
New malware targets Linux network devices for DDoS, crypto mining


Security researchers have discovered two previously undocumented malware strains targeting Linux-based network devices, confirming that financially motivated actors are now exploiting the same vulnerabilities once associated with nation-state espionage, reports Cyber Security News.

The CondiBot variant, derived from Mirai, transforms compromised systems into DDoS attack nodes, while "Monaco" scans for exposed SSH servers, brute-forces credentials, and mines Monero cryptocurrency. Both malware samples support multiple architectures, including ARM, MIPS, and x86, enabling them to infect virtually any vulnerable Linux device regardless of hardware vendor. CondiBot's persistence mechanisms include disabling system reboot utilities, manipulating hardware watchdogs, and killing competing botnet processes.
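A defender-side check for the CondiBot persistence behaviours described above, as an added example that is not from the researchers or the article: it flags missing or non-executable reboot utilities and lists processes holding a hardware watchdog device open. The utility names, search directories, watchdog device paths and expected holder names are assumptions, since the article does not say how the malware tampers with them.

```python
import os
import stat

# Assumptions (not from the article): utility names, directories, device paths.
REBOOT_UTILS = ("reboot", "shutdown", "halt", "poweroff")
BIN_DIRS = ("sbin", "bin", "usr/sbin", "usr/bin")
WATCHDOG_DEVS = {"/dev/watchdog", "/dev/watchdog0"}

def audit_reboot_utils(root="/"):
    """Map each utility to 'ok', 'missing' or 'not-executable'."""
    report = {}
    for name in REBOOT_UTILS:
        status = "missing"
        for d in BIN_DIRS:
            try:  # stat follows symlinks (busybox/systemctl); dangling links raise
                mode = os.stat(os.path.join(root, d, name)).st_mode
            except OSError:
                continue
            if stat.S_ISREG(mode) and mode & 0o111:
                status = "ok"
                break
            status = "not-executable"
        report[name] = status
    return report

def watchdog_holders(proc_root="/proc"):
    """Return sorted (pid, comm) pairs for processes with a watchdog device open."""
    holders = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            fds = os.listdir(os.path.join(base, "fd"))
            targets = {os.readlink(os.path.join(base, "fd", fd)) for fd in fds}
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:
            continue  # process exited or we lack permission to inspect it
        if targets & WATCHDOG_DEVS:
            holders.append((int(pid), comm))
    return sorted(holders)

def findings(root="/", proc_root="/proc", expected=("watchdog", "systemd")):
    """List anomalies; `expected` holder names are an assumption to tune per device."""
    out = [f"{n}: {s}" for n, s in audit_reboot_utils(root).items() if s != "ok"]
    out += [f"watchdog held by pid {p} ({c})"
            for p, c in watchdog_holders(proc_root) if c not in expected]
    return out

if __name__ == "__main__":
    print("\n".join(findings()) or "no anomalies found")
```

Run it as root on the live device so every process's file descriptors are readable; the `root` parameter is meant for a constructed test tree, because absolute symlinks inside a mounted image would resolve against the host filesystem.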

Monaco sends stolen credentials to a command-and-control server on Alibaba Cloud. The discoveries align with broader threat trends: the 2025 Verizon DBIR recorded an eightfold increase in vulnerability exploitation against network devices, with a median patch time of 30 days versus zero-day exploitability. Google's Threat Intelligence Group found that nearly a quarter of zero-days exploited in 2025 targeted network and security technologies.
