New Malware Strains Exploit Network Devices for DDoS and Crypto Mining
On March 6, 2026, security researchers uncovered two previously undetected malware strains, CondiBot and Monaco, targeting Linux-based routers, IoT devices, and enterprise network equipment. Both strains evaded major threat intelligence platforms, including VirusTotal and ThreatFox, until their discovery.
CondiBot, a Mirai-based DDoS botnet, infects devices by cycling through multiple file transfer utilities (wget, curl, tftp, ftpget) to deliver its payload. Once executed, it disables reboot utilities, registers with a command-and-control (C2) server, and awaits attack commands. The malware includes 32 attack modules, an expansion from earlier variants, and actively kills competing botnets to monopolize system resources. A new internal identifier, "QTXBOT," suggests a possible fork or separate development group.
Monaco, written in Go 1.24.0, brute-forces weak SSH credentials to deploy Monero cryptocurrency mining software on compromised servers, routers, and IoT devices. Unlike CondiBot, it focuses on stealthy resource exploitation rather than DDoS attacks.
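Monaco's initial access is plain SSH credential brute-forcing, which is visible in the sshd log of any Linux-based device that still writes one. The following detector is an added example, not code from the article or from Eclypsium: it parses constructed sshd syslog lines (RFC 5737 test addresses), groups failed password attempts by source address, and flags any source that reaches a threshold of failures inside a sliding time window. The log format, the threshold of 5 failures in 60 seconds, and the year supplied for the year-less syslog timestamps are all assumptions to adjust for a real deployment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd syslog lines (assumption: standard OpenSSH syslog
# format; addresses are RFC 5737 documentation ranges, not real hosts).
SAMPLE_LOG = """\
Mar  6 10:00:01 edge-router sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  6 10:00:03 edge-router sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Mar  6 10:00:05 edge-router sshd[2105]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar  6 10:00:08 edge-router sshd[2107]: Failed password for invalid user pi from 203.0.113.7 port 51250 ssh2
Mar  6 10:00:11 edge-router sshd[2109]: Failed password for root from 203.0.113.7 port 51256 ssh2
Mar  6 10:00:14 edge-router sshd[2111]: Failed password for invalid user ubnt from 203.0.113.7 port 51260 ssh2
Mar  6 10:01:30 edge-router sshd[2120]: Failed password for netops from 198.51.100.23 port 40012 ssh2
Mar  6 10:01:45 edge-router sshd[2122]: Accepted publickey for netops from 198.51.100.23 port 40013 ssh2
"""

# Matches only failed password attempts; key-based and successful logins are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failed_logins(log_text, year=2026):
    """Return a list of (timestamp, source_ip, username) for each failed
    password attempt. Syslog timestamps carry no year, so the caller supplies
    one (assumption: all lines fall in the same year)."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m.group("ip"), m.group("user")))
    return events


def flag_bruteforce(events, threshold=5, window_seconds=60):
    """Map source IP -> peak number of failures inside any window of
    window_seconds; only sources that reach `threshold` are returned."""
    by_ip = defaultdict(list)
    for ts, ip, _user in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        peak, start = 0, 0
        # Two-pointer sliding window over the sorted timestamps.
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def usernames_tried(events, ip):
    """Distinct usernames attempted from one source; a spread of default
    account names is a strong hint of a credential-spraying bot."""
    return sorted({user for _ts, src, user in events if src == ip})


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_LOG)
    for ip, n in flag_bruteforce(evs).items():
        print(f"{ip}: {n} failed logins within 60s, users tried: {usernames_tried(evs, ip)}")
```

On the sample above only 203.0.113.7 is flagged (six failures in thirteen seconds across root, admin, pi and ubnt), while the single failed attempt from 198.51.100.23 followed by a key-based login stays below the threshold. The same logic applies to any device that forwards sshd logs to a collector, which is the practical answer to the visibility gap the article describes: devices whose firmware cannot run an endpoint agent can usually still ship syslog.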
Researchers from Eclypsium noted that these campaigns reflect a broader trend: financially motivated threat actors are increasingly targeting network infrastructure, a tactic once dominated by nation-state groups. The 2025 Verizon Data Breach Investigation Report highlighted an 8x increase in exploits targeting network devices, with a median patching time of 30 days, far slower than the zero-day exploit window. Google Threat Intelligence Group further reported that 25% of all zero-day exploits in 2025 targeted network and security systems.
A critical challenge is the visibility gap in enterprise security. Most endpoint detection tools cannot monitor embedded firmware in network appliances, allowing attackers to operate undetected for extended periods. CondiBot's persistence mechanisms, including hardware watchdog manipulation, make infections difficult to remove without physical intervention.
The emergence of these strains underscores the growing threat to network infrastructure, where unpatched devices and weak credentials create prime targets for both DDoS and cryptojacking operations.
Source: https://cybersecuritynews.com/new-malware-campaigns-turn-network-devices/
Verizon cybersecurity rating report: https://www.rankiteo.com/company/verizon
Google Cloud Security cybersecurity rating report: https://www.rankiteo.com/company/googlecloudsecurity
Eclypsium, Inc. cybersecurity rating report: https://www.rankiteo.com/company/eclypsium
{
  "id": "VERGOOECL1773851169",
  "linkid": "verizon, googlecloudsecurity, eclypsium",
  "type": "Cyber Attack",
  "date": "3/2026",
  "severity": "60",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
{
  "affected_entities": [
    {
      "industry": ["Technology", "Telecommunications"],
      "type": ["Enterprise", "IoT device manufacturers", "Network infrastructure providers"]
    }
  ],
  "attack_vector": [
    "Brute-force SSH credentials",
    "Exploitation of unpatched network devices",
    "File transfer utilities (wget, curl, tftp, ftpget)"
  ],
  "date_detected": "2026-03-06",
  "date_publicly_disclosed": "2026-03-06",
  "description": "On March 6, 2026, security researchers uncovered two previously undetected malware strains CondiBot and Monaco targeting Linux-based routers, IoT devices, and enterprise network equipment. CondiBot is a Mirai-based DDoS botnet that infects devices by cycling through multiple file transfer utilities and includes 32 attack modules. Monaco brute-forces weak SSH credentials to deploy Monero cryptocurrency mining software. Both strains evaded major threat intelligence platforms until their discovery.",
  "impact": {
    "operational_impact": "Monopolization of system resources by malware",
    "systems_affected": ["Linux-based routers", "IoT devices", "Enterprise network equipment"]
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "The incident underscores the growing threat to network infrastructure due to unpatched devices and weak credentials, as well as the visibility gap in enterprise security for embedded firmware. Persistence mechanisms like hardware watchdog manipulation make infections difficult to remove without physical intervention.",
  "motivation": ["Financial gain", "Resource exploitation"],
  "post_incident_analysis": {
    "corrective_actions": [
      "Improve patch management",
      "Enforce strong authentication",
      "Enhance monitoring for network appliances"
    ],
    "root_causes": [
      "Unpatched network devices",
      "Weak SSH credentials",
      "Visibility gap in enterprise security for embedded firmware"
    ]
  },
  "recommendations": [
    "Improve patch management for network devices",
    "Enforce strong SSH credentials",
    "Enhance monitoring for embedded firmware in network appliances",
    "Implement network segmentation to limit lateral movement",
    "Deploy adaptive behavioral WAF and on-demand scrubbing services for DDoS mitigation"
  ],
  "references": [
    {"source": "Eclypsium"},
    {"source": "2025 Verizon Data Breach Investigation Report"},
    {"source": "Google Threat Intelligence Group"}
  ],
  "response": {"third_party_assistance": "Eclypsium"},
  "title": "New Malware Strains Exploit Network Devices for DDoS and Crypto Mining",
  "type": ["DDoS", "Cryptojacking"],
  "vulnerability_exploited": ["Unpatched network devices", "Weak SSH credentials"]
}