New CondiBot Variant and ‘Monaco’ Cryptominer Expand Threats to Network Devices
Network infrastructure is increasingly becoming a prime target for cyber threats, with new malware strains like a **CondiBot variant** and the ‘Monaco’ cryptominer demonstrating their expanding reach. These threats exploit weaknesses in routers, firewalls, and other network devices, from unpatched flaws to weak SSH credentials, and they shift the picture beyond high-end espionage to include botnets and cryptocurrency mining operations.
On March 6, 2026, cybersecurity researchers at Eclypsium identified two previously undocumented malware samples targeting Linux-based network devices. The first is a new iteration of CondiBot, a Distributed Denial of Service (DDoS) botnet derived from the Mirai malware family, designed to turn compromised Linux systems into remotely controlled attack nodes. The second is a cryptominer dubbed ‘Monaco,’ which brute-forces exposed SSH servers across the internet and then quietly mines Monero on the machines it gets into.
The discoveries highlight a concerning trend: the convergence of threat actors’ motives and techniques. While nation-state actors have long targeted network infrastructure for espionage, financially driven cybercriminals are now exploiting the same weaknesses for profit. At the time of analysis, neither the CondiBot variant nor the Monaco cryptominer had been flagged on major threat intelligence platforms such as VirusTotal, ThreatFox, or Hybrid Analysis, so defenses keyed to those feeds alone would not have caught either sample.
The new CondiBot variant carries an internal string identifier, “QTXBOT,” which has not previously been associated with this malware family, suggesting it may be an unreported fork. The researchers also noted that the ‘Monaco’ cryptominer reports the SSH credentials it steals back to its command-and-control server, hosted on Alibaba Cloud in Singapore, which points to a lack of operational security on the part of the threat actor behind the operation.
A particularly alarming aspect of both malware strains is their multi-architecture design. The CondiBot variant is built for ARM, MIPS, x86, and x86_64, allowing it to infect a wide array of Linux-based devices regardless of CPU architecture. Similarly, Monaco is compiled for multiple architectures, including ARM32, ARM64, and MIPS, giving it reach into a broad range of Internet of Things (IoT) devices, routers, and servers.
These findings align with broader industry trends regarding network device vulnerabilities. The 2025 Verizon Data Breach Investigations Report indicated an eightfold increase in the exploitation of vulnerabilities in network devices, with a median time to patch of 30 days against a median time to exploitation of zero days, that is, exploitation on or before public disclosure. Google’s Threat Intelligence Group also reported that nearly a quarter of zero-day vulnerabilities exploited in 2025 targeted network and security technologies, reinforcing the view that network devices are a critical battleground for both espionage and financially motivated attacks.
How CondiBot Digs In and Stays Active
Once the CondiBot variant gains access to a device, it uses a multi-stage delivery mechanism. It tries an array of file transfer utilities in turn, including wget, curl, tftp, and ftpget, to fetch the payload. This layered approach means the malware can still establish a foothold on stripped-down embedded images where only one or two of these tools exist.
Following successful delivery, the bot establishes communication with its command-and-control server. It sends a registration packet to identify the newly compromised node and then awaits instructions for conducting attacks. This channel is what makes the infected device usable as a botnet node.
The persistence techniques employed by this variant are particularly noteworthy. CondiBot can disable system reboot utilities by setting their file permissions to 000, stripping the device of its normal recovery path. It also manipulates the hardware watchdog timer so that a watchdog reset does not interrupt it, and it actively hunts and terminates processes associated with competing botnets, including those linked to the Sora botnet family. The new variant registers 32 attack handlers, up from previous Condi versions, which suggests new flood techniques and protocol-level attack methods have been added to its repertoire.
To mitigate these emerging threats, organizations should audit their network-facing devices for unauthorized processes, unexpected network connections, recovery utilities whose permissions have been altered, and processes holding the watchdog device open. Replacing weak or default SSH credentials with strong, unique passwords, or better, disabling password authentication in favour of keys (`PasswordAuthentication no` in sshd_config), and restricting SSH access to trusted source addresses are critical steps. Maintaining up-to-date firmware on all routers, firewalls, and IoT devices is essential, and end-of-life hardware that no longer receives security patches should be isolated or decommissioned. Monitoring for unusual CPU consumption can also serve as an early indicator of a cryptominer such as Monaco before significant damage occurs.
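The checks recommended above, and the persistence tricks from the previous section, can be turned into a small read-only audit that runs on a BusyBox-class device without ss, netstat or top. The script below is an added example written for this article, not Eclypsium's tooling and not a published indicator set; the list of recovery binaries it inspects and the sample /proc contents are assumptions chosen for illustration. Each check takes a root directory, so it can run on the live device (`/`) or against a mounted firmware image.

```shell
#!/bin/sh
# netdev_audit.sh: read-only audit of a Linux network device for the CondiBot
# persistence tricks and the Monaco-style CPU theft described above.
# Added example, not Eclypsium's tooling. The binary list is an assumption,
# not a published IOC. Every check takes a root directory so it can be run
# on the live device ("/") or against a mounted rootfs image.

# 1. Recovery utilities whose mode was set to 000 (CondiBot removes the easy
#    reboot path). -L follows the busybox symlinks most devices use.
check_reboot_perms() {
  root="${1%/}"
  for f in sbin/reboot sbin/shutdown sbin/poweroff sbin/halt \
           bin/busybox usr/sbin/reboot usr/sbin/shutdown; do
    p="$root/$f"
    [ -e "$p" ] || continue
    mode=$(stat -L -c '%a' "$p" 2>/dev/null) || continue
    [ "$mode" = "0" ] && echo "TAMPERED: $p mode 000"
  done
  return 0
}

# 2. Processes holding the hardware watchdog open. A legitimate watchdog
#    daemon shows up here too; anything else deserves a look.
watchdog_holders() {
  root="${1%/}"
  for fd in "$root"/proc/[0-9]*/fd/*; do
    t=$(readlink "$fd" 2>/dev/null) || continue
    case "$t" in
      /dev/watchdog*) p="${fd#"$root"/proc/}"; echo "${p%%/*} $t" ;;
    esac
  done
  return 0
}

# 3. Established TCP sessions parsed straight from /proc/net/tcp. Addresses
#    there are little-endian hex: 0100007F:0016 is 127.0.0.1:22.
hex_ip() {
  h="$1"
  a="${h%??????}"; b="${h%????}"; b="${b#??}"
  c="${h%??}";     c="${c#????}"; d="${h#??????}"
  printf '%d.%d.%d.%d' "0x$d" "0x$c" "0x$b" "0x$a"
}

established_tcp() {   # $1 = path to a /proc/net/tcp file
  [ -r "$1" ] || return 0
  while read -r sl laddr raddr st rest; do
    [ "$st" = "01" ] || continue          # 01 = ESTABLISHED, 0A = LISTEN
    printf '%s:%d -> %s:%d\n' "$(hex_ip "${laddr%:*}")" "0x${laddr#*:}" \
                                "$(hex_ip "${raddr%:*}")" "0x${raddr#*:}"
  done < "$1"
  return 0
}

# 4. Cumulative CPU ticks per process (utime + stime from /proc/<pid>/stat),
#    highest first. A miner that has run for days sits at the top of this list.
cpu_ticks() {   # $1 = root, $2 = how many entries to show (default 5)
  root="${1%/}"; n="${2:-5}"
  for s in "$root"/proc/[0-9]*/stat; do
    line=$(cat "$s" 2>/dev/null) || continue
    pid="${line%% *}"
    c="${line%)*}"; comm="${c#*(}"         # comm may contain spaces or ')'
    set -- ${line##*) }                    # fields after comm: state ppid ...
    echo "$(( ${12} + ${13} )) $pid $comm" # utime is 12th, stime 13th of those
  done | sort -rn | head -n "$n"
}

audit_device() {
  root="${1:-/}"
  echo "== recovery utilities with mode 000 ==";  check_reboot_perms "$root"
  echo "== processes holding /dev/watchdog ==";   watchdog_holders "$root"
  echo "== established TCP sessions ==";          established_tcp "${root%/}/proc/net/tcp"
  echo "== top CPU consumers (ticks pid comm) =="; cpu_ticks "$root" 5
}

# Run only when a root is given, e.g. `sh netdev_audit.sh /` on the device or
# `sh netdev_audit.sh /mnt/rootfs` on a mounted image (no /proc there, so only
# check 1 applies). Sourcing the file just defines the functions.
if [ "$#" -gt 0 ]; then audit_device "$1"; fi
```

The script deliberately reads only /proc and file metadata, so it can be run from a serial console on a device that is already suspected of being compromised without changing anything on it; the output is meant to be compared against a known-good device of the same model, since a watchdog holder or a high-tick process is only suspicious relative to what the firmware normally runs.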

