Malware - New CondiBot Variant and Monaco Cryptominer Threaten

What Happened

In a worrying development for network security, two new malware variants have emerged, targeting Linux-based network devices. The first is a new variant of CondiBot, a DDoS botnet derived from the notorious Mirai malware family. This variant transforms compromised systems into attack nodes, enabling extensive network disruptions. The second malware, called Monaco, is a cryptominer that exploits exposed SSH servers to mine Monero cryptocurrency secretly. Both strains highlight the increasing focus on network infrastructure by attackers, including nation-state groups and financially motivated criminals.

On March 6, 2026, researchers from Eclypsium identified these previously undocumented malware samples. They noted that the targeting of devices, such as Fortinet equipment, is now a shared tactic among various threat actors. This shift indicates a broader trend where financially motivated actors are exploiting vulnerabilities in network devices, once primarily associated with advanced persistent threats.

Who's Being Targeted

The CondiBot variant and Monaco malware are designed to target a wide range of devices, including routers, firewalls, and other Linux-based network equipment. Their multi-architecture compatibility means they can infect virtually any vulnerable device, regardless of the hardware vendor. This broad reach makes them particularly dangerous, as they can infiltrate both enterprise and IoT environments.

The 2025 Verizon Data Breach Investigation Report revealed a staggering eightfold increase in vulnerability exploitation against network devices. With a median exploit time of zero days, this trend underscores the urgent need for organizations to bolster their defenses against such attacks. The rise in exploitation of network devices indicates that they are now a primary battlefield for both espionage and financially driven threats.

Signs of Infection

Once CondiBot infiltrates a device, it employs a layered delivery approach to ensure its payload reaches the target. It utilizes various file transfer utilities, such as wget and curl, to maintain persistence. Notably, this variant can disable system recovery utilities, making it challenging to remove once installed. It also registers with its command-and-control server, awaiting instructions for further attacks.

Monaco, on the other hand, operates by scanning for exposed SSH servers, using brute-force techniques to gain access. Once inside, it begins mining Monero, which can lead to significant resource drain and operational disruption. Monitoring unusual CPU activity is crucial for detecting such cryptomining activities before they escalate into more severe issues.

How to Protect Yourself

Organizations must take proactive measures to safeguard their network devices against these emerging threats. Here are some recommended actions:

• Audit network-facing devices for unauthorized processes and unexpected connections.
• Replace weak or default SSH credentials immediately and restrict SSH access to trusted IP addresses.
• Ensure firmware on routers, firewalls, and IoT devices is kept up to date.
• Isolate or decommission end-of-life hardware that lacks available patches.

By implementing these strategies, organizations can better defend against the evolving landscape of malware threats targeting their network infrastructure.