['Financially motivated attackers', 'Cybercriminals'],
 'title': 'Cybercriminals Shift Focus to Network Infrastructure as New Malware '
          'Strains Emerge',
 'type': ['Malware', 'DDoS', 'Cryptocurrency Mining'],
 'vulnerability_exploited': ['Exposed SSH services',
                             'Unpatched network devices']}