Date: 12/04/2025
Severity: High
Summary
An active campaign targeting Linux systems is deploying V3G4, a Mirai-derived botnet, now bundled with an XMRig Monero cryptominer whose configuration is kept fileless for stealth. The multi-stage attack chain delivers architecture-specific binaries for x86_64, ARM, and MIPS devices; once running, the bot disguises itself as systemd-logind, performs reconnaissance, and conducts large-scale SSH scanning. It maintains persistent C2 communication and activates the concealed miner dynamically at runtime, combining Mirai's traditional DDoS capabilities with covert cryptomining.
Indicators of Compromise (IOC) List
URLs/Domains:
www.baojunwakuang.asia
https://103.149.93.224/bins/Mddos.x86_64
https://103.149.93.224/bins/Mddos.arm64
https://103.149.93.224/bins/Mddos.arm7
https://103.149.93.224/bins/Mddos.arm5
https://103.149.93.224/bins/Mddos.mips
https://103.149.93.224/bins/Mddos.mpsl
https://159.75.47.123/bins/xmrig.x86_64
Auto.c3pool.org:19999 (mining pool)

IP Addresses:
103.149.93.224
159.75.47.123

SHA-256 Hashes:
2c0261e6a3590e3554202116c5398637d0d7900895646d0aaf46d117aadd1612
8350cd4e9b2f1056c8ccdf0d1b2406b32634840aa304d535ad4b6be5b365275c
d5c55f18b1a7c01d3e4fb657b00aa677784640fef3c1742243a65ded07aeccc6
4ad4fe754acde2f79ced013d7dc7260e111ea23c7a47001e3fb16aa5d268852a
2e6fecefa3062d2306124e014643a14066981f4865dedbeffb8c1d057dc650b2
f838c2ec86c444d09956934948a28ff6459da7afe820682ead81e4a95deb703a
39ead6055306739ab969a3531bde2050f556b05e500894b3cda120178f2773be
90e28c0d2f2ce83164c2bfdcf42a8746ff055b35b81c95d4b18639b1f2e96885

Monero Wallet:
4AAjsvwrMQxBJpExraeoqdKrV8bwz2kkJG7P4axGTSip46CjmCrvSa8dztbNC4n6XuLr8wiXYgxS9c979hpdmi6s3LCNNja
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (URL / domain indicators):
domainname like "https://103.149.93.224/bins/Mddos.arm64" or siteurl like "https://103.149.93.224/bins/Mddos.arm64" or url like "https://103.149.93.224/bins/Mddos.arm64" or domainname like "https://103.149.93.224/bins/Mddos.arm7" or siteurl like "https://103.149.93.224/bins/Mddos.arm7" or url like "https://103.149.93.224/bins/Mddos.arm7" or domainname like "https://159.75.47.123/bins/xmrig.x86_64" or siteurl like "https://159.75.47.123/bins/xmrig.x86_64" or url like "https://159.75.47.123/bins/xmrig.x86_64" or domainname like "https://103.149.93.224/bins/Mddos.mips" or siteurl like "https://103.149.93.224/bins/Mddos.mips" or url like "https://103.149.93.224/bins/Mddos.mips" or domainname like "https://103.149.93.224/bins/Mddos.arm5" or siteurl like "https://103.149.93.224/bins/Mddos.arm5" or url like "https://103.149.93.224/bins/Mddos.arm5" or domainname like "https://103.149.93.224/bins/Mddos.x86_64" or siteurl like "https://103.149.93.224/bins/Mddos.x86_64" or url like "https://103.149.93.224/bins/Mddos.x86_64" or domainname like "www.baojunwakuang.asia" or siteurl like "www.baojunwakuang.asia" or url like "www.baojunwakuang.asia" or domainname like "https://103.149.93.224/bins/Mddos.mpsl" or siteurl like "https://103.149.93.224/bins/Mddos.mpsl" or url like "https://103.149.93.224/bins/Mddos.mpsl" or domainname like "Auto.c3pool.org:19999" or siteurl like "Auto.c3pool.org:19999" or url like "Auto.c3pool.org:19999"

Detection Query 2 (IP indicators):
dstipaddress IN ("103.149.93.224","159.75.47.123") or srcipaddress IN ("103.149.93.224","159.75.47.123")

Detection Query 3 (file hash indicators):
sha256hash IN ("2e6fecefa3062d2306124e014643a14066981f4865dedbeffb8c1d057dc650b2","2c0261e6a3590e3554202116c5398637d0d7900895646d0aaf46d117aadd1612","f838c2ec86c444d09956934948a28ff6459da7afe820682ead81e4a95deb703a","8350cd4e9b2f1056c8ccdf0d1b2406b32634840aa304d535ad4b6be5b365275c","39ead6055306739ab969a3531bde2050f556b05e500894b3cda120178f2773be","90e28c0d2f2ce83164c2bfdcf42a8746ff055b35b81c95d4b18639b1f2e96885","d5c55f18b1a7c01d3e4fb657b00aa677784640fef3c1742243a65ded07aeccc6","4ad4fe754acde2f79ced013d7dc7260e111ea23c7a47001e3fb16aa5d268852a")
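The three queries above match on literal values in the url/siteurl/domainname, srcipaddress/dstipaddress and sha256hash fields. The following script, added here as an illustration and not part of the advisory or of Gurucul's product, applies the same IOC set to plain event records so the matching logic can be tested offline. It goes slightly beyond the literal queries: URL fields are also matched on their host part (so a different path on the same download host still fires), hashes are compared case-insensitively, and a command line containing the listed wallet address is flagged. The field names follow the queries; the sample records are constructed, not taken from a real incident.

```python
from urllib.parse import urlsplit

# IOCs transcribed from the advisory above.
IOC_URLS = {
    "https://103.149.93.224/bins/Mddos.x86_64",
    "https://103.149.93.224/bins/Mddos.arm64",
    "https://103.149.93.224/bins/Mddos.arm7",
    "https://103.149.93.224/bins/Mddos.arm5",
    "https://103.149.93.224/bins/Mddos.mips",
    "https://103.149.93.224/bins/Mddos.mpsl",
    "https://159.75.47.123/bins/xmrig.x86_64",
}
IOC_IPS = {"103.149.93.224", "159.75.47.123"}
IOC_SHA256 = {
    "2c0261e6a3590e3554202116c5398637d0d7900895646d0aaf46d117aadd1612",
    "8350cd4e9b2f1056c8ccdf0d1b2406b32634840aa304d535ad4b6be5b365275c",
    "d5c55f18b1a7c01d3e4fb657b00aa677784640fef3c1742243a65ded07aeccc6",
    "4ad4fe754acde2f79ced013d7dc7260e111ea23c7a47001e3fb16aa5d268852a",
    "2e6fecefa3062d2306124e014643a14066981f4865dedbeffb8c1d057dc650b2",
    "f838c2ec86c444d09956934948a28ff6459da7afe820682ead81e4a95deb703a",
    "39ead6055306739ab969a3531bde2050f556b05e500894b3cda120178f2773be",
    "90e28c0d2f2ce83164c2bfdcf42a8746ff055b35b81c95d4b18639b1f2e96885",
}
IOC_WALLET = ("4AAjsvwrMQxBJpExraeoqdKrV8bwz2kkJG7P4axGTSip46CjmCrvSa8dztbNC4n6"
              "XuLr8wiXYgxS9c979hpdmi6s3LCNNja")


def host_of(value: str) -> str:
    """Lower-case host of a URL, or of a bare 'host[:port]' string."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.split("/", 1)[0].rsplit(":", 1)[0].lower()


# Hosts derived from the URL IOCs plus the two bare domain indicators.
IOC_HOSTS = {host_of(u) for u in IOC_URLS} | {
    host_of("www.baojunwakuang.asia"),
    host_of("Auto.c3pool.org:19999"),
}


def match_record(record: dict) -> list:
    """Return (field, reason) pairs for every IOC the record matches."""
    hits = []
    for field in ("url", "siteurl"):
        value = record.get(field)
        if not value:
            continue
        if value.strip() in IOC_URLS:
            hits.append((field, "ioc-url"))        # exact download URL
        elif host_of(value) in IOC_HOSTS:
            hits.append((field, "ioc-host"))       # same host, other path
    value = record.get("domainname")
    if value and host_of(value) in IOC_HOSTS:
        hits.append(("domainname", "ioc-host"))
    for field in ("srcipaddress", "dstipaddress"):
        value = record.get(field)
        if value and value.strip() in IOC_IPS:
            hits.append((field, "ioc-ip"))
    value = record.get("sha256hash")
    if value and value.strip().lower() in IOC_SHA256:
        hits.append(("sha256hash", "ioc-hash"))    # case-insensitive
    value = record.get("commandline")
    if value and IOC_WALLET in value:
        hits.append(("commandline", "ioc-wallet"))
    return hits


def scan(records: list) -> list:
    """Index and hits for every record that matched at least one IOC."""
    return [(i, match_record(r)) for i, r in enumerate(records) if match_record(r)]


# Constructed sample events (not from a real incident).
SAMPLE_RECORDS = [
    {"url": "https://103.149.93.224/bins/Mddos.arm7"},
    {"domainname": "www.baojunwakuang.asia"},
    {"dstipaddress": "159.75.47.123", "dstport": 443},
    {"sha256hash": "2C0261E6A3590E3554202116C5398637D0D7900895646D0AAF46D117AADD1612"},
    {"domainname": "auto.c3pool.org", "dstport": 19999},
    {"url": "https://example.com/index.html", "dstipaddress": "10.0.0.5"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_RECORDS):
        print(index, hits)
```

Note that a domainname field normally carries a bare host, so matching it on the host part of the listed URLs (as done here) is what makes the first query's domainname clauses effective; the IP and hash queries translate directly.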
Reference:
https://cyble.com/blog/v3g4-mirai-botnet-evolves/