The attack surface of businesses has changed a lot. Financially motivated attackers are now systematically targeting network infrastructure, just as nation-state groups do.
Recent research has found two new types of malware, CondiBot and Monaco, that aggressively attack network hardware for the purpose of DDoS attacks and crypto-mining. This trend fits with what people in the industry are worried about: how quickly malware distribution and APT hacking methods are changing. These campaigns show that network hardware exploitation is no longer just something that advanced persistent threats do; a wider range of cybercriminals are now using it.

New Threats: CondiBot and Monaco Miner

On March 6, 2026, researchers obtained samples of two different types of malware that were targeting network infrastructure regardless of vendor.
The specifics of these threats are in line with earlier reports on technical security, which show how important it is to improve device-level visibility. The first, CondiBot, is an updated version of the Condi DDoS botnet, which is derived from Mirai. This binary, written in C, is designed to compromise Linux devices and turn them into remote-controlled nodes for large-scale network attacks.
[Figure: How the attack works (Source: Eclypsium)]

This new strain is different from older ones because it uses a strong delivery method that goes through several transfer options, like GET and CURL, to make sure the payload drops. Once it runs, it stops the system from rebooting, makes itself persistent, and actively hunts down and kills other botnets, like the new "/bin/sora" botnet.
Some important technical details about the CondiBot variant are:

- Target Architecture: Works with ARM, MIPS, and x86 versions.
- C2 Infrastructure: Uses port 80 to connect to IP 65.222.202.53.
- Unique Identifiers: Has the internal string "QTXBOT," which was not known to major threat intelligence platforms before.
- Attack Capabilities: Sets up 32 different attack handlers for different ways to flood a network.

The second threat, called "Monaco," is a cryptojacking operation that is currently going on and was written in Go 1.24.0. This malware looks for open SSH servers, routers, and IoT devices on the internet and tries to get in by brute-forcing with hardcoded usernames and passwords like "root" and "admin." Once Monaco has successfully compromised a device, it deploys Monero cryptocurrency miners to make money by using the compromised devices as free computing power.
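The CondiBot indicators listed above (the C2 address and port, and the "QTXBOT" string) can be checked on a Linux-based device with a short script. The following is an added example, not code from the researchers or from the original article; it assumes a copy of the device's /proc/net/tcp is available, and the function names and sample rows are constructed for illustration.

```python
import ipaddress

# Indicators taken from the article text above.
C2_ENDPOINT = "65.222.202.53:80"
MARKER = b"QTXBOT"
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT"}  # subset of kernel states

def decode_addr(field, byteorder="little"):
    """Turn a /proc/net/tcp 'HEXIP:HEXPORT' field into 'a.b.c.d:port'.

    The kernel prints the address as the hex of a native 32-bit integer, so
    the byte order depends on the CPU: little for x86 and most ARM builds,
    big for big-endian MIPS builds.
    """
    ip_hex, port_hex = field.split(":")
    raw = bytes.fromhex(ip_hex)
    if len(raw) != 4:
        raise ValueError("not an IPv4 entry")
    if byteorder == "little":
        raw = raw[::-1]
    return f"{ipaddress.IPv4Address(raw)}:{int(port_hex, 16)}"

def c2_connections(proc_net_tcp, byteorder="little"):
    """Return (local, state) for each socket whose remote end is the C2."""
    hits = []
    for line in proc_net_tcp.splitlines()[1:]:  # first row is the header
        fields = line.split()
        try:
            if decode_addr(fields[2], byteorder) == C2_ENDPOINT:
                state = TCP_STATES.get(fields[3], fields[3])
                hits.append((decode_addr(fields[1], byteorder), state))
        except (IndexError, ValueError):
            continue  # blank or malformed row
    return hits

def has_marker(blob):
    """True when blob is an ELF image that embeds the QTXBOT string."""
    return blob.startswith(b"\x7fELF") and MARKER in blob

# Constructed sample: an sshd listener, one session to the C2, one LAN session.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue
   0: 00000000:0016 00000000:0000 0A 00000000:00000000
   1: 0101A8C0:B3F2 35CADE41:0050 01 00000000:00000000
   2: 0101A8C0:0016 0201A8C0:D2A0 01 00000000:00000000
"""

if __name__ == "__main__":
    print(c2_connections(SAMPLE))
```

Pass `byteorder="big"` when the table was captured on a big-endian device; with the wrong byte order the C2 row does not match.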

The Strategic Move to Network Devices

The rise of CondiBot and Monaco is part of a larger trend of more attacks on network technology. The 2025 Verizon Data Breach Investigation Report showed that hackers were taking advantage of network device vulnerabilities eight times more often. Google Threat Intelligence also said that almost a quarter of all zero-day vulnerabilities used in 2025 were aimed at network and security devices.

| Specification | CondiBot Variant (DDoS Botnet) | "Monaco" Variant (SSH Scanner & Crypto Miner) |
| --- | --- | --- |
| Malware Group | Mirai derivative (DDoS executor) | Cryptominer |
| Filename | executor | executor |
| Language/Compiler | C (linked statically, stripped) | Go version 1.24.0, built on February 11, 2025 |
| File type | ELF 64-bit x86_64, statically linked, stripped | ELF 64-bit LSB executable, x86-64, statically linked |

As threat actors keep using network infrastructure as a weapon, organizations need to look beyond standard endpoint security.
To fix these blind spots, you need special detection tools that keep an eye on firmware and strange behavior in network edge equipment.












