CondiBot is a Mirai-based DDoS botnet targeting Linux-based network devices and other vulnerable Linux systems. Researchers reported previously undocumented samples on March 6, 2026, describing it as a new CondiBot variant or fork derived from the Mirai malware family. It is designed to compromise devices and convert them into remotely controlled nodes for distributed denial-of-service attacks.
The malware supports multiple architectures, including ARM, MIPS, x86, and x86_64, enabling it to target routers, IoT devices, servers, and similar Linux-based infrastructure. After infection, CondiBot uses multiple file-transfer utilities such as wget, curl, tftp, and ftpget to deliver its payload. It connects to command-and-control infrastructure, registers itself using a unique bot identifier, and then waits for attack commands. Researchers reported that it can dispatch one of 32 registered attack handlers against specified targets, exceeding the number of attack modules seen in earlier Condi variants.
For persistence and operational continuity, CondiBot disables system reboot utilities by setting their permissions to 000 and manipulates the hardware watchdog to keep the infected device running without interruption. It also kills competing malware on infected devices, including a process named /bin/sora associated with the Sora botnet family. Analysts extracted the internal string "QTXBOT" from the binary; this string had not appeared in prior Condi reporting and may indicate a forked or separately maintained build.
The reporting associates CondiBot with the broader trend of financially motivated actors increasingly targeting network infrastructure, although no specific threat actor attribution was provided in the content. The malware was observed in the context of attacks against Linux-based network devices, with defenders advised to monitor for unusual outbound traffic and unexpected processes on network appliances.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Once the binary executes, it immediately disables the system’s reboot utilities by setting their file permissions to 000, preventing a simple restart from clearing the infection. It then connects to a command-and-control (C2) server and registers itself using a unique bot identifier.
It also manipulates the hardware watchdog to keep itself active, while hunting and killing competing botnet processes on the same machine, including one linked to the Sora botnet family.
The first, named CondiBot, is a DDoS botnet built on the well-known Mirai framework, designed to infect Linux-based network devices and transform them into remotely controlled nodes capable of flooding targeted systems with overwhelming traffic.
The first is a new variant of CondiBot, a DDoS botnet derived from the well-known Mirai malware family, designed to turn compromised Linux systems into remotely controlled attack nodes... The variant registers 32 attack handlers — more than earlier Condi versions — likely representing new flood techniques and protocol-level methods that expand the range of targets it can strike.
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Mirai-based DDoS botnet targeting Linux-based network devices. It uses multiple file transfer utilities for payload delivery, disables reboot utilities for persistence, connects to a C2 server, supports 32 attack handlers, kills competing botnets, and manipulates the hardware watchdog to maintain infection.
A Mirai-derived Linux DDoS botnet targeting network devices. It uses multiple file transfer tools for payload delivery, registers with a C2 server, disables reboot utilities by changing permissions, manipulates the hardware watchdog for persistence, kills competing botnet processes, and supports multiple CPU architectures.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.