Sunday, June 15, 2025
HomeBotnetNew Xbash Malware Attack on Linux & Windows with Botnet, Ransomware &...

New Xbash Malware Attack on Linux & Windows with Botnet, Ransomware & Coinminer Capabilities

Published on

SIEM as a Service

Follow Us on Google News

Newly discovered Xbash malware with multiple capabilities such as  Botnet, Ransomware & Coinminer to compromise windows and Linux machine which is controlled under the Iron-based threat actor group.

Xbash malware has strong intrusion capabilities especially using ransomware and coin mining along with the self-replicative function to propagate across the infected network to compromise the vulnerable system.

It also targets the Linux-based databases to attack using its ransomware and botnet capabilities but it won’t restore the infected files after victims paid the ransom, which means that it posed as ransomware but actually destruct the infected machine data.

- Advertisement - Google News

During the research, Attackers earned around $6000 from 48 compromised victims and there is no evidence that they have been restored their files after victims paid the ransom amount.

The researchers named this new malware “Xbash”, based on the name of the malicious code’s original main module.

Previously spreading malicious Crypto-miners by Iron cyber criminals mainly targeting the windows machine and very few Linux based Database but current Xbash malware targeting the unprotected services to delete the victim’s MySQL, PostgreSQL and MongoDB databases.

Xbash Malware Attack Functionality

Xbash initial stage of attack starts by scanning the vulnerable Redis services to find out whether the target running on Windows or not.

Once it figures it out that the target is windows then it will send malicious JavaScript or VBScript payload for downloading and executing a coinminer for Windows.

Xbash author using the new unknown technique to scan the vulnerable servers in the enterprise Intranet.

Malware authors developed this Xbash malware using phyton and later it’s being converted into PE executable using PyInstaller because Python can be easier and faster than in C, C++.

The researcher said, “PyInstaller’s code compilation, code compression/conversion, and optional code encryption together work to obfuscate the indicators of malicious behavior. This obfuscation helps the malware to defeat detection by antivirus/antimalware engines or static analysis.”

Also, PyInstaller help to create a binary for cross-platform such as windows, Apple macOS and Linux.

After the successful infection on the victim’s machine, it communicates with its Command and control servers using its bunch of hardcoded domains.

In this case, there are 3  kinds of C2 traffic has been established based on the HTTP protocol communication.

  1. One for fetching a list of IP addresses or domains for scanning
  2. One for fetching a list of weak passwords, in addition to using hard-coded passwords
  3. One for reporting scan results

Scanning And Exploitation

Unlike other botnets like Mirai and Gafgyt, Xbase malware not only scan the IP address but it extending the targets to public websites by targeting domains as well as IP addresses.

During the scanning process, Xbash will also request C2 server via URI “/p” to fetch a list of weak passwords for brute force.

Once Xbash malware successfully finds the specific open ports weak credentials or exploitable, unpatched vulnerability then it will report to the attacker via command and control server.

Xbash exploiting Redis vulnerability

Also when Xbash Malware finds a destination has Hadoop, Redis or ActiveMQ running, it will also attempt to exploit the service for self-propagation and it uses Redis and HTTP service to determine if the vulnerable Redis service is installed on Linux or Microsoft Windows.

According to Palo Alto Networks Research, If Xbash successfully logs in to a service including MySQL, MongoDB, and PostgreSQL, it will delete almost all existing databases in the server (except for some databases that stored user login information), create a new database named “PLEASE_READ_ME_XYZ”, and insert a ransom message into table “WARNING” of the new database.

The researcher also finds that all version of  Xbash contains Python class named “LanScan”. Its functions are to get local intranet information, generate a list of all IP addresses within the same subnet, and to perform port scanning to all these IPs and the chances of finding vulnerable services within an Intranet is much higher than over the public Internet. We believe that is the main motivation of Xbash’s Intranet scanning code. Researchers said.

Related Read

Dangerous Android Malware that Steals Banking Credentials, Call Forwarding, Keylogging, and Ransomware Activities

Android Device With Open ADB Ports Exploited to Spread Satori Variant of Mirai Botnet

60,000 Android Devices are Infected with Malicious Battery Saver App that Steals Various Sensitive Data

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Kali Linux 2025.2 Released: New Tools, Smartwatch and Car Hacking Added

Kali Linux, the preferred distribution for security professionals, has launched its second major release...

Arsen Launches AI-Powered Vishing Simulation to Help Organizations Combat Voice Phishing at Scale

Arsen, the cybersecurity startup known for defending organizations against social engineering threats, has announced...

NIST Releases New Guide – 19 Strategies for Building Zero Trust Architectures

The National Institute of Standards and Technology (NIST) has released groundbreaking guidance to help...

Spring Framework Flaw Enables Remote File Disclosure via “Content‑Disposition” Header

A medium-severity reflected file download (RFD) vulnerability (CVE-2025-41234) in VMware's Spring Framework has been...

Credential Abuse: 15-Min Attack Simulation

Credential Abuse Unmasked

Credential abuse is #1 attack vector in web and API breaches today (Verizon DBIR 2025). Join our live, 15-min attack simulation with Karthik Krishnamoorthy (CTO - Indusface) and Phani Deepak Akella (VP of Marketing - Indusface) to see hackers move from first probe to full account takeover.

Discussion points


Username & email enumeration – how a stray status-code reveals valid accounts.
Password spraying – low-and-slow guesses that evade basic lockouts.
Credential stuffing – lightning-fast reuse of breach combos at scale.
MFA / session-token bypass – sliding past second factors with stolen cookies.

More like this

Cybercriminals Exploiting Expired Discord Invite Links to Deploy Multi-Stage Malware

Recent investigations by Check Point Research have uncovered a sophisticated malware campaign that leverages...

Interpol Dismantles 20,000 Malicious IPs and Domains Tied to 69 Malware Variants

In a landmark global cybercrime crackdown, INTERPOL’s Operation Secure has seen the takedown of...

New Secure Boot Vulnerability Allows Attackers to Install Malware in PC and Server Boot Processes

Security researchers from Binarly have uncovered a major software vulnerability in the Unified Extensible...