Outlaw
Outlaw, also known as Dota and sometimes referred to in reporting as Shellbot, is a long-running Linux-focused crypto-mining botnet and auto-propagating malware package. It is commonly described as Perl-based and typically gains initial access by brute-forcing or otherwise abusing weak or default SSH credentials. After compromise, it deploys shell-script stages that download an archive such as dota.tar.gz or dota3.tar.gz, unpack malware into hidden directories including .configrc5, .configrc6, or .rsync, and establish persistence through SSH authorized_keys replacement and cron jobs. A recurring persistence artifact is an attacker SSH key marked with the comment string "mdrfckr"; reporting also links the SHA-256 a8460f446be540410004b1a8db4083773fa46f7fe76fa84219c93daa1669f8f2 to a widely observed Outlaw/Shellbot authorized_keys artifact.
Observed Outlaw components include a modified XMRig Monero miner disguised with names such as kswapd0, an IRC-based Perl backdoor often described as STEALTH SHELLBOT, and a brute-force propagation component called BLITZ. The miner has been reported as modified XMRig 6.19.0 and 6.22.1 variants, configured for CPU-only Monero mining, high CPU usage, multiple mining pools, and in some cases Tor-accessible pools. The malware kills competing miners and other high-CPU processes, may optimize mining performance via MSR writes and hugepages, and may remove or lock XMRig configuration files to preserve embedded settings. The IRC backdoor disguises itself as an rsync process, connects to hardcoded IRC infrastructure over port 443, and supports command execution, DDoS, port scanning, file download, and HTTP upload. Some variants also use socat-based forwarding for command-and-control resilience.
Outlaw also propagates laterally and externally through SSH. The BLITZ component performs multi-threaded SSH brute-force attacks using credentials and targets retrieved from command-and-control infrastructure, changes victim passwords after successful compromise, performs reconnaissance, exfiltrates collected host data, scans local subnets for additional SSH-accessible systems, and transfers the malware package onward from infected hosts. Reporting describes both automated behavior and direct human operator interaction during some intrusions. Defense-evasion and persistence behaviors include hidden directories, base64 decoding, Perl obfuscation, UPX-packed binaries, chattr-based immutability, deletion and recreation of .ssh directories, insertion of attacker-controlled authorized_keys entries, and watchdog scripts to restart components.
Public reporting associates Outlaw with the so-called Outlaw Hacking Group first identified by Trend Micro in 2018. Victim telemetry cited in that reporting shows activity concentrated in the United States, with additional victims in Germany, Italy, Thailand, Singapore, Taiwan, Canada, and Brazil. Reported infrastructure and indicators include command-and-control server 45.9.148.99, the Monero wallet 483fmPjXwX75xmkaJ3dm4vVGWZLHn3GDuKycHypVLr9SgiT6oaZgVh26iZRpwKEkTZCAmUS8tykuwUorM3zGtWxPBFqwuxS, and recurring SSH client fingerprints tied to campaign evolution, including hassh 03a80b21afa810682a776a7d42e5e6fb with banner SSH-2.0-libssh_0.11.1 in April 2026. High-confidence behavioral indicators include rapid post-login reconnaissance, .ssh replacement, chattr -ia or lockr -ia usage, competitor cleanup, cron persistence, and deployment of miner and IRC backdoor components on Linux hosts.
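As an added, defender-side example (not code from the page's sources or from Mallory), the following Python hunts a Linux host for three of the artifacts just listed: the "mdrfckr" comment on an authorized_keys entry, cron entries launched from the hidden directories, and a kswapd0 process that is not a genuine kernel thread. The sample inputs are constructed; the key blobs are placeholders and the file paths under the hidden directories are assumptions.

```python
"""Host hunt for the Outlaw persistence and miner artifacts described above.

Pure functions over file contents and process listings, so they can be fed the
constructed samples below or data collected from a live host (on a real host,
`lsattr ~/.ssh/authorized_keys` showing the i/a flags corroborates chattr -ia)."""
import re

KEY_COMMENT = "mdrfckr"                       # comment on the attacker's key entry
HIDDEN_DIRS = (".configrc5", ".configrc6", ".rsync")
IMPOSTOR_NAMES = ("kswapd0",)                 # XMRig disguised as the kernel swap daemon
KTHREADD_PID = 2                              # parent of every genuine kernel thread

def suspicious_authorized_keys(text):
    """Key lines whose trailing comment field is the Outlaw marker."""
    return [ln for ln in text.splitlines()
            if len(ln.split()) >= 3 and ln.split()[-1] == KEY_COMMENT]

def suspicious_cron(text):
    """Cron lines that launch anything out of the known hidden directories."""
    pat = re.compile(r"/(?:" + "|".join(map(re.escape, HIDDEN_DIRS)) + r")/")
    return [ln for ln in text.splitlines()
            if not ln.lstrip().startswith("#") and pat.search(ln)]

def impostor_processes(procs):
    """procs: iterable of (pid, ppid, comm, exe). The real kswapd0 is a kernel
    thread (parent kthreadd, no backing executable); a same-named process with
    a user-space parent or an on-disk binary is the disguised miner."""
    return [p for p in procs
            if p[2] in IMPOSTOR_NAMES and (p[1] != KTHREADD_PID or p[3])]

def hunt(authorized_keys, crontab, procs):
    """Aggregate findings; any non-empty list warrants triage of the host."""
    return {"keys": suspicious_authorized_keys(authorized_keys),
            "cron": suspicious_cron(crontab),
            "procs": impostor_processes(procs)}

# Constructed samples (key blobs are placeholders, paths under the hidden dirs are assumed).
SAMPLE_KEYS = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER alice@laptop\n"
               "ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER mdrfckr\n")
SAMPLE_CRON = ("0 3 * * * /usr/bin/certbot renew\n"
               "* * * * * /home/svc/.configrc5/a/kswapd0 >/dev/null 2>&1\n"
               "@reboot /home/svc/.configrc6/b/run >/dev/null 2>&1\n")
SAMPLE_PROCS = [(44, 2, "kswapd0", ""),                                   # genuine kernel thread
                (4123, 1, "kswapd0", "/home/svc/.configrc5/a/kswapd0"),  # disguised XMRig
                (912, 1, "sshd", "/usr/sbin/sshd")]

if __name__ == "__main__":
    for kind, hits in hunt(SAMPLE_KEYS, SAMPLE_CRON, SAMPLE_PROCS).items():
        print(kind, hits)
```

On a live host, feed the functions the contents of each user's ~/.ssh/authorized_keys, the output of `crontab -l` for each user plus /etc/cron.d, and a (pid, ppid, comm, exe) listing built from /proc.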
Groups observed using it
1 distinct threat actor attributed by public researchers.
According to this article, this apparently belongs to the "Outlaw Hacking Group", which was first identified by TrendMicro in 2018.
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Following successful SSH brute-force authentication, the malware replaces the existing SSH authorized_keys file with a new version containing a malicious SSH public key... The malware then changes the user credentials for the authenticated account by entering a new password using the passwd utility.
Execution (3 techniques)
In both scripts, the malware installs cron jobs that execute its binaries at regular intervals and on system reboots.
Persistence (3 techniques)
In both scripts, the malware installs cron jobs that execute its binaries at regular intervals and on system reboots.
Following successful SSH brute-force authentication, the malware replaces the existing SSH authorized_keys file with a new version containing a malicious SSH public key... The malware then changes the user credentials for the authenticated account by entering a new password using the passwd utility.
Privilege Escalation (3 techniques)
In both scripts, the malware installs cron jobs that execute its binaries at regular intervals and on system reboots.
Following successful SSH brute-force authentication, the malware replaces the existing SSH authorized_keys file with a new version containing a malicious SSH public key... The malware then changes the user credentials for the authenticated account by entering a new password using the passwd utility.
Stealth (5 techniques)
These init scripts all use variable-based string concatenation obfuscation... The run script contains three base64-encoded blobs... obfuscated perl scripts are identified... Additionally, the malware's binaries are packed with UPX.
Another file from the hidden directory, a/kswapd0, is an ELF packed using UPX...
For persistence purposes, the attackers used the following command to wipe the existing SSH setup... cd ~ && rm -rf .ssh && mkdir .ssh ...
Following successful SSH brute-force authentication, the malware replaces the existing SSH authorized_keys file with a new version containing a malicious SSH public key... The malware then changes the user credentials for the authenticated account by entering a new password using the passwd utility.
Defense Impairment (1 technique)
Credential Access (1 technique)
Discovery (6 techniques)
Below are the Outlaw TTPs identified from our malware analysis... Discovery: System Owner/User Discovery (T1033)
The malware scans the local subnet of newly compromised systems, identifying additional SSH-accessible machines to attack.
Below are the Outlaw TTPs identified from our malware analysis... Discovery: System Network Connections Discovery (T1049)
The attacker immediately performed basic reconnaissance by running the w command to check who was logged in and then executing ps to see what processes were running.
Lateral Movement (1 technique)
Collection (2 techniques)
Command and Control (4 techniques)
This Perl script is an IRC-based botnet client... By default, it connects to a hardcoded IRC server over port 443 using randomly generated nicknames, joining predefined channels to await commands...
STEALTH SHELLBOT for remote control via IRC C2... SHELLBOT scripts operate as IRC-based backdoors, allowing attackers to remotely control infected machines via predefined commands sent through an IRC channel.
Exfiltration (1 technique)
Impact (2 techniques)
Other (1 technique)
The malware ensures dominance by killing competing brute-forcers and miners... the run script will start the stop script, which is a typical script that brings down the defenses of any known miner configurations and kills any known miner processes.
IOCs tracked for this family
53 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Linux botnet/backdoor that compromises exposed SSH services, installs persistence by replacing or creating ~/.ssh/authorized_keys with an attacker-controlled public key tagged "mdrfckr", and uses infected hosts to scan for and compromise additional systems.
A Linux-focused Perl-based crypto-mining botnet that brute-forces or abuses weak/default SSH credentials, installs persistence via SSH authorized keys and cron, deploys an IRC backdoor, kills competing miners/processes, and hijacks system resources for Monero mining.
Outlaw is a long-running SSH brute-force botnet/cryptomining malware family that persists by writing an authorized_keys file with the comment string "mdrfckr", changes passwords, performs reconnaissance, and removes competing malware or access mechanisms via cleanup scripts such as /tmp/secure.sh.
Referenced as a Linux botnet playbook and ecosystem comparable to, and overlapping with, the SSHStalker activity; the content provides no additional functional details.