Two newly identified malware strains, CondiBot and Monaco, are compromising network devices, including routers and IoT equipment, and turning them into nodes for distributed denial-of-service (DDoS) attacks and illicit cryptocurrency mining. Their arrival marks a worrying shift in threat actor tactics toward the core infrastructure that organizations rely on.
Security researchers identified the two previously undocumented strains on March 6, 2026. CondiBot is a DDoS botnet built on the well-known Mirai framework and designed to infect Linux-based network devices and turn them into remotely controlled nodes; its job is to flood targets with traffic until they become unavailable. Monaco is an SSH scanner and cryptocurrency miner written in Go 1.24.0. It gets into servers, routers, and IoT devices by brute-forcing weak SSH credentials and then quietly deploys Monero mining software. At the time of discovery, samples of neither strain had been flagged on major threat intelligence platforms such as VirusTotal, ThreatFox, or Hybrid Analysis.
CondiBot and Monaco: A New Wave of Network Device Exploitation
Researchers at Eclypsium identified both strains and drew out the broader point: exploitation of network infrastructure is no longer the preserve of nation-state advanced persistent threat (APT) groups. Financially motivated actors, cryptocurrency miners among them, now work the same device vulnerabilities that state-sponsored operators have historically favored. Industry data backs this up. The 2025 Verizon Data Breach Investigations Report recorded a roughly eightfold increase in vulnerability exploitation against network devices, with a median time to exploit of zero days against a median time to patch of 30 days.
Google Threat Intelligence Group likewise found that nearly a quarter of the zero-day vulnerabilities exploited in 2025 targeted network and security systems, which makes the network device attack surface a primary battleground. These devices are hard to defend because of a visibility gap in most enterprise environments: endpoint detection and response (EDR) tools cannot see the embedded firmware layer of a network appliance, and the appliance cannot run a conventional security agent. An attacker who lands there can operate undetected for long periods, quietly harvesting compute or staging attacks against downstream targets.
CondiBot’s Infection Mechanism and Persistence Tactics
CondiBot’s infection process begins as soon as a vulnerable Linux device is compromised. The dropper tries several download utilities in turn, wget, curl, tftp, and ftpget, so that the malicious binary lands whichever tools the device happens to ship with. Once the binary runs, CondiBot protects itself against the simplest remedy: it sets the file permissions of the system’s reboot utilities to 000. A restart would otherwise clear the infection, so taking away the operator’s ability to reboot is what keeps the bot in place. The malware then connects to a command-and-control (C2) server and registers itself with a unique bot identifier.
After registering, CondiBot idles and listens for attack commands from the C2 server. On receiving an order it runs one of its 32 registered attack handlers against the designated target, far more than the earlier Condi variants Fortinet documented in 2023. Analysts also extracted the string “QTXBOT” from the binary, an internal identifier absent from all prior Condi documentation, which suggests a fork or a building block maintained by a different developer group. The malware kills competing botnets on the same device, including processes identified as /bin/sora, so that it alone controls the compromised system’s resources, and it tampers with the hardware watchdog so the device keeps running rather than resetting itself. With software reboots blocked and the watchdog neutralized, clearing the infection generally requires a power cycle or other physical intervention.
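The behaviours described in the two paragraphs above (reboot utilities chmod’ed to 000, a /bin/sora process, the QTXBOT string, and the watchdog being held) translate directly into live-response checks. The script below is an added example written for this page, not Eclypsium’s tooling or anything recovered from the malware. The ROOT variable, the list of reboot utility paths, and the file names are assumptions; ROOT lets the same checks run over a mounted filesystem image or a constructed test tree instead of the live system.

```shell
#!/bin/sh
# Triage checks for the CondiBot indicators the article describes.
# Constructed example, not Eclypsium's tooling. ROOT is an assumed knob:
# leave it empty on a live device, or point it at a mounted image.
# Every check_* function exits 0 when an indicator is present.

ROOT="${ROOT:-}"

# Reboot utilities stripped to mode 000 (stat -L follows busybox symlinks).
check_reboot_utils() {
    found=1
    for util in /sbin/reboot /sbin/shutdown /sbin/halt /sbin/poweroff; do
        p="$ROOT$util"
        [ -e "$p" ] || continue
        mode=$(stat -L -c '%a' "$p" 2>/dev/null) || continue
        if [ "$mode" = "0" ]; then
            echo "reboot utility has mode 000: $p"
            found=0
        fi
    done
    return $found
}

# Bot names the article mentions: /bin/sora as a running command line
# (a competitor CondiBot kills) and QTXBOT as a string inside a running
# executable. grep -a treats the ELF binary as text.
check_bot_processes() {
    found=1
    for d in "$ROOT"/proc/[0-9]*; do
        [ -r "$d/cmdline" ] || continue
        pid=${d##*/}
        cmd=$(tr '\000' ' ' < "$d/cmdline")
        case "$cmd" in
            */bin/sora*) echo "competing bot process $pid: $cmd"; found=0 ;;
        esac
        if grep -aq QTXBOT "$d/exe" 2>/dev/null; then
            echo "QTXBOT marker in executable of pid $pid: $cmd"
            found=0
        fi
    done
    return $found
}

# Processes holding /dev/watchdog open. A legitimate watchdog daemon shows
# up here too, so this is a lead to verify against the device's baseline.
check_watchdog_holders() {
    found=1
    for fd in "$ROOT"/proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            /dev/watchdog*)
                pid=${fd#"$ROOT"/proc/}; pid=${pid%%/*}
                echo "watchdog device $target held open by pid $pid"
                found=0 ;;
        esac
    done
    return $found
}

# Runs every check; exit status 0 means at least one indicator fired.
triage() {
    hits=1
    check_reboot_utils && hits=0
    check_bot_processes && hits=0
    check_watchdog_holders && hits=0
    return $hits
}

# Invoke as `sh condibot-triage.sh run` (optionally ROOT=/mnt/image).
case "${1:-}" in run) triage ;; esac
```

On a live device the process checks need read access to /proc/PID/exe, so run them as root. A clean result from these checks is not a clean bill of health: they only cover the specific behaviours the article reports, and a reboot utility that has been replaced rather than chmod’ed would pass the first check.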
Organizations should counter these threats with measures that match the observed tradecraft. Enforce strong, unique SSH credentials and disable default passwords on every internet-facing device, since Monaco spreads by brute-forcing weak ones. Monitor firmware integrity on routers, firewalls, and IoT equipment, because no endpoint agent will see the compromise. With median time to exploitation at zero days, apply patches as soon as vendors release them, prioritizing internet-facing appliances. Watch continuously for unusual outbound traffic, such as C2 check-ins, DDoS floods, and connections to mining pools, and for unexpected processes running on network appliances.

