Betting on Bots: Investigating Linux malware, crypto mining, and gambling API abuse
Overview
At Elastic Security Labs, we uncovered a sophisticated Linux malware campaign that has been exploiting Apache2 servers since March 2024. The attackers deployed multiple malware families, including KAIJI (DDoS) and RUDEDEVIL (crypto miner), along with custom tools for persistence and control. They used C2 channels disguised as kernel processes, Telegram bots, and cron jobs. The investigation suggests a potential Bitcoin/XMR mining scheme tied to gambling APIs, hinting at money laundering. Continuous malware development was observed through a file share hosting fresh KAIJI samples. The research provides an in-depth analysis of the attack tactics, persistence methods, and C2 infrastructure.
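The overview mentions C2 channels disguised as kernel processes but gives no detection logic. The script below is an added example, not Elastic Security Labs code and not taken from the full paper. It rests on an assumed heuristic: a genuine Linux kernel thread has an empty `/proc/<pid>/cmdline`, no resolvable `/proc/<pid>/exe`, and `kthreadd` (PID 2) as its parent, so a process whose name looks like `kworker/0:1` or `[kworker/0:1]` yet has a command line or an on-disk executable is worth triage. The `ProcInfo` record, the kernel-name regex and the sample process list are constructed for illustration.

```python
"""Flag userland processes that masquerade as Linux kernel threads.

Added example (not Elastic Security Labs code). Assumed heuristic: real
kernel threads have no cmdline, no resolvable exe link and kthreadd (pid 2)
as parent; a kernel-looking name without those properties is suspect.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Common kernel thread name prefixes (assumed list, extend as needed).
KERNEL_NAME_RE = re.compile(
    r"^\[?(kworker|kthreadd|ksoftirqd|migration|rcu_|kswapd|watchdog"
    r"|cpuhp|khugepaged|kblockd|kcompactd)"
)


@dataclass
class ProcInfo:
    pid: int
    comm: str            # contents of /proc/<pid>/comm
    cmdline: str         # raw /proc/<pid>/cmdline, '' for real kernel threads
    exe: Optional[str]   # readlink(/proc/<pid>/exe), None when unresolvable
    ppid: int            # PPid from /proc/<pid>/status


def looks_like_kernel_thread(name: str) -> bool:
    """True if the name (comm or argv[0]) imitates a kernel thread."""
    return bool(KERNEL_NAME_RE.match(name.strip()))


def is_masquerading(p: ProcInfo) -> bool:
    """A kernel-looking name that lacks the properties of a real kernel thread."""
    argv0 = p.cmdline.split("\x00")[0] if p.cmdline else ""
    if not (looks_like_kernel_thread(p.comm) or looks_like_kernel_thread(argv0)):
        return False
    genuine = p.cmdline == "" and p.exe is None and (p.pid == 2 or p.ppid == 2)
    return not genuine


def find_masquerading(procs: List[ProcInfo]) -> List[ProcInfo]:
    return [p for p in procs if is_masquerading(p)]


def read_proc(proc_root: str = "/proc") -> List[ProcInfo]:
    """Collect ProcInfo for every live process (Linux only; run as root)."""
    procs: List[ProcInfo] = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().decode("utf-8", "replace")
            ppid = 0
            with open(os.path.join(base, "status")) as f:
                for line in f:
                    if line.startswith("PPid:"):
                        ppid = int(line.split()[1])
                        break
            try:
                exe: Optional[str] = os.readlink(os.path.join(base, "exe"))
            except OSError:
                exe = None  # kernel thread, or not permitted to read
        except (OSError, ValueError):
            continue  # process exited mid-scan
        procs.append(ProcInfo(int(name), comm, cmdline, exe, ppid))
    return procs


# Constructed sample: two real kernel threads, one shell, one impostor that
# renamed itself to "[kworker/0:1]" but still runs from a file in /tmp.
SAMPLE_PROCS = [
    ProcInfo(2, "kthreadd", "", None, 0),
    ProcInfo(15, "kworker/0:1", "", None, 2),
    ProcInfo(1337, "bash", "/bin/bash\x00", "/usr/bin/bash", 1000),
    ProcInfo(4242, "[kworker/0:1]", "[kworker/0:1]\x00", "/tmp/.X11-unix/kworker", 1),
]


if __name__ == "__main__":
    procs = read_proc() if os.path.isdir("/proc") else SAMPLE_PROCS
    for p in find_masquerading(procs):
        print(f"SUSPECT pid={p.pid} comm={p.comm!r} exe={p.exe} ppid={p.ppid}")
```

Run it as root so that `/proc/<pid>/exe` resolves for every process; unprivileged, the exe link of another user's process is unreadable and the check degrades to the cmdline and parent tests alone. A renamed process that also wipes its argv still fails the parent test, since only `kthreadd` spawns kernel threads.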
Are you interested in this research? Our full paper is available at Elastic Security Labs!