Outlaw Botnet Targets Linux Systems, Exploiting Weak or Default SSH Credentials

• Hackers target Linux environments, exploiting weak SSH credentials to deploy a Perl-based crypto-mining botnet.
• The botnet dynamic strategy combines an advanced understanding of Linux with persistent crypto-mining and botnet operations.
• This incident sheds light on significant security vulnerabilities faced by organizations globally.

The cybercrime group Outlaw, or “Dota,” is actively exploiting weak or default SSH credentials to deploy a Perl-based crypto-mining botnet targeting Linux systems. Recent evidence provided by Kaspersky highlights the botnet's methods, victims, and strategies. 

Outlaw attackers access Linux machines by exploiting unsecured SSH accounts, downloading malware components using utilities like wget or curl. 

A compromised machine is typically seeded with an initial script (tddwrt7s.sh) to install malicious files, such as the dota.tar.gz archive, which contains the perpetrating tools. Notably, attackers utilize multiple utilities to ensure compatibility throughout varying system setups.

To maintain persistence, attackers manipulate .ssh folders by replacing public SSH keys. They also employ obfuscated Perl scripts disguised as legitimate processes, using IRC-based botnets for command-and-control communication.

The attackers leverage a hijacked XMRig (version 6.19.0) cryptocurrency miner. This modified version mines Monero using CPU resources. Configured for high efficiency, their setup even connects to mining pools accessible via Tor, further concealing their operations. 

The group's goal is to maximize mining profits while crippling system performance, according to the Kaspersky security report.

Telemetry data indicates that Outlaw's activities span across multiple regions, with the United States, Germany, Brazil, Italy, and Singapore among the most affected. 

Notably, the group experienced a surge in activity beginning March 2025 following a brief dormant period from December 2024 to February 2025.