New CondiBot Variant and ‘Monaco’ Cryptominer Expand Threats to Network Devices

Network infrastructure has become one of the most targeted areas in today’s threat landscape.

Over recent years, attackers ranging from nation-state groups to financially driven criminal actors have steadily shifted their focus toward routers, firewalls, and other network devices.

These devices sit at the core of enterprise environments, making them ideal entry points for long-term access or large-scale disruption.

Two newly discovered malware strains confirm this threat has now extended beyond high-end espionage operations and into the world of botnet operators and cryptocurrency miners.

On March 6, 2026, two previously undocumented malware samples were captured targeting Linux-based network devices.

The first is a new variant of CondiBot, a DDoS botnet derived from the well-known Mirai malware family, designed to turn compromised Linux systems into remotely controlled attack nodes.

The second is a cryptomining operation called “Monaco,” written in Go 1.24.0, that scans the internet for exposed SSH servers, breaks in using brute-force techniques, and secretly mines Monero cryptocurrency on compromised machines.

Neither sample had been previously flagged on major threat intelligence platforms, including VirusTotal, ThreatFox, or Hybrid Analysis.

Eclypsium researchers identified both malware strains through ongoing monitoring of network infrastructure threats, noting that the targeting of devices — including but not limited to Fortinet equipment — is now shared between nation-state actors and financially motivated cybercriminals.

The CondiBot variant carries an internal string identifier labeled “QTXBOT,” not seen in any prior Condi reports, possibly indicating an unreported fork.

Monaco sends stolen SSH credentials to a command-and-control server on Alibaba Cloud Singapore, pointing to a threat actor with notably low operational security.

What makes both threats particularly concerning is their multi-architecture design.

CondiBot supports ARM, MIPS, x86, and x86_64 platforms, meaning it can run on virtually any vulnerable Linux device regardless of the hardware vendor.

Monaco is similarly compiled for multiple architectures including ARM32, ARM64, and MIPS, giving it reach across IoT devices, routers, and servers.

These two strains show how financially motivated actors are now exploiting the same network blind spots once associated with advanced persistent threat groups.

The broader threat picture adds weight to these discoveries. The 2025 Verizon Data Breach Investigations Report recorded an eightfold increase in vulnerability exploitation against network devices, with a median patch time of 30 days and a median exploit time of zero.

Google’s Threat Intelligence Group found that nearly a quarter of zero-day vulnerabilities exploited in 2025 targeted network and security technologies. This confirms that network devices are now a primary battlefield for both espionage and financially driven threats.

How CondiBot Digs In and Stays Active

Once CondiBot lands on a device, it uses a layered delivery approach, cycling through multiple file transfer utilities — wget, curl, tftp, and ftpget — to ensure the payload reaches the target even if some tools are unavailable.

Mechanism of Attack (Source – Eclypsium)

The bot then registers with its command-and-control server, sending a registration packet to identify the compromised node before waiting for attack instructions.

What makes this variant especially persistent is its ability to disable system reboot utilities by setting their file permissions to 000, stripping the device of normal recovery capabilities.

It also manipulates the hardware watchdog to keep itself active, while hunting and killing competing botnet processes on the same machine, including one linked to the Sora botnet family.

The variant registers 32 attack handlers, more than earlier Condi versions, likely representing new flood techniques and protocol-level methods that expand the range of targets it can strike.
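The mode-000 trick described above is easy to check for from the defender's side. The following audit script is an added example, not code from Eclypsium or the article; it walks the usual locations of the reboot, shutdown, halt and poweroff utilities and flags any whose permission bits have been stripped. The utility names and search directories are assumptions about a typical Linux layout, and the demo tree it builds is constructed sample data.

```python
import os
import stat
import tempfile
from pathlib import Path

# Recovery utilities the CondiBot variant is reported to lock down with mode 000.
RECOVERY_TOOLS = ("reboot", "shutdown", "halt", "poweroff")
SEARCH_DIRS = ("sbin", "bin", "usr/sbin", "usr/bin")


def audit_recovery_tools(root="/"):
    """Return (path, octal mode, reason) for every recovery utility under
    root whose permission bits look tampered with: all bits stripped (000)
    or the execute bit removed. An empty list means nothing suspicious."""
    findings = []
    for d in SEARCH_DIRS:
        for name in RECOVERY_TOOLS:
            p = Path(root) / d / name
            try:
                st = p.stat()  # follows symlinks, e.g. reboot -> systemctl
            except (FileNotFoundError, PermissionError):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode == 0:
                findings.append((str(p), f"{mode:03o}", "all permission bits stripped"))
            elif not mode & 0o111:
                findings.append((str(p), f"{mode:03o}", "execute bit missing"))
    return findings


def build_demo_tree():
    """Constructed sample filesystem (an assumption, not a real device image):
    one utility chmod'ed to 000 as the article describes, one with the
    execute bit removed, one left untouched."""
    root = tempfile.mkdtemp(prefix="condibot-audit-")
    for rel, mode in (("sbin/reboot", 0o000), ("bin/shutdown", 0o644), ("sbin/halt", 0o755)):
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("#!/bin/sh\n")
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    target = build_demo_tree()
    for path, mode, reason in audit_recovery_tools(target):
        print(f"{path}: mode {mode} ({reason})")
    # Against a live device, call audit_recovery_tools("/") instead.
```

On a real device a non-empty result is worth treating as an indicator, since no legitimate package leaves these utilities with their permissions stripped.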

Organizations should audit network-facing devices for unauthorized processes and unexpected connections. Weak or default SSH credentials must be replaced immediately, and SSH access restricted to trusted IP addresses.

Firmware on routers, firewalls, and IoT devices should stay up to date, and end-of-life hardware with no available patches should be isolated or decommissioned. Monitoring unusual CPU activity can help detect cryptomining like Monaco before it causes sustained damage.


The post New CondiBot Variant and ‘Monaco’ Cryptominer Expand Threats to Network Devices appeared first on Cyber Security News.
